Return to the Home PageData Protection Commissoner
Block 4, Irish Life Centre, Talbot St., Dublin 1 About Us Your Rights Your Responsibilities Contact Us Reference
 
-
 REFERENCE 
Legal Texts
Key Definitions
Publications
Forms
Case Studies
Links

 

 

 
 Number 25 of 1988
 DATA PROTECTION ACT, 1988

Preliminary

Interpretation and application of Act.

1.-(1) In this Act, unless the context otherwise requires-

"appropriate authority" has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

"back-up data" means data kept only for the purpose of replacing other data in the event of their being lost, destroyed or damaged;

"civil servant" has the meaning assigned to it by the Civil Service Regulation Acts, 1956 and 1958;

"the Commissioner" has the meaning assigned to it by section 9 of this Act;

"company" has the meaning assigned to it by the Companies Act, 1963;

"the Convention" means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January, 1981, the text of which is set out in the First Schedule to this Act;

"the Court" means the Circuit Court;

"data" means information in a form in which it can be processed;

"data controller" means a person who, either alone or with

others, controls the contents and use of personal data;

"data equipment" means equipment for processing data;

"data material" means any document or other material used in connection with, or produced by, data equipment;

"data processor" means a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment;

"data subject" means an individual who is the subject of personal data;

"direct marketing" includes direct mailing;

"disclosure", in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed;

"enforcement notice" means a notice under section 10 of this Act;

"financial institution" means-

(a) a person who holds or has held a licence under section 9 of the Central Bank Act, 1971, or

(b) a person referred to in section 7(4) of that Act;

"information notice" means a notice under section 12 of this Act;

"local authority" means a local authority for the purposes of the Local Government Act, 1941;

"the Minister" means the Minister for Justice;

"personal data' means data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller;

"prescribed", in the case of fees, means prescribed by regulations made by the Minister with the consent of the Minister for Finance and, in any other case, means prescribed by regulations made by the Commissioner with the consent of the Minister;

"processing" means performing automatically logical or arithmetical operations on data and includes-

(a) extracting any information constituting the data, and

(b) in relation to a data processor, the use by a data controller of data equipment in the possession of the data processor and any other services provided by him for a data controller,

but does not include an operation performed solely for the purpose of preparing the text of documents;

"prohibition notice" means a notice under section II of this Act;

"the register" means the register established and maintained under section 16 of this Act;

and any cognate words shall be construed accordingly.

(2) For the purposes of this Act, data are inaccurate if they are incorrect or misleading as to any matter of fact.

(3) (a) An appropriate authority, being a data controller or a data processor, may, as respects all or part of the personal data kept by the authority, designate a civil servant in relation to whom it is the appropriate authority to be a data controller or a data processor and, while the designation is in force-

(i) the civil servant so designated shall be deemed, for the purposes of this Act, to be a data

(ii) this Act shall not apply to the authority,

as respects the data concerned.

(b) Without prejudice to paragraph (a) of this subsection, the Minister for Defence may, as respect all or part of the personal data kept by him in relation to the Defence Forces, designated an officer of the Permanent Defence Force who holds a commissioned rank therein to be a data controller or a data processor and, which the designation is in force-

(i) the officer so designated shall be deemed, for the purposes of this Act, to be a data controller or, as the case may be, a data processor, and

(ii) this Act shall not apply to the Minister for Defence,

as respects the data concerned.

(c) For the purposes of this Act, as respects any personal data-

(i) where a designation by the relevant appropriate authority under paragraph (a) of this subsection is not in force, a civil servant in relation to whom that authority is the appropriate authority shall be deemed to be its employee and, where such a designation is in force, such a civil servant (other than the civil servant the subject of the designation) shall be deemed to be an employee of the last mentioned civil servant,

(ii) where a designation under paragraph (b) of the subsection is not in force, a member of the Defence Forces shall be deemed to be an employee of the Minister for Defence and, where such a designation is in force, such a member (other than the officer the subject of the designation) shall be deemed to be an employee of that officer, and

(iii) a member of the Garda Siochana (other than the Commissioner of the Garda Siochana) shall be deemed to be an employee of the said Commissioner.

