Alex White (Dublin South, Labour) | Oireachtas source

As we are discussing amendments Nos. 1 and 10 together, I will address both amendments. Section 66C(2) clarifies that section 6A of the Data Protection Act 1988, in other words, the principal Act, which relates to the processing of personal data that is likely to cause damage or distress, which is the issue Deputy Colreavy raises, does not apply where the processing is necessary to undertake a legitimate postcode activity. This would cover, for example, a case where an owner or occupier of a property disagrees with the matching of his or her address to an Eircode, in particular, the routing key element of the Eircode, despite the accuracy of any such matching. Section 66C(2) is, therefore, an essential provision in the Bill.

To address directly the issue raised by the Deputy, section 7 of the main Data Protection Act already provides that data controllers and processors owe a duty of care to data subjects, which duty relates to the collection of and dealings with personal data. The provisions of the principal Act apply in respect of breaches of the rights contained therein. Section 30 of the Data Protection Act provides that the Data Protection Commissioner may bring summary proceedings for an offence under the Act, while section 31 of the Act provides for penalties for offences under the Act.

It is neither appropriate nor necessary to provide for offences here, new offences as it were, for breaches of data protection rights when such provisions already exist in the Data Protection Act. It is not a case that we are omitting enforcement provisions because what we are putting into the Act, if the committee agrees to the amendments, are new provisions, which will have, as it were, the protection of the enforcement provisions that are already in the 1988 Act. We do not need new enforcement measures or new penalties to cover breaches of the new provisions we are putting into the legislation because breaches of those new provisions will still fall to be dealt with under the original Act. Therefore, if a citizen is aggrieved in respect of some breach of these new provisions, they will still have the benefit of the enforcement mechanisms that are already included in the principal Act. There have never been any issues raised, of which I am aware, in regard to the adequacy of the enforcement measures in the Data Protection Acts that made the principal Acts. It is always open to the Oireachtas and to the Deputy to raise the issue of whether the enforcement measures in the general Data Protection Acts are sufficient and adequate. That could be an issue in the future if the Deputy or anyone else believed they were not adequate but no one has ever raised the issue that the existing enforcement mechanisms are not adequate.

In regard to the Deputy's second point, which relates to the contractor and the complaints procedure, a code of practice has been put in place and the contractor has had good contact with the Data Protection Commissioner about it and the commissioner has had an opportunity to have an input into the new code of practice dealing with the complaints procedure under this amendment Bill. As I understand it and as I have been advised, the Data Protection Commissioner has given her input into that code of practice and on the basis and understanding that her input is incorporated into the code of practice by the contractor, the Data Protection Commissioner will be amenable to agreeing to that code of practice.

We are not supplanting the role of the Data Protection Commissioner, Someone could still make a complaint to the Data Protection Commissioner under the Data Protection Acts. We are not hollowing out any powers from the Data Protection Commissioner. At the initial phase, if that is an accurate way of describing it, one will be able to make a complaint under this new complaints procedure, but that will not take away one's right to make a complaint in the normal way to the Data Protection Commission. Those are my responses to the Deputy's comments.