- The purpose of this legislation, due to be promulgated during the course of 2012, is to
- Promote the protection of personal information processed by public and private bodies;
- Introduce certain conditions so as to establish minimum requirements for the processing of personal information;
- Provide for the establishment of an Information Regulator;
- Provide for the issuing of codes of conduct;
- Provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
- Regulate the flow of personal information across the borders of the Republic; and
- Provide for matters connected therewith.
- The Bill goes on to note that its intention is to “regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests...”
- Of significance is the requirement in respect of notification of security compromises.
- Where there are reasonable grounds to believe the personal information has been accessed or acquired by any unauthorized person, the reasonable party must notify the regulator and the data subject (unless the identity of the data subject cannot be identified).
- The regulator may direct a responsible party to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.