Vehicle Registration Data (Automated Searching and Exchange) Act 2018

/static/images/base/harp.jpg


Number 5 of 2018


VEHICLE REGISTRATION DATA (AUTOMATED SEARCHING AND EXCHANGE) ACT 2018


CONTENTS

1. Interpretation

2. National contact point in State - vehicle registration data

3. Automated searching of vehicle registration data held in National Vehicle and Driver File

4. Automated searching of vehicle registration data held by designated states

5. Correction of inaccurate data and deletion of incorrectly supplied data

6. Recording of automated supply of personal data

7. Data Protection Commissioner’s functions

8. Application of Data Protection Act 1988

9. Duties of data controllers

10. Authorised officers

11. Short title and commencement


Acts Referred to

Data Protection Act 1988 (No. 25)

Finance Act 1992 (No. 9)

Finance Act 1993 (No. 13)

Finance Act 1994 (No. 13)

Finance Act 2003 (No. 3)

/static/images/base/harp.jpg


Number 5 of 2018


VEHICLE REGISTRATION DATA (AUTOMATED SEARCHING AND EXCHANGE) ACT 2018


An Act to give effect to Council Decision 2008/615/JHA of 23 June 20081 and Council Decision 2008/616/JHA of 23 June 20082 and the Agreement between the European Union and Iceland and Norway on the application of those two Council Decisions insofar as those Council Decisions or that Agreement concern cooperation in relation to automated searching of vehicle registration data and the exchange of such data by or between authorities which are responsible for the prevention, detection and investigation of criminal offences in the State, the other member states of the European Union and Iceland and Norway, and to provide for related matters.

[25th April, 2018]

Be it enacted by the Oireachtas as follows:

Interpretation

1. (1) In this Act—

“Agreement” means Agreement with Iceland and Norway;

“Agreement with Iceland and Norway” means the Agreement between the European Union and Iceland and Norway on the application of certain provisions of the Council Decision and the Implementing Council Decision and the Annex thereto, done at Stockholm on 26 November 2009 and at Brussels on 30 November 20093 ;

“authorised officer” means a person who is appointed under section 10 (1) to be an authorised officer for vehicle registration data for the purpose of this Act;

“automated search” means direct on-line access to the automated files of another body where the response to the search is fully automated;

“blocking”, in relation to personal data, means the marking of stored personal data with the aim of limiting their processing in the future;

“Council Decision” means Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime;

“data controller” means a person who, either alone or with others, controls the contents and use of personal data;

“data protection authority”, in relation to a designated state, means the authority in that designated state that is designated by that designated state to be the independent data protection authority of that designated state for the purposes of a European Union instrument or the Agreement;

“data subject” means an individual who is the subject of personal data;

“designated state” means a Member State (other than the State), Iceland or Norway;

“European Union instrument or the Agreement” means the following European Union instruments or agreement, or provisions thereof, insofar as they concern cooperation in relation to—

(a) automated searching of vehicle registration data, and

(b) the exchange of such data,

by or between authorities which are responsible for the prevention, detection and investigation of criminal offences in the State and designated states under—

(i) the Council Decision and the Implementing Council Decision,

(ii) the Agreement,

or any of them, as the case may be;

“Implementing Council Decision” means Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime;

“individual case” means the investigation or prosecution of an offence or offences arising from a single event, incident or circumstances, but includes a case where a search for more than one vehicle or owner or operator of a vehicle is required;

“Minister” means Minister for Transport, Tourism and Sport;

“national contact point” means, in relation to a European Union instrument or the Agreement—

(a) in the case of the State, the Minister, and

(b) in the case of a designated state, the authority or person designated by that state as its national contact point;

“National Vehicle and Driver File” means records established and maintained by the Minister under section 60 (as amended by section 86 of the Finance Act 1994 ) of the Finance Act 1993 ;

“personal data” means data relating to an individual who can be identified either from the data or from the data in conjunction with other information in the possession of a data controller;

“processing”, in relation to personal data, means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, sorting, retrieval, consultation, use, disclosure by supply, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction of data and includes the sending or receiving of a receipt of a notification under section 3 (3) or 4 (2);

“registration number” means—

(a) in the case of a vehicle registered in the State under section 131 (as amended by section 102 of the Finance Act 2003 ) of the Finance Act 1992 , the identification number assigned to the vehicle under subsection (5) of that section, and

(b) in the case of a vehicle registered in a designated state, the identification number assigned to the vehicle by that state;

“vehicle registration data” means—

(a) data relating to owners and operators of vehicles, and

(b) data relating to vehicles,

being—

(i) in the case of the State, data held in the National Vehicle and Driver File, and

(ii) in the case of a designated state, data held on its national vehicle registration database by whatever name called and however it is organised;

“VIN”, in relation to a vehicle, means the vehicle identification number, that is to say, the fixed combination of characters assigned to a vehicle by the manufacturer, marked on the manufacturer’s plate and on the chassis, frame or other similar structure of the vehicle.

