Data Protection

Introduction

The Data Protection Act 2018 came into effect on 25 May 2018. The Act amends the Data Protection Acts 1988 and 2003.  It gives effect to EU Regulation 2016/679 – more commonly known as the General Data Protection Regulation (GDPR) – and EU Directive 2016/680 which applies to prosecutors, Gardaí and others in the criminal justice system.

The Act is designed to protect people’s privacy. It confers rights on individuals in relation to the privacy of their personal data, as well as responsibilities on individuals and/or organisations holding and processing that data.

Because the Office of the Director of Public Prosecutions (ODPP) processes personal data it has certain obligations under the Act. This statement explains what those obligations are and how we will comply with them.  It does not deal with every possible situation and it does not give legal advice.  If you think you need legal advice, you should talk to a solicitor.

The DPP decides whether or not to prosecute in criminal cases. The majority of cases dealt with by the DPP relate to serious crimes such as murder, manslaughter, sexual offences or fatal road incidents. The DPP also decides what the charges should be.  Once the prosecution begins, the Office of the DPP is responsible for the prosecution case.

The Chief Prosecution Solicitor acts as solicitor to the DPP and is head of the Solicitors Division of the DPP’s Office. The staff of the Solicitors Division represent the DPP in courts in Dublin.  Local state solicitors represent the DPP in courts outside Dublin.

The DPP and lawyers in the Office of the DPP are independent when making decisions. They make decisions in serious criminal cases based on investigation files sent to the Office by an investigating agency, usually the Garda Síochána. These files will contain data on suspects, victims and witnesses.

In less serious criminal cases the Garda Síochána make decisions to prosecute or not to prosecute. If this happens the Gardaí do not send a file to the DPP so the Office of the DPP will not hold data on the suspects, victims or witnesses in those cases.

The Data Protection Act 2018 came into effect on 25 May 2018. The Act amends the Data Protection Acts 1988 and 2003.

It gives effect to EU Regulation 2016/679 – more commonly known as the General Data Protection Regulation (GDPR) – which relates to the protection of individuals with regard to the processing of their personal data and the free movement of that data.

The Act also gives effect to EU Directive 2016/680 which relates to the protection of individuals with regard to the processing of their personal data by competent authorities (such as the Office of the Director of Public Prosecutions) for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of that data.

The Data Protection Act 2018 specifies the role of controllers and processors. The Office of the DPP is a data controller.  This means that the Office determines the purpose of the personal data it obtains and how it will be processed.

Some of the work of the Office of the DPP is undertaken by external parties, for example, Counsel and State Solicitors. These parties process personal data on behalf of the Office of the DPP.  This means that they are processors.  All such processors are required to act only on the instructions of the DPP as the controller and are obliged to fulfil their obligations in relation to the use of this personal data under the Act.

Personal data processed by the Office of the DPP generally relates either to the prosecution of criminal offences or to the general administration of the Office.

Examples of some of the categories of data processed in relation to the prosecution of criminal offences include:

  • Suspect details
  • Victim details
  • Witness details
  • Personal details of stakeholders, including State Solicitors, Gardaí, Counsel, and Court Services
  • Results of prosecutions undertaken against specific suspects

Examples of some of the categories of data processed by the Office of the DPP in relation to the general administration of the Office include:

  • Payments made to various service providers
  • Staff details

When processing personal data the Office of the DPP will adhere to the Data Protection Rules. The rules oblige us to:

  • Process the data lawfully and fairly
  • Collect it for one or more specified purpose only and process it in ways compatible with that purpose
  • Ensure that it is adequate, relevant and not excessive
  • Ensure that it is accurate and, where necessary, kept up-to-date
  • Ensure that data that is inaccurate is erased or rectified without delay
  • Retain it no longer than is necessary for the specified purpose
  • Keep it safe and secure and protect it against unauthorised or unlawful processing and accidental loss, destruction or damage

An individual whose personal data is being processed by the DPP has a right to know:

  • why the data is being processed;
  • the categories of personal data being processed;
  • the third parties, if any, to whom the data has been disclosed;
  • how long the data will be kept by the DPP.

If an individual wishes to know about their personal data they can make a Subject Access Request.

Requests must be made in writing and sent to the Data Protection Officer in the Office of the DPP (see contact details below).

Applicants must provide proof of identity, such as a copy of their driver’s licence or passport. This is to ensure that the Data Protection Officer can clearly identify the applicant and locate their personal data.

Valid requests will be responded to within one month of receipt. In certain circumstances this may be extended.  There is no fee for making an application.

An individual can also ask the DPP to correct or erase any personal data held by the DPP which they believe to be inaccurate – with the exception of personal data contained in witness statements.

It is important to note that only personal data relating to an individual applicant can be provided. The DPP cannot provide personal information relating to another individual.  Exceptions are made in some cases where parents or guardians request personal data relating to their children. A solicitor can also make a request on behalf of a client but must show their client has authorised the request.

There are some restrictions to an individual’s right of access to personal data held by the DPP. For example, personal data cannot be released if:

  • doing so would prejudice the prevention, detection, investigation or prosecution of criminal offences;
  • doing so would prejudice the discharging of criminal penalties;
  • the information sought is legally privileged.

If the Office of the DPP restricts an individual’s right of access to personal data, the individual can appeal the decision to the Data Protection Commission.

The Office of the DPP must keep a record of reasons for decisions to restrict access to information. The Data Protection Commission can ask to see this record at any time.

The Office of the DPP holds data relating to prosecution cases for an indefinite period of time. This is because evidence may be required in the future in the event of a later court case.

The Data Protection Officer for the Office of the DPP can be contacted at:

Data Protection Officer
Office of the Director of Public Prosecutions
Infirmary Road
Dublin 7

Tel: +353 (0)1 858 8600
E-mail: data.protection@dppireland.ie

A breach of data protection will immediately be reported to the Data Protection Officer in the Office of the DPP. Within 72 hours of becoming aware of the breach the Data Protection Officer will notify the Data Protection Commission as appropriate.

The Data Protection Officer will also contact the individual whose data was compromised to inform them of the breach.

The Office of the DPP is subject to oversight by the Data Protection Commission in relation to data protection matters. The Commission can audit the Office of the DPP’s compliance with Data Protection legislation.

Individuals who wish to make a complaint can contact the Data Protection Commission at:

Data Protection Commission
21 Fitzwilliam Square
Dublin 2
D02 RD28

Tel: +353 (0)57 868 4800 or 0761 104 800
Web: www.dataprotection.ie

Key Definitions

The following are explanations of some of the key terms used in the Data Protection Act 2018:

Data means automated and manual data.

Relevant filing system means any set of information that is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.

Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Data Subject is an individual who is the subject of personal data.

Controller is a person who (either alone or with others) controls the contents and use of personal data.

Processor is a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his/her employment.

Processing means performing any operation or set of operations on the data, whether or not by automatic means, including:

  • collecting, recording organising, structuring or storing the data
  • adapting or altering the data
  • retrieving, consulting or using the data
  • disclosing the data by transmitting, disseminating or otherwise making it available
  • aligning, combining, restricting, erasing or destroying the data.

Compliance