S.I. No. 659/2018 - Data Protection Act 2018 (Section 159(1)) Rules 2018
Notice of the making of this Statutory Instrument was published in | ||
“Iris Oifigiúil” of 26th April, 2019. | ||
We, the Superior Courts Rules Committee, constituted pursuant to the provisions of the Courts of Justice Act 1936 , section 67, and reconstituted pursuant to the provisions of the Courts of Justice Act 1953 , section 15, by virtue of the powers conferred upon us by the Data Protection Act 2018 , section 159(1), and of all other powers enabling us in this behalf, do hereby make the following Rules. | ||
Dated this 11th day of June 2018. | ||
Frank Clarke | ||
George Birmingham | ||
Peter Kelly | ||
Elizabeth Dunne | ||
Michael Peart | ||
Anthony Barr | ||
Stuart Gilhooly | ||
Liam Kennedy | ||
Noel Rubotham | ||
Mary Cummins | ||
John Mahon | ||
Citation and entry into force | ||
1. These Rules, which may be cited as the Data Protection Act 2018 (Section 159(1)) Rules 2018, shall come into operation on the 1st day of August 2018. | ||
Scope | ||
2. These Rules (being processing rules, within the meaning of section 159(9) of the 2018 Act) shall apply to the processing of personal data: | ||
(a) of which a superior court of record, when acting in a judicial capacity, is a controller, and | ||
(b) which are personal data contained in a record of that court, | ||
where such personal data are processed on behalf of such controller by any processor, including any other processor engaged by a processor for carrying out specific processing activities on behalf of the controller. | ||
Interpretation | ||
3. (1) In these Rules: | ||
“2018 Act” means the Data Protection Act 2018 ; | ||
“court record” means a record of a superior court of record; | ||
“Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); | ||
“Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; | ||
in relation to personal data of which a court is the controller, “judge” , in the case of any proceedings the hearing of which has not been assigned to any judge or panel of judges or, in any case where the judge concerned is no longer a member of that court or the panel concerned can no longer be constituted, shall mean the Chief Justice in relation to a judge of the Supreme Court, the President of the Court of Appeal in relation to a judge of the Court of Appeal or, as the case may be, the President of the High Court in relation to a judge of the High Court; | ||
“Processor” means a processor of personal data of which a superior court of record is the controller and includes without limitation, any court officer, any member of the staff of the Courts Service for the time being employed in a court office and any contractor of the Courts Service (including any employee or person working under the direction of such contractor) who is processing personal data of which a superior court of record is the controller. | ||
(2) In these Rules, save as expressly provided otherwise, terms defined in the Data Protection Regulation or the Directive shall have the meanings given to them in the Data Protection Regulation or, as the case may be, the Directive. | ||
Processing of personal data | ||
4. (1) Where a Processor shall process personal data on behalf of any superior court of record or judge of such court, the subject matter, duration, nature and purpose of the processing, the type of personal data to be processed and the categories of data subjects to whom the personal data relate shall be as set out in this rule. | ||
Subject matter of processing | ||
(2) The subject matter of processing to which these Rules apply consists of personal data included, by or on behalf of a party to proceedings before a court, or any other person, in and, subject to any order of the court concerned, retained in, a court record, in accordance with the provisions of statute, the Rules of the Superior Courts, any applicable practice direction of the court concerned and any order of that court, for the purposes of the conduct of those proceedings. | ||
(3) Personal data contained in a court record may be held securely in hard copy or in electronic form by a court officer or member of the staff of the Courts Service for the time being employed in a court office at an office of or attached to the court concerned or by a contractor of the Courts Service notified to the president of the court concerned, at premises or in a system used by the Courts Service or, as the case may be, by that contractor. | ||
(4) A Processor may collect, record, organise, structure, store, retrieve, consult and use personal data in accordance with the Rules of the Superior Courts, any applicable practice direction of the court concerned and any order of that court, for the purposes of the court or the proceedings to which they relate. | ||
(5) A Processor may, subject to the provisions of statute, the Rules of the Superior Courts, any applicable practice direction of the court concerned and any order of that court, disclose by transmission, dissemination or otherwise, personal data contained in a court record: | ||
(a) to a party to the proceedings to which such personal data relate, at the request of that party or by direction of the court concerned; | ||
(b) to a legal representative of such party on record as acting in the proceedings, at the request of that legal representative or by direction of the court concerned; | ||
(c) by direction of the court concerned to a member of An Garda Síochána or a prosecuting authority, for the purposes of — | ||
(i) the investigation of, or | ||
(ii) use as evidence in the prosecution of | ||
an offence alleged; | ||
(d) to any other person or persons (including an artificial legal person(s)) directed by the court concerned for any other purpose which the court concerned may determine to be appropriate having regard to the provisions of the Data Protection Regulation, the Directive and the 2018 Act; | ||
(e) to any other court or officer of a court for the purposes of an appeal or any other proceedings relating to the proceedings to which the personal data relate; | ||
(f) to any person in compliance with an order or direction of a court requiring production or discovery of the personal data concerned; and | ||
(g) to a bona fide member of the Press or broadcast media in accordance with rules made under section 159(7) of the 2018 Act. | ||
Duration of processing | ||