(4) This Act does not apply to-

(a) personal data that in the opinion of the Minister or the Minister for Defence are, or at any time were, kept for the purpose of safeguarding the security of the State,

(b) personal data consisting of information that the person keeping the data is required by law to make available to the public, or

(c) personal data kept by an individual and concerned only with the management of his personal, family or household affairs or kept by an individual only for recreational purposes.

Protection of Privacy of Individuals with regard to Personal Data Collection, processing, keeping, use and disclosure of personal data

2.-(1) A data controller shall, as respects personal data kept by him, comply with the following provisions:

(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,

(b) the data shall be accurate and, where necessary, kept up to date,

(c) the data-

(i) shall be kept only for one or more specified and lawful purposes,

(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes,

(iii) shall be adequate, relevant and not excessive in relation to that purpose or those purposes, and

(iv) shall not be kept for longer than is necessary for that purpose or those purposes,

(d) appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.

(2) A data processor shall, as respects personal data processed by him, comply with paragraph (d) of subsection (1) of this section.

(3) Paragraph (a) of the said subsection (1) does not apply to information intended for inclusion in data, or to data, kept for a purpose mentioned in section 5 (1) (a) of this Act, in any case in which the application of that paragraph to the data would be likely to prejudice any of the matters mentioned in the said section 5 (1) (a).

(4) Paragraph (b) of the said subsection (1) does not apply to back-up data.

(5) (a) Paragraph (c) (iv) of the said subsection (1) does not apply to personal data kept for historical, statistical or research purposes, and

(b) the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained,

if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject,

(6) (a) The Minister may, for the purpose of providing additional safeguards in relation to personal data as to racial origin, political opinions, religious or other beliefs, physical or mental health, sexual life or criminal convictions, by regulations amend subsection (1) of this section.

(b) Regulations under this section may make different provision in relation to data of different descriptions.

(c) References in this Act to subsection (1) of this section or to a provision of that subsection shall be construed in accordance with any amendment under this section.

(d) Regulations under this section shall be made only after consultation with any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted.

(e) Where it is proposed to make regulations under this section, a draft of the regulations shall be laid before each House of the Oireachtas and the regulations shall not be made until a resolution approving of the draft shall have been passed by each such House.

(7) Where-

(a) personal data are kept for the purpose of direct marketing, and

(b) the data subject concerned requests the data controller in writing to cease using the data for that purpose,

the data controller shall, as soon as may be and in any event not more than 40

days after the request has been given or sent to him-

(i) if the data are kept only for the purpose aforesaid, erase the data,

(ii) if the data are kept for that purpose and other purposes, cease using the data for that purpose, and

(iii) notify the data subject in writing accordingly and, where appropriate, inform him of those other purposes.

Right to establish existence of personal data

3.-An individual who believes that a person keeps personal data shall, if he so requests the person in writing-

(a) be informed by the person whether he keeps any such data, and

(b) if he does, be given by the person a description of the data and the purposes for which they are kept,

as soon as may be and in any event not more than 21 days after the request has been given or sent to him.

Right of access

4.(1)(a) Subject of the provisions of this Act, an individual shall, if he so requests a data controller in writing-

(i) be informed by the data controller whether the data kept by him include personal data relating to the individual, and

(ii) be supplied by the data controller with a copy of the information constituting any such data,

as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section; and, where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.

(b) A request for the information specified in sub-paragraph (i) of subsection (1)(a) of this section shall, in the absence of any indication to the contrary, be treated as including a request for a copy of the information specified in subparagraph (ii) of the said subsection (1) (a).

(c) (i) A fee may be payable to the data controller concerned in respect of such a request as aforesaid and the amount thereof shall not exceed such amount as may be prescribed or an amount that in the opinion of the Commissioner is reasonable, having regard to the estimated cost to the data controller of compliance with the request, whichever is the lesser.

(ii) A fee paid by an individual to a data controller under subparagraph (i) of this paragraph shall be returned to him if his request is not complied with or the data controller rectifies or supplements, or erases part of, the data concerned (and thereby materially modifies the data) or erases all of the data on the application of the individual or in accordance with an enforcement notice or an order of a court.

(2) Where pursuant to provision made in that behalf under this Act there are separate entries in the register in respect of data kept by a data controller for different purposes, subsection (1) of this section shall apply as if it provided for the making of a separate request and the payment of a separate fee in respect of the data to which each entry relates.

