Monday, January 19, 2009

Data Protection Review Group Announced

The Department of Justice has today announced the creation of a Data Protection Review Group on breaches of data protection. The terms of reference are:
a. Legal issues

i. Consider whether Irish Data Protection legislation needs to be amended to deal with data breaches.
ii. Assess the effectiveness of existing legislation in this context, including the impact of mandatory reporting legislation where it has been introduced.
iii. Assess the likely impact of the scope and timing of the forthcoming ePrivacy Directive and next EU Data Protection directive and other relevant international legislative developments.
iv. Describe the range of options in existing legislation within EU and with competing non EU states.
v. Consider the potential formats of mandatory reporting.
vi. Consider the role and level of penalties in any mandatory regime.

b. Technical issues

i. Definition of "breach" in the context of how organisations' use of technology is changing.
ii. Assessment of the assortment of devices and locations holding data now.
iii. Assessment of whether the same mechanisms should apply to paper and electronic media in any suggested change.
iv. Attempt to foresee unintended consequences in the light of the rapid evolution of technology and business practices.

c. Regulatory issues

i. Assess the prevalence of the data breach problem and level of existing reports.
ii. Assess any empirical evidence that Data Protection legislation informs industrial location decisions.
iii. Consider whether any change bear on Public and Private sectors equally.
iv. Assess how to establish the threshold of seriousness - in some cases a very small number of records could potentially cause substantial harm.
v. Balance the potential effectiveness of any proposed change against increasing the costs of doing business in Ireland - the Group should, insofar as possible, ensure that its deliberations equate to a Regulatory Impact Analysis.

The members of the group are:
Chairman: Mr. Eddie Sullivan (former Secretary General Department of Finance), Mr. Billy Hawkes, Data Protection Commissioner, Professor Robert Clark (School of Law, UCD), Ms. Isolde Goggin (former Chair of Comreg and expert on Regulatory Impact Assessment), Mr. Alec Dolan & Ms. Noreen Walsh (Department of Justice, Equality and Law Reform, Mr. Dave Ring (CMOD, Department of Finance), Mr. Tony McGrath (Department of Enterprise, Trade and Employment), Mr. Paul Carroll (Department of Social and Family Affairs) and Mr. Roger O'Connor (Department of Communications, Marine and Natural Resources).

The decision to look at data breaches - and in particular mandatory reporting - was made in October of last year after parliamentary questions revealed that the government was losing at least one electronic device per week, and that the vast majority of devices were not encrypted.

Submissions to the group should be sent to by March 1st.

1 comment:

  1. I wonder will the anomalous situation between Irish legislation and EU legislation on date retention will be reviewed?