DPA - Provisions II
Requirements of a Data Controller
Information obtained and processed fairly/lawfully
Information is accurate and current
Kept for only 1 or more specified purposes
Not used or disclosed except for specified purpose
Relevant and limited to purpose
Not kept longer than required
Security against unauthorised access
Notes:
These correspond almost exactly to the principles listed in the Strasbourg Convention.
Exception: prevention, detection, investigation of an offence; collecting of monies owed to the State. Revenue refused to disclose information claiming it would hinder tax collection. DPC brought to court. Revenue lost on appeal.
Up-to-date. Exception: information for backup or archival purposes to replace data that was lost/destroyed. It is, by its nature, out-of-date.
‘Specification’ of the purpose is likely to be quite vague to allow as much leeway for the data controller as possible.
Exception: employee/agent of data controller for them to carry out their duties
Exception: historical record or statistical research
Provision for Ministerial regulation for additional protection for sensitive data (religion, politics, race, criminal record).
Failure to ensure adequate and reasonable protection may result in being sued for negligence.