(3) An individual making a request under this section shall supply the data controller concerned with such information as he may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information.

(4) Nothing in subsection (1) of this section obliges a data controller to disclose to a data subject personal data relating to another individual unless that other individual has consented to the disclosure:

Provided that, where the circumstances are such that it would be reasonable for the data controller to conclude that, if any particulars identifying that other individual were omitted, the data could then be disclosed as aforesaid without his being thereby identified to the data subject, the data controller shall be obliged to disclose the data to the data subject with the omission of those particulars.

(5) Information supplied pursuant to a request under subsection (1) of this section may take account of any amendment of the personal data concerned made since the receipt of the request by the data controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.

(6) (a) A request by an individual under subsection (1) of this section in relation to the results of an examination at which he was a candidate shall be deemed, for the purposes of this section, to be made on-

(i) the date of the first publication of the results of the examination, or

(ii) the date of the request,

whichever is the later; and paragraph (a) of the said subsection (1) shall be construed and have effect in relation to such a request as if for "40 days" there were substituted "60 days".

(b) In this subsection "examination" means any process for determining the knowledge, intelligence, skill or ability of a person by reference to his performance in any test, work or other activity.

(7) A notification of a refusal of a request made by an individual under and in compliance with the preceding provisions of this section shall be in writing and shall include a statement of the reasons for the refusal and an indication that the individual may complain to the Commissioner about the refusal.

(8) (a) If and whenever the Minister considers it desirable in the interests of data subject to do so and by regulations so declares, the application of this section to personal data-

(i) relating to physical or mental health, or

(ii) kept for, or obtained in the course of, carrying out social work by a Minister of the Government, a local authority, a health board or a specified voluntary organisation or other body,

may be modified by the regulations in such manner, in such circumstances, subject to such safeguards and to such extent as may be specified therein.

(b) Regulations under paragraph (a) of this subsection shall be made only after consultation with the Minister for Health and any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted and may make different provision in relation to data of different descriptions.

Restriction of right of access.

5.(1) Section 4 of this Act does not apply to personal data-

(a) kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid,

(b) to which, by virtue of paragraph (a) of this subsection, the said section 4 does not apply and which are kept for the purpose of discharging a function conferred by or under any enactment and consisting of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in paragraph (a) of this subsection,

c) in any case in which the application of that section would be likely to prejudice the security of, or the maintenance of good order and discipline in-

(i) a prison,

(ii) a place of detention provided under section 2 of the Prison Act, 1970,

(iii) a military prison or detention barrack within the meaning of the Defence Act, 1954, or

(iv) Saint Patrick's Institution,

(d) kept for the purpose of performing such functions conferred by or under any enactment as may be specified by regulations made by the Minister, being functions that, in the opinion of the Minister, are designed to protect members of the public against financial loss occasioned by-

(i) dishonesty, incompetence or malpractice on the part of persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or similar organisations, or

(ii) the conduct of persons who have at any time been adjudicated bankrupt,

in any case in which the application of that section to the data would be likely to prejudice the proper performance of any of those functions,

(e) in respect of which the application of that section would be contrary to the interests of protecting the international relations of the State,

(f) consisting of an estimate of, or kept for the purpose of estimating, the amount of the liability of the data controller concerned on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of the section would be likely to prejudice the interests of the data controller in relation to the claim,

(g) in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers,

(h) kept out for the purpose of preparing statistics or carrying out research if the data are not used or disclosed (other than to a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of this Act) for any other purpose and the resulting statistics or the results of the research are not made available in a form that identifies any of the data subjects, or

(i) that are back-up data.

(2) Regulations under subsection (1) (d) and (3) (b) of this section shall be made only after consultation with any other Minister of the Government who, having regarding to his functions, ought, in the opinion of the Minister, to be consulted.

(3) (a) Subject to paragraph (b) of this subsection, section 4 of this Act, as modified by any other provisions thereof, shall apply notwithstanding any provision of or made under any enactment or rule of law that is in force immediately before the passing of this Act and prohibits or restricts the disclosure, or authorises the withholdings, of information.

