S.I. No. 623/2024 - Data Protection Act 2018 (Section 51(3)) (Defence Forces Tribunal of Inquiry) Regulations 2024
Notice of the making of this Statutory Instrument was published in | ||
“Iris Oifigiúil” of 12th November, 2024. | ||
I, MICHEÁL MARTIN, Minister for Defence, in exercise of the powers conferred on me by subsection (3) of section 51 of the Data Protection Act 2018 (No. 7 of 2018), having had regard to the matters referred to in subsection (8) of section 36 and subsection (7) of section 51 of that Act and having duly complied with subsections (5)(b) and (6) of section 36 and subsection (6)(b) of section 51 of that Act, hereby make the following regulations with respect to which, pursuant to section 6 of that Act, a draft has been laid before each House of the Oireachtas and a resolution approving the draft has been passed by each such House: | ||
Citation | ||
1. These Regulations may be cited as the Data Protection Act 2018 (Section 51(3)) (Defence Forces Tribunal of Inquiry) Regulations 2024. | ||
Definitions | ||
2. In these Regulations – | ||
“Act of 2018” means the Data Protection Act 2018 (No. 7 of 2018); | ||
“Article 10 data” has the same meaning as it has in section 55 of the Act of 2018; | ||
“Instrument of 2024” means the Tribunals of Inquiry (Evidence) Act 1921 (Appointment of Tribunal) Instrument 2024 ( S.I. No. 304 of 2024 ); | ||
“relevant personal data” has the meaning given to it by Regulation 3; | ||
“resolutions” means the resolution passed by Dáil Éireann on 24 January 2024 and the resolution passed by Seanad Éireann on 30 January 2024, the text of which resolutions is set out in the recital to the Instrument of 2024; | ||
“Tribunal” means the tribunal appointed by the Instrument of 2024. | ||
Relevant personal data | ||
3. In these Regulations, “relevant personal data” means – | ||
(a) special categories of personal data, and | ||
(b) without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 (No. 4 of 2016), Article 10 data. | ||
Processing, including further processing, of relevant personal data for reasons of substantial public interest | ||
4. Subject to the Data Protection Regulation and the Act of 2018, the processing, including the further processing, by the Tribunal of relevant personal data is authorised only in so far as is necessary for, and proportionate to, the substantial public interest referred to in Regulation 5. | ||
Substantial public interest | ||
5. For the purposes of Regulation 4, “substantial public interest” means the performance by the Tribunal of functions in connection with a matter which is specified in the resolutions as a matter of urgent public importance and for which the Tribunal was appointed to inquire into, report and make such findings and recommendations as it sees fit to the Taoiseach under the Instrument of 2024. | ||
Persons to whom relevant personal data may be disclosed | ||
6. Relevant personal data may be disclosed to the following persons in accordance with such policies and procedures as may be provided for under Regulation 7: | ||
(a) the sole member of the Tribunal; | ||
(b) the registrar to the Tribunal; | ||
(c) counsel to the Tribunal; | ||
(d) solicitor to the Tribunal; | ||
(e) a person appointed by the Tribunal in accordance with section 6 of the Tribunals of Inquiry (Evidence) (Amendment) Act 2002 (No. 7 of 2002) to be an investigator; | ||
(f) a member of staff of the Tribunal; | ||
(g) a person appointed by the Tribunal to provide advice or assistance to it in respect of any matter it thinks fit. | ||
Suitable and specific measures to be taken to safeguard the fundamental rights and freedoms of a data subject in processing, including further processing, relevant personal data authorised by these Regulations | ||
7. The Tribunal shall, for the purposes of safeguarding the fundamental rights and freedoms of a data subject in processing, including further processing, relevant personal data in accordance with these Regulations, take the following suitable and specific measures: | ||
(a) prepare and implement policies and procedures for the processing, including further processing, of relevant personal data under these Regulations, including in relation to the following: | ||
(i) the use of secure storage, passwords, encryption, logging mechanisms and other methods to ensure that the relevant personal data can only be accessed by persons authorised by the Tribunal to access that relevant personal data; | ||
(ii) the use of controls to ensure that relevant personal data are only disclosed to persons authorised by the Tribunal, or who are entitled or permitted by law, to receive that relevant personal data; | ||
(iii) the determination of appropriate storage periods for relevant personal data or classes of relevant personal data; | ||
(iv) the treatment of relevant personal data or classes of relevant personal data at the expiry of the storage periods referred to in subparagraph (iii); | ||
(v) the erasure of relevant personal data; | ||
(vi) where relevant personal data processed or further processed under these Regulations relate to the health of a data subject, ensuring that the processing, including further processing, of that relevant data is carried out by a person referred to in section 52(2) of the Act of 2018; | ||
(vii) the designation by the Tribunal of a data protection officer for the purposes of these Regulations; | ||
(viii) data minimisation, including the use of anonymisation and pseudonymisation, where appropriate; | ||
(b) without prejudice to the generality of paragraph (a), take such other measures as the Tribunal considers appropriate to ensure that – | ||
(i) relevant personal data are processed or further processed under these Regulations to the extent only that such processing or further processing is strictly necessary, and | ||
(ii) on a regular basis, an assessment is made by the Tribunal of the risks to the fundamental rights and freedoms of data subjects in respect of whom data are processed or further processed under these Regulations by reason of such processing or further processing; | ||
(c) ensure that on a regular basis the policies and procedures referred to in paragraph (a) and any measures referred to in paragraph (b) are reviewed, and, as it considers it appropriate to do so, updated. | ||
| ||
GIVEN under my Official Seal, | ||
7 November, 2024. | ||
MICHEÁL MARTIN, | ||
Minister for Defence. | ||
EXPLANATORY NOTE | ||
(This note is not part of the Instrument and does not purport to be a legal interpretation.) | ||
These Regulations authorise the processing, including the further processing, of special categories of personal data, including Article 10 data, by the Defence Forces Tribunal of Inquiry (‘the Tribunal’) pursuant to section 51 (3) of the Data Protection Act 2018 to the extent that such processing is necessary and proportionate for reasons of substantial public interest. | ||
The Regulations also require the Tribunal to have in place certain suitable and specific measures relating to the processing, including the further processing, of data under these regulations. |
