Introduction

The Data Protection Act 2018 came into effect on 25 May 2018. The Act amends the Data Protection Acts 1988 and 2003.  It gives effect to EU Regulation 2016/679 – more commonly known as the General Data Protection Regulation (GDPR) – and EU Directive 2016/680 which applies to prosecutors, Gardaí and others in the criminal justice system.

The Act is designed to protect people’s privacy. It confers rights on individuals in relation to the privacy of their personal data, as well as responsibilities on individuals and/or organisations holding and processing that data.

Because the Office of the Director of Public Prosecutions (ODPP) processes personal data it has certain obligations under the Act. This statement explains what those obligations are and how we will comply with them.  It does not deal with every possible situation and it does not give legal advice.  If you think you need legal advice, you should talk to a solicitor.

The DPP decides whether or not to prosecute in criminal cases. The majority of cases dealt with by the DPP relate to serious crimes such as murder, manslaughter, sexual offences or fatal road incidents. The DPP also decides what the charges should be.  Once the prosecution begins, the Office of the DPP is responsible for the prosecution case.

The Chief Prosecution Solicitor acts as solicitor to the DPP and is head of the Solicitors Division of the DPP’s Office. The staff of the Solicitors Division represent the DPP in courts in Dublin.  Local state solicitors represent the DPP in courts outside Dublin.

The DPP and lawyers in the Office of the DPP are independent when making decisions. They make decisions in serious criminal cases based on investigation files sent to the Office by an investigating agency, usually the Garda Síochána. These files will contain data on suspects, victims and witnesses.

In less serious criminal cases the Garda Síochána make decisions to prosecute or not to prosecute. If this happens the Gardaí do not send a file to the DPP so the Office of the DPP will not hold data on the suspects, victims or witnesses in those cases.

The Data Protection Act 2018 came into effect on 25 May 2018. The Act amends the Data Protection Acts 1988 and 2003.

It gives effect to EU Regulation 2016/679 – more commonly known as the General Data Protection Regulation (GDPR) – which relates to the protection of individuals with regard to the processing of their personal data and the free movement of that data.

The Act also gives effect to EU Directive 2016/680 which relates to the protection of individuals with regard to the processing of their personal data by competent authorities (such as the Office of the Director of Public Prosecutions) for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of that data.

The Data Protection Act 2018 specifies the role of controllers and processors. The Office of the DPP is a data controller.  This means that the Office determines the purpose of the personal data it obtains and how it will be processed.

Some of the work of the Office of the DPP is undertaken by external parties, for example, Counsel and State Solicitors. These parties process personal data on behalf of the Office of the DPP.  This means that they are processors.  All such processors are required to act only on the instructions of the DPP as the controller and are obliged to fulfil their obligations in relation to the use of this personal data under the Act.

Personal data processed by the Office of the DPP generally relates either to the prosecution of criminal offences or to the general administration of the Office.

Examples of some of the categories of data processed in relation to the prosecution of criminal offences include:

  • Suspect details
  • Victim details
  • Witness details
  • Personal details of stakeholders, including State Solicitors, Gardaí, Counsel, and Court Services
  • Results of prosecutions undertaken against specific suspects

Examples of some of the categories of data processed by the Office of the DPP in relation to the general administration of the Office include:

  • Payments made to various service providers
  • Staff details

When processing personal data the Office of the DPP will adhere to the Data Protection Rules. The rules oblige us to:

  • Process the data lawfully and fairly
  • Collect it for one or more specified purpose only and process it in ways compatible with that purpose
  • Ensure that it is adequate, relevant and not excessive
  • Ensure that it is accurate and, where necessary, kept up-to-date
  • Ensure that data that is inaccurate is erased or rectified without delay
  • Retain it no longer than is necessary for the specified purpose
  • Keep it safe and secure and protect it against unauthorised or unlawful processing and accidental loss, destruction or damage

An individual whose personal data is being processed by the DPP has a right to know:

  • why the data is being processed;
  • the categories of personal data being processed;
  • the third parties, if any, to whom the data has been disclosed;
  • how long the data will be kept by the DPP.

If an individual wishes to know about their personal data they can make a Subject Access Request.

Introduction

Data protection laws give you (a data subject) the right to see the personal information that organisations hold about you. Under the GDPR (General Data Protection Regulation) and the Data Protection Act 2018, you have the right to know:

  • Whether we are using your personal data
  • What data we have about you
  • Why we are using your personal data and who we share it with
  • How long we will keep your personal data; and
  • How you can complain to the Data Protection Commission (DPC) if you are unhappy.

You can ask for this information by making what is called a ‘Data Subject Access Request’ (DSAR).

What do I need to make a Data Subject Access Request (DSAR)?

To protect your personal data, we may ask you to prove your identity (for example, with a passport, driver’s licence or Public Services Card). Sometimes we may also need extra details to help us find your information.

How do I submit a Data Subject Access Request (DSAR)?