(b) If and whenever the Minister is of opinion that a prohibition, restriction or authorisation referred to in paragraph (a) of this subsection in relation to any information ought to prevail in the interests of the data subjects concerned or any other individuals and by regulations so declares, then, while the regulations are in force, the said paragraph (a) shall not apply as respects the provision or rule of law concerned and accordingly section 4 of this Act, as modified as aforesaid, shall not apply in relation to that information.

Right of rectification of erasure.

6.(1) An individual shall, if he so requests in writing a data controller who keeps personal data relating to him, be entitled to have rectified or, where appropriate, erased any such data in relation to which there has been a contravention by the data controller of section 2(1) of this Act; and the data controller shall comply with the request as soon as may be and in any event not more than 40 days after it has been given or sent to him:

Provided that the data controller shall, as respects data that are inaccurate or not kept up to data, be deemed-

(a) to have complied with the request if he supplements that data with a statement (to the terms of which the individual has assented) relating to the matters dealt with by the data, and

(b) if he supplements the data as aforesaid, not to be in contravention of paragraph (b) of the said section 2(1).

(2) On compliance by a data controller with a request under subsection (1) of this section, he shall, as soon as may be and in any event not more than 40 days after the request has been given or sent to him, notify-

(a) the individual making the request, and

(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period of 12 months immediately before the giving or sending of the request, of the rectification, erasure or statement concerned.

Duty of care owed by data controllers and data processors.

7.-For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned:

Provided that, for the purposes only of this section, a data controller shall be deemed to have complied with the provisions of section 2(1) (b) of this Act if and so long as the personal data concerned accurately record data or other information received or obtained by him from the data subject or a third party and include (and, if the data are disclosed, the disclosure is accompanied by)-

(a) an indication that the information constituting the data was received or obtained as aforesaid,

(b) if appropriate, an indication that the data subject has informed the data controller that he regards the information as inaccurate or not kept up to date, and

(c) any statement with which, pursuant to this Act, the data are supplemented.

Disclosure of personal data in certain cases.

8.-Any restrictions in this Act on the disclosure of personal data do not apply if the disclosure is-

(a) in the opinion of a member of the Garda Siochana not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under this paragraph, required for the purpose of safeguarding the security of the State,

(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid,

(c) required in the interests of protecting the international relations of the State,

(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property,

(e) required by or under any enactment or by a rule of law or order of a court,

(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness,

(g) made to the data subject concerned or to a person acting on his behalf, or

(h) made at the request or with the consent of the data subject or a person acting on his behalf.

 

The Data Protection Commissioner

The Commissioner.

9.(1) For the purposes of this Act, there shall be a person

(referred to in this Act as the Commissioner) who shall be known as an Coimisinéir Cosanta Sonraí or, in the English language, the Data Protection Commissioner; the Commissioner shall perform the functions conferred on him by this Act.

(2) The provisions of the Second Schedule to this Act shall have effect in relation to the Commissioner.

Enforcement of data protection.

10.(1)(a) The Commissioner may investigate, or cause to be investigated, whether any of the provisions of this Act have been, are being or are likely to be contravened by a data controller or a data processor in relation to an individual either whether the individual complains to him of a contravention of any of those provisions or he is otherwise of opinion that there may be such a contravention.

(b) Where a complaint is made to the Commissioner under paragraph (a) of this subsection, the Commissioner shall-

(i) investigate the complaint or cause it to be investigated, unless he is of opinion that it is frivolous or vexatious, and

(ii) as soon as may be, notify the individual concerned in writing of his decision in relation to the complaint and that the individual may, if aggrieved by his decision, appeal against it to the Court under section 26 of this Act within 21 days from the receipt by him of this notification.

(2) If the Commissioner is of opinion that a person, being a data controller or a data processor, has contravened or is contravening a provision of this Act (other than a provision the contravention of which is an offence), the Commissioner may, by notice in writing (referred to in this Act as an enforcement notice) served on the person, require him to take such steps as are specified in the notice within such time as may be so specified to comply with the provision concerned.

