Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Data Protection Thought Experiment(s)

  • 30-09-2010 12:16am
    #1
    Subscribers Posts: 4,076 ✭✭✭


    I come in contact with the Data Protection Acts on a regular basis as a consequence of my job. I don't really deal with anything too complicated, that's the responsibility of others in the company, but being a software developer I can't help but imagine odd edge cases where the Acts might not make sense or might have unintended consequences. Normally a quick look at the Act or at dataprotection.ie will answer the question, but I'm not so sure about this one.

    Imagine I wrote an autobiography. It would contain personal information which - to my mind - would fall under the definition of "personal data" in the Data Protection Acts. Now imagine that a number of copies are printed. Some go to libraries, some get sold to private sellers and some end up sitting at the back of a bookseller's store room gathering dust.
    • Even though most of the holders of copies of the book would not be obliged to register, I can't see anything in the Acts which would exempt them from being a "data controller". Is the private owner of an (auto)biography really a data controller? Are any of the owners of such a book given any data protection obligations as a consequence of buying/receiving it?
    • If the "one or more specified, explicit and legitimate purposes" [Sec 2 (1) (c) (i)] for having the data is to read the book and since it may "not be kept for longer than is necessary for that purpose or those purposes" [Sec 2 (1) (c) (iv)]] should the book be disposed of once read? If not, when would an owner of the book be required to dispose of it?
    • If ""data" means information in a form in which it can be processed" [Sec 1 (1)], and if you believe that this would exempt a book from the Acts entirely, would your opinion change if the book was an eBook? (And hence trivially processable.)
    • If a purchaser of the book posted it to a relative in Australia, would that have to be a transfer following the rules here?
    • While Section 22A might provide a get-out clause, it appears to only apply to data held in order to process it "only for journalistic, artistic or literary purposes", would a person with the book just sitting on a shelf be able to claim they needed the data to process it for literary purposes? Seems a bit of a stretch to me.
      • Even if that person was exempt from many of the provisions of the Acts, they'd still have the requirement in Sec 2 (1) (d): "appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction". Would they be required to keep it locked away? :)

    I'm probably missing something obvious here. Can anyone point me in the right direction? Or am I just mad? :D


Comments

  • Subscribers Posts: 4,076 ✭✭✭IRLConor


    IRLConor wrote: »
    Or am I just mad? :D

    Clearly this is the correct answer. :)


  • Closed Accounts Posts: 2,062 ✭✭✭dermot_sheehan


    I suppose originally under the 1988 Act books would not be considered "data" since "data" is:
    "data" means information in a form in which it can be processed

    "processing" means performing automatically logical or arithmetical operations on data and includes—
    ( a ) extracting any information constituting the data, and
    ( b ) in relation to a data processor, the use by a data controller of data equipment in the possession of the data processor and any other services provided by him for a data controller,
    but does not include an operation performed solely for the purpose of preparing the text of documents

    The 2003 Act though contains a clear exemption in s. 21
    22A.—(1) Personal data that are processed only for journalistic, artistic or literary purposes shall be exempt from compliance with any provision of this Act specified in subsection (2) of this section if—
    (a) the processing is undertaken solely with a view to the publication of any journalistic, literary or artistic material,
    (b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, such publication would be in the public interest, and
    (c) the data controller reasonably believes that, in all the circumstances, compliance with that provision would be incompatible with journalistic, artistic or literary purposes.
    (2) The provisions referred to in subsection (1) of this section are—
    (a) section 2 (as amended by the Act of 2003), other than subsection (1)(d),
    (b) sections 2A, 2B and 2D (which sections were inserted by the Act of 2003),
    (c) section 3,
    (d) sections 4 and 6 (which sections were amended by the Act of 2003), and
    (e) sections 6A and 6B (which sections were inserted by the Act of 2003).
    (3) In considering for the purposes of subsection (1)(b) of this section whether publication of the material concerned would be in the public interest, regard may be had to any code of practice approved under subsections (1) or (2) of section 13 (as amended by the Act of 2003) of this Act.
    (4) In this section ‘publication’, in relation to journalistic, artistic or literary material, means the act of making the material available to the public or any section of the public in any form or by any means.”


Advertisement