To help us process your request as quickly as possible, we recommend that you complete our Data Subject Access Request Form . While it is not legally required, it helps us clearly understand your request and find your information.

Can a solicitor make my request for me?

Yes. They just need a signed letter from you saying they can act on your behalf. This is to protect your personal data.

Can someone else act for me?

Yes. You can choose someone other than a solicitor to make a request for you. We will need the following:

  • A signed letter from you saying they can act for you; and
  • Proof of identity for both you and the person acting for you.

Can I make a request for a child (under 18)?

Yes. You may submit a DSAR for a child if:

  • You have parental responsibility for the child; and
  • The child, due to their age or capacity, is not able to understand or exercise their data protection rights.

We may ask for further information to ensure that the request is in the best interests of the child. If the child is sufficiently mature to understand their rights, we may instead ask that the request be made by the child themselves.

Do I have to pay a fee?

No. DSARs are normally free of charge. But if your request is unfounded or excessive, we may charge a reasonable fee.

What happens after I submit my request?

We check your identity and any letter of authority (if needed). Once we have everything we need, we will usually respond to you within one month. If your request is complex, we may take up to two more months. In such cases, we will let you know within the first month.

What if you need more information from me?

We will contact you. The one‑month time limit only starts when we have all the information we need to deal with your request.

How will I receive my response?

We usually reply in the same way you contacted us – email or post. Responses are sent by secure email or by registered post. You can choose your preferred response method on our DSAR form.

Will I receive all of my personal data?

We can only provide information that relates directly to you. There are some legal restrictions on what we can share, meaning certain information cannot be disclosed.

Why might some personal data not be provided?

We may have to withhold certain information, for example:

  • If it is legally privileged (confidential and cannot be shared with others)
  • If it contains someone else’s personal data
  • If disclosure would prejudice an ongoing prosecution; or
  • If the request is unfounded or excessive

If we withhold certain information, we will explain why.

If my details are wrong, can I ask for them to be corrected?

Yes. You have the right to request that any inaccurate personal data held by the Director of Public Prosecutions (DPP) be corrected.

An individual can also ask the DPP to correct or erase any personal data held by the DPP which they believe to be inaccurate – with the exception of personal data contained in witness statements.

If you believe your personal information is incorrect or incomplete, you should contact the DPP’s office, providing details of the data in question and the correction requested. The request will be assessed in line with applicable data protection laws.

What if I am unhappy with the response I receive?

If you are unhappy with how your request was handled or with the reasons provided, you have the right to lodge a complaint with the Data Protection Commission:

Data Protection Commission
6 Pembroke Row
Dublin 2
D02 X963

Where can I learn more about my rights?

Visit the Data Protection Commission website: www.dataprotection.ie

[/vc_column_text]

There are some restrictions to an individual’s right of access to personal data held by the DPP. For example, personal data cannot be released if:

  • doing so would prejudice the prevention, detection, investigation or prosecution of criminal offences;
  • doing so would prejudice the discharging of criminal penalties;
  • the information sought is legally privileged.

If the Office of the DPP restricts an individual’s right of access to personal data, the individual can appeal the decision to the Data Protection Commission.

The Office of the DPP must keep a record of reasons for decisions to restrict access to information. The Data Protection Commission can ask to see this record at any time.

The Office of the DPP holds data relating to prosecution cases for an indefinite period of time. This is because evidence may be required in the future in the event of a later court case.

The Data Protection Officer for the Office of the DPP can be contacted at:

Data Protection Officer
Office of the Director of Public Prosecutions
Infirmary Road
Dublin 7

Tel: +353 (0)1 858 8600
E-mail: data.protection@dppireland.ie

A breach of data protection will immediately be reported to the Data Protection Officer in the Office of the DPP. Within 72 hours of becoming aware of the breach the Data Protection Officer will notify the Data Protection Commission as appropriate.

The Data Protection Officer will also contact the individual whose data was compromised to inform them of the breach.

The Office of the DPP is subject to oversight by the Data Protection Commission in relation to data protection matters. The Commission can audit the Office of the DPP’s compliance with Data Protection legislation.

Individuals who wish to make a complaint can contact the Data Protection Commission at:

Data Protection Commission
21 Fitzwilliam Square
Dublin 2
D02 RD28

Tel: +353 (0)57 868 4800 or 0761 104 800
Web: www.dataprotection.ie

Key Definitions

The following are explanations of some of the key terms used in the Data Protection Act 2018:

Data means automated and manual data.

Relevant filing system means any set of information that is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible.

Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Data Subject is an individual who is the subject of personal data.

Controller is a person who (either alone or with others) controls the contents and use of personal data.

Processor is a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his/her employment.

Processing means performing any operation or set of operations on the data, whether or not by automatic means, including:

  • collecting, recording organising, structuring or storing the data
  • adapting or altering the data
  • retrieving, consulting or using the data
  • disclosing the data by transmitting, disseminating or otherwise making it available
  • aligning, combining, restricting, erasing or destroying the data.