(3) Without prejudice to the generality of subsection (2) of this section, if the Commissioner is of opinion that a data controller has contravened section 2(1) of this Act, the relevant enforcement notice may require him-

(a) to rectify or erase any of the data concerned, or

(b) to supplement the data with such statement relating to the matters dealt with by them as the Commissioner may approve of; and as respects data that are inaccurate or not kept up to date, if he supplements them as aforesaid, he shall be deemed not to be in contravention of paragraph (b) of the said section 2(1).

(4) An enforcement notice shall-

(a) specify any provision of this Act that, in the opinion of the Commissioner, has been or is being contravened and the reasons for his having formed that opinion, and

(b) subject to subsection (6) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the requirement specified in the notice within 21 days from the service of the notice on him.

(5) Subject to subsection (6) of this section, the time specified in an enforcement notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (4) (b) of this section and, if an appeal is brought against the requirement, the requirement need not be complied with the subsection (9) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.

(6) If the Commissioner-

(a) by reason of special circumstances, is of opinion that a requirement specified in an enforcement notice should be complied with urgently, and

(b) includes a statement to that effect in the notice,

subsections (4) (b) and (5) of this section shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3) of the Act andshall not require compliance with the requirement before the end of period of 7 days beginning on the data on which the notice is served.

(7) On compliance by a data controller with a requirement under subsection (3) of this section, he shall, as soon as may be and in any event not more than 40 days after such compliance, notify-

(a) the data subject concerned, and

(b) if such compliance materially modifies the data concerned, any person to whom the data were disclosed during the period beginning 12 months before the data of the service of the enforcement notice concerned and ending immediately before such compliance,

of the rectification, erasure or statement concerned.

(8) The Commissioner may cancel an enforcement notice and, if he does so, shall notify in writing the person on whom it was served accordingly.

(9) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an enforcement notice shall be guilty of an offence.

Prohibition on transfer of personal data outside State.

11.(1)The Commissioner may, subject to the provisions of this section, prohibit the transfer of personal data from the State to a place outside the State.

(2) The Commissioner, when considering whether to prohibit a proposed transfer of personal data from the State to a place in a state bound by the Convention, shall have regard to the provisions of Article 12 of the Convention.

(3) The Commissioner shall not prohibit a proposed transfer of personal data from the State to a place outside the State unless he is of opinion that the transfer would, if the place were in a state bound by the Convention, be likely

to lead to a contravention of the basic principles for data protection set out in Chapter II of the Convention.

(4) In determining whether to prohibit a transfer of personal data under this section, the Commissioner shall also consider whether the transfer would be likely to cause damage or distress to any person and have regard to the desirability of facilitating international transfers of data.

(5) A prohibition under subsection (1) of this section shall be effected by the service of a notice (referred to in this Act as a prohibition notice) on the person proposing to transfer the data concerned.

(6) A prohibition notice shall-

(a) prohibit the transfer concerned either absolutely or until the person aforesaid has taken such steps as are specified in the notice for protecting the interests of the data subjects concerned,

(b) specify the time when it is to take effect

(c) specify the grounds for the prohibition, and

(d) subject to subsection (8) of this section, state that the person concerned may appeal to the Court under section 26 of this Act against the prohibition specified in the notice within 21 days from the service of the notice on him.

(7) Subject to subsection (8) of this section, the time specified in a prohibition notice for compliance with the prohibition specified therein shall not be expressed to expire before the end of the period of 21 days specified in subsection (6) (d) of this section and, if an appeal is brought against the prohibition, the prohibition need not be complied with and subsection (13) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.

(8) If the Commissioner-

(a) by reason of special circumstances, is of opinion that a prohibition specified in a prohibition notice should be complied with urgently, and

(b) includes a statement to that effect in the notice,

subsections (6) (d) and (7) of this section shall not apply in relation to the notice but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3) of this Act and shall not require compliance with the prohibition before the end of the period of 7 days beginning on the date on which the notice is served.

(9) The Commissioner may cancel a prohibition notice and, if he does so, shall notify in writing the person on whom it was served accordingly.

(10) This section shall not apply to a transfer of data if the transfer of the data or the information constituting the data is required or authorised by or under any enactment or required by any convention or other instrument imposing an international obligation on the State.

(11) For the purposes of this section, a place shall be deemed to be in a state bound by the Convention if it is in any territory in respect of which the state is so bound.