(6) Personal data contained in a court record shall be retained for the purposes of the proceedings including any appeal and enforcement action and for archiving purposes following the determination of the proceedings to which the personal data relate (including by way of appeal), prior to transfer of the court record to the National Archives in accordance with the provisions of the National Archives Act 1986 save where the court record concerned is the subject of an authorisation under the provisions of section 7 of the National Archives Act 1986 , in which case the court record shall be disposed of in accordance with such authorisation. | ||
Purpose of processing | ||
(7) Personal data contained in a court record may be processed — | ||
(a) in accordance with the provisions of statute, the Rules of the Superior Courts, any applicable practice direction of the court concerned and any order of that court, for the purposes of the proceedings to which they relate, or | ||
(b) in accordance with an order of that court or of another competent court, for the purposes of proceedings before the last-mentioned court. | ||
Type of personal data to be processed and data subjects to whom the personal data relate | ||
(8) Subject to the requirements of statute, the Rules of the Superior Courts, rules made under section 159(7) of the 2018 Act, any applicable practice direction of the court concerned and any order of that court, personal data of any type and which relate to any data subject in a court record are liable to be processed where such data have been included in such record. | ||
Obligations of the Processor | ||
5. In respect of any processing of personal data contained in a court record, the Processor shall: | ||
(a) act only on a direction or directions given by or on behalf of the court concerned (including such directions made under these Rules or the Rules of the Superior Courts or comprised in any practice direction of that court) in relation to the processing, except in so far as European Union law or the applicable law of a Member State of the European Union requires the Processor to act otherwise; | ||
(b) ensure that any person authorised by the Processor to process the personal data has undertaken to maintain the confidentiality of the personal data or is under an appropriate statutory obligation to do so; | ||
(c) assist the court in ensuring compliance with the court’s obligations under applicable data protection law in respect of data subject rights; | ||
(d) in the case of a Processor who is a contractor of the Courts Service, on the conclusion of the contract or at any other time in accordance with the provisions of the contract, upon completion of the processing services carried out by the Processor on behalf of the court | ||
(i) return to the court as directed by the Courts Service on behalf of the court, or | ||
(ii) where the data are contained in records which are the subject of an authorisation under the provisions of section 7 of the National Archives Act 1986 authorising the disposal of such records, erase | ||
all personal data, and erase any copy of the data, unless the Processor is required by European Union law or the law of a Member State of the European Union to retain the data; | ||
(e) in the case of a Processor who is an officer of the court concerned or a member of staff of the Courts Service employed in an office of or attached to the court, maintain all personal data subject to the direction of the judge or, as the case may be, the senior of the judges referred to in section 65(3) of the Court Officers Act 1926 and otherwise in accordance with rule 4(6); | ||
(f) make available to the court concerned all information necessary to demonstrate compliance by the Processor concerned with its obligations as a processor under these Rules and under law, including under Article 28 of the Data Protection Regulation and under the 2018 Act, as applicable, and allow for and contribute to audits, including inspections, conducted by an auditor on behalf of the court concerned; | ||
(g) not engage any other processor (who is not a court officer or a member of the staff of the Courts Service for the time being employed in a court office) otherwise than in accordance with the prior specific or general written authorisation of the president of the court concerned; in the case of any general authorisation, the Courts Service shall inform the president of the court in advance of any intended changes concerning the addition or replacement of any other processor who is not a court officer or employed in a court office; | ||
(h) ensure that where another processor (who is not a court officer or a member of the staff of the Courts Service for the time being employed in a court office) is engaged to process personal data on behalf of the court concerned, that other processor shall be subject to these Rules or a written contract shall exist between the Processor and such other processor containing obligations equivalent to those imposed on the Processor in these Rules; in the event that any such other processor fails to meet its data protection obligations in respect of any such processing, the Processor shall be fully liable to the court for the performance of its obligations in accordance with statute, the Rules of the Superior Courts, any applicable practice direction of the court concerned, any order of that court, and these Rules; | ||
(i) implement such technical and organisational security measures as are required to comply with the data security obligations under applicable data protection law; | ||
(j) inform the president of the court concerned immediately if, in the Processor’s opinion, it receives an instruction from the court which infringes the Data Protection Regulation, the Directive or the 2018 Act; | ||
(k) notify the president of the court concerned immediately after becoming aware of any personal data breach and provide the court concerned with such cooperation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply in respect of, any such breach, and | ||
(l) assist the court in complying with the court’s obligations under applicable data protection law in respect of data protection impact assessments. | ||
| ||
EXPLANATORY NOTE | ||
(This note is not part of the Instrument and does not purport to be a legal interpretation.) | ||
These rules, made under section 159 (1) of the Data Protection Act 2018 , govern, for the purposes of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and Article 22(3) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, the processing by a processor of personal data contained in a record of a superior court of record. |
