The remaining provisions of the Acts, including sections 4(13), 6(2) (b), and 10(7) (b), were commenced on 18 July 2014 by Statutory Instruments 337 and 338 of 2014.
Data Protection Act 1988 (Commencement) Order 2014 (SI 337 of 2014)
This Regulation commences sections 6(2)(b) and 10(7)(b) of the Acts. These provisions provide data controllers with an obligation to notify third parties when personal data has been rectified or erased.
Section 6 already provides that a data controller must notify a data subject when the controller rectifies, blocks or erases personal data that are collected, processed or otherwise dealt with in contravention of the Data Protection Acts. Section 6(2)(b) now requires the data controller to also notify any person to whom personal data were disclosed during the preceding 12 months, unless such notification proves impossible or involves disproportionate effort.
Section 10 already provides that a data controller must notify the data subject, where the controller rectifies, blocks, erases, destroys, or adds a statement to personal data, in compliance with an enforcement notice issued by the Data Protection Commissioner. Section 10(7)(b) now requires the data controller to also notify any person to whom the personal data were disclosed during the preceding 12 months, unless such notification provides impossible or involves a disproportionate effort.
Data Protection (Amendment) Act 2003 (Commencement) Order 2014 (SI 338 of 2014)
This Regulation commences section 4(13) of the Acts, concerning enforced subject access. It makes it a criminal offence for an employer to attempt to require an employee, prospective employee, or independent contractor, to make an access request or to reveal the result of such an access request.
Employers should review their recruitment policies and procedures so as to ensure that their application and screening process does not provide for any enforced data access requests.