(12) (a) This section applies, with any necessary modification, to a transfer of information from the State to a place outside the State for conversion into personal data as it applies to a transfer or personal data from the State to such a place.

(b) In paragraph (a) of this subsection "information" means information (not being data) relating to a living individual who can be identified from it.

(13) A person who, without reasonable excuse, fails or refuses to comply with a prohibition specified in a prohibition notice shall be guilty of an offence.

Power to require information.

12.(1) The Commissioner may, by notice in writing (referred to in this Act as an information notice) served on a person, require the person to furnish to him in writing within such time as may be specified in the notice such information in relation to matters specified in the notice as is necessary or expedient for the performance by the Commissioner of his functions.

(2) Subject to subsection (3) of this section-

(a) an information notice shall state that the person concerned may appeal to the Court under section 26 of this Act against the requirement specified in the notice within 21 days from the service of the notice on him, and

(b) the time specified in the notice for compliance with a requirement specified therein shall not be expressed to expire before the end of the period of 21 days specified in paragraph (a) of this subsection and, if an appeal is brought against the requirement, the requirement need not be complied with and subsection (5) of this section shall not apply in relation thereto, pending the determination or withdrawal of the appeal.

(3) If the Commissioner-

(a) by reason of special circumstances, is of opinion that a requirement specified in an information notice should be complied with urgently, and

(b) includes a statement to that effect in the notice,

subsection (2) of this section shall not apply in relation to the notice, but the notice shall contain a statement of the effect of the provisions of section 26 (other than subsection (3) of this Act and shall not require compliance with the requirement before the end of the period of 7 days beginning on the date on which the notice is served.

(4) (a) No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing to the Commissioner any information that is necessary or expedient for the performance by the Commissioner of his functions.

(b) Paragraph (a) of this subsection does not apply to information that in the opinion of the Minister or the Minister for Defence is, or at any time was, kept for the purpose of safeguarding the security of the State or information that is privileged from disclosure in proceedings in any court.

(5) A person who, without reasonable excuse, fails or refuses to comply with a requirement specified in an information notice or who in purported compliance with such a requirement furnishes information to the Commissioner that the person knows to be false or misleading in a material respect shall be guilty of an offence.

Codes of practice.

13.(1)The Commissioner shall encourage trade associations and other bodies representing categories of data controllers to prepare codes of practice to be complied with by those categories in dealing with personal data.

(2) The Commissioner may approve of any code of practice so prepared (referred to subsequently in this section as a code) if he is of opinion that it provides for the data subjects concerned a measure of protection with regard to personal data relating to them that conforms with that provided for by sections 2, 3, 4 (other than subsection (8) and 6 of this Act and shall encourage its dissemination to the data controllers concerned.

(3) Any such code that is so approved of may be laid by the Minister before each House of the Oireachtas and, if each such House passes a resolution approving of it, then-

(a) in so far as it relates to dealing with personal data by the categories of data controllers concerned-

(i) it shall have the force of law in accordance with its terms, and

(ii) upon its commencement, references (whether specific or general) in this Act to any of the provisions of the said sections shall be

construed (or, if the code is in substitution for a code having the force of law by virtue of this subsection, continued to be construed) as if they were also references to the relevant provisions of the code for the time being having the force of law.

and

(b) it shall be deemed to be a statutory instrument to which the Statutory Instruments Act, 1947, primarily applies.

(4) This section shall apply in relation to data processors as it applies in relation to categories of data controllers with the modification that the references in this section to the said sections shall be construed as references to section 2(1)(d) of this Act and with any other necessary modifications.

Annual report.

14.(1) The Commissioner shall in each year after the year in which the first Commissioner is appointed prepare a report in relation to his activities under this Act in the preceding year and cause copies of the report to be laid before each House of the Oireachtas.

(2) Notwithstanding subsection (1) of this section, if, but for this subsection, the first report under that subsection would relate to a period of less than 6 months, the report shall relate to that period and to the year immediately following that period and shall be prepared as soon as may be after the end of that year.

Mutual assistance between parties to the Convention.

15.(1) The Commissioner is hereby designated for the purposes of Chapter IV (which relates to mutual assistance) of the Convention.

(2) The Minister may make any regulations that he considers necessary or expedient for the purpose of enabling the said Chapter IV to have full effect.