Now more than ever, we live in a world where knowledge is power. Businesses have discovered that the more information they have about an individual, the easier it is to sell them products and services. The internet thrives on the gathering and utilising of personal information. But, as individuals, we have rights in respect of information that can individually identify us. Our rights come into effect when there is any personal information about us stored on paper, on a computer, in the cloud or by way of photograph or video.
Any individual or organisation collecting personal data must tell us who they are, why they want this information, and for what they are going to use our data. Generally, people and organisations must obtain our express or implied consent to gather our data. We encounter both formal and casual data protection consents throughout daily life; when enrolling for school, opening a bank account, signing up to a gym, joining a mailing list, contracting for utilities, starting a new job, or just walking into places that are equipped with CCTV.
We have a right to request a copy of any personal data from any organisation. If we think that an organisation has information about us, we may write a letter and we are entitled to expect a response within 21 days giving us the requested data. We may have to pay a small fee (no more than €6.35 plus the cost of photocopying) to administer our request.
Flowing from the right to see the data that is kept about us, we have a right to have incorrect information amended, and to have up-to-date details recorded. If we tell the person holding our data that there is a factual inaccuracy, they are obliged to correct it.
There is also a right to only have our data used for the stated purpose, and in general we must first consent to that purpose. All information about a person must be gathered fairly, and be for a lawful purpose. An organisation may not gather excessive personal data.
All information that can identify us as individuals must be stored safely and must only be kept for as long as is necessary. For example, a hospital will necessarily hold our medical records for longer than a restaurant taking our name and number to confirm a reservation.
Where a decision will impact us, and is based on gathered data, we have a right to have a human decision-maker take decisions, unless we consent to automated decision making. This can arise in respect of credit checks or work performance.
If our data is being used for marketing purposes, we have a right to have our details removed from the database. This must be done within 40 days of a request. You will notice that marketing emails often have an unsubscribe option; this is in compliance with data protection laws. We may choose not to receive any direct marketing phone calls by registering on the National Directory Database (NDD) ‘opt-out’ register. It is the duty of your telephone provider to do this upon your request.
If you feel that your data rights are being disrespected by any person or organisation, you may make a complaint to the Office of the Data Protection Commissioner. If you suffer damage from a misuse of your personal data, your solicitor can advise you on whether compensation may be available.
On May 25th this year the GDPR or the EU Regulation on data protection will come into effect. The Regulation will give individuals even more control over their personal information, as well as a greater right to compensation for a misuse of your data. Over the next while, you will notice organisations seeking your express consent to process your personal information, and explaining their reasons for requesting this.
The above is intended for information purposes only, and is not intended to be relied upon as legal advice Please contact us for advice specific to your needs. We, at Fitzsimons Redmond LLP are happy to discuss with you any concern that you might have as to your privacy rights.
Lisa Quinn O’Flaherty
Solicitor at Fitzsimons Redmond LLP