​The Data Protection Act

In May 2002, Government enacted the Data Protection Act of 2002, which is aimed at protecting and controlling the use of personal information.

This new legislation requires that:

  • personal information is only gathered for a specific purpose
  • the individual about whom information is obtained knows that you are gathering and storing information about him or her
  • the personal information is used only for the purpose for which it was obtained
  • personal information is not passed on to third parties without the individual’s consent
  • individuals have access to the personal information retained by others
  • use and access to personal information is controlled

The Nine Principles of ‘Good Information Handling’

The controller shall ensure that:

  1. Personal data is processed fairly and lawfully;
  2. Personal data is always processed in accordance with good practice;
  3. Personal data is only collected for specific, explicitly stated and legitimate purposes;
  4. Personal data is not processed for any purpose that is incompatible with that for which the information is collected;
  5. Personal data that is processed is adequate and relevant in relation to the purposes of the processing;
  6. No more personal data is processed than is necessary having regard to the purposes of the processing;
  7. Personal data that is processed is correct and, if necessary, up to date.
  8. All reasonable measures are taken to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, having regard to the purposes for which they are processed;
  9. Personal data is not kept for a period longer than is necessary, having regard to the purposes for which they are processed.

Data Protection Terminology

Who is the Data Controller?

The controller of personal data or data controller means a person who alone or jointly with others determines the purposes and means of the processing of personal data.

What is a Personal Data Representative (PDR)?

Under section 30(1) of the Data Protection Act, Data Controllers may elect to appoint a Personal Data Representative and in such case have to notify the Commissioner. The function of the PDR is to independently ensure that the controller processes personal data in a lawful and correct manner and in accordance with good practice.

What is Personal Data?

Personal data means any information about an identifiable living individual.

Notification of Data 

In terms of article 29 of the Data Protection Act a data controller, any person or organisation processing personal data, shall prior to carrying out any wholly or partially automated processing operations, notify the Data Protection Commissioner with such processing. This can be done by filling out the Notification Form online.

How can this affect my business?

This will have bearing on your business activities as, from time to time, you may need to obtain data on clients, or staff that you may need to employ. For every new process that will collect personal data the Notification of New Process Form needs to be filled and submitted to the Data Protection Commissioner.

For further information and the respective legislation visit the Data Protection website.

Online Application

Data Protection Notification Form​