(2) A word or expression that is used in this Act and also in a European Union instrument or the Agreement has, unless the context otherwise requires, the same meaning in this Act as it has in the European Union instrument or the Agreement.

National contact point in State - vehicle registration data

2. The Minister is designated as the national contact point in relation to vehicle registration data for the purposes of this Act and shall perform in the State the functions of the national contact point provided for in a European Union instrument or the Agreement insofar as they concern cooperation in relation to automated searching of vehicle registration data and the exchange of such data.

Automated searching of vehicle registration data held in National Vehicle and Driver File

3. (1) For the purpose of the prevention and the investigation of criminal offences in a designated state and in dealing with other offences coming within the jurisdiction of the courts or the public prosecution service of a searching designated state, as well as in maintaining public security, the national contact point in the State shall allow the national contact point of a designated state access to the National Vehicle and Driver File with power to conduct automated searches in an individual case in respect of vehicle registration data held in that File.

(2) Automated searches of vehicle registration data held in the National Vehicle and Driver File under this section may be conducted only through the use of the full VIN or full registration number of a vehicle.

(3) The national contact point in the State shall ensure that, following a search by the national contact point of a designated state, a reply is sent to that national contact point, in an automated manner, comprising—

(a) where data are found—

(i) a notification of the data, and

(ii) notification that the data may be used only for the purposes for which the data have been supplied or for the purpose of logging and recording the supply of data for the purposes of the Council Decision,

or

(b) where data are not found, a notification to that effect.

(4) In conducting an automated search under this section of data in the National Vehicle and Driver File, data supplied by the national contact point of a designated state in accordance with Article 12 of the Council Decision may be used by an authorised officer administering the file solely where this is necessary for the purpose of providing automated replies to search procedures and recording under section 6 .

(5) Subject to section 6 , the data supplied by the national contact point of a designated state referred to in subsection (4), shall be deleted immediately following automated replies to searches.

Automated searching of vehicle registration data held by designated states

4. (1) For the purpose of the prevention and investigation of criminal offences in the State, the national contact point in the State may make a request to the national contact point of a designated state for access to vehicle registration data held by that designated state in order to conduct automated searches in an individual case in respect of vehicle registration data held on the database of that designated state.

(2) The automated reply from the national contact point of the designated state concerned shall be received by the national contact point in the State.

(3) Searches in accordance with this section may be conducted only through the use of a vehicle’s full VIN or full registration number.

(4) The national contact point in the State may process any personal data received by it under this section, under a European Union instrument or the Agreement, from the contact point of a designated state solely for the purposes for which the data have been supplied, unless that other national contact point authorises processing for other purposes.

(5) Personal data received by the national contact point in the State under this section from the national contact point of a designated state may be supplied by the national contact point in the State, with the prior authorisation of the national contact point of that other state to—

(a) the courts,

(b) the Garda Síochána,

(c) the Director of Public Prosecutions, or

(d) other persons whom the national contact point in the State considers appropriate,

where required for the purposes of the prevention and investigation of criminal offences.

Correction of inaccurate data and deletion of incorrectly supplied data

5. (1) Whenever, whether on notification from a data subject or otherwise, it comes to the attention of the national contact point in the State that data supplied under this Act are either incorrect or should not have been supplied, the national contact point shall, as soon as practicable, inform the national contact point of the designated state concerned that received the data of that fact and request that national contact point to correct or delete, as may be appropriate, the data concerned.

(2) If the national contact point in the State receives data from the national contact point of a designated state without requesting them, the national contact point shall immediately check whether the data are necessary for the purpose for which they were supplied by the national contact point of the designated state concerned.

(3) Whenever, whether on notification from a data subject or otherwise, it comes to the attention of the national contact point in the State, that data received by the national contact point under section 3 or 4 are either incorrect or should not have been supplied, the national contact point in the State shall, after consultation with the national contact point of the designated state that supplied the data, correct or delete, as may be appropriate, the data concerned.

(4) Subject to subsection (8), a national contact point shall delete data received pursuant to this Act when they are no longer required for the purpose for which they were supplied and, in any event, shall do so not later than the expiration of the maximum period (if any) prescribed by the law of the designated state concerned and specified by the national contact point of that designated state at the time the data were supplied.

(5) If a data subject contests the accuracy of data supplied or received and the accuracy of those data cannot be ascertained, the national contact point in the State shall, as soon as is reasonably practicable, inform the data subject accordingly.

(6) If, following a notification to a data subject under subsection (5), the data subject so requests, the national contact point in the State shall note on those data that the accuracy of them cannot be ascertained, and such a note may be removed only if—

(a) the data subject consents to its removal, or

(b) the Data Protection Commissioner, on application made to the Commissioner in that behalf, is satisfied that the note may be removed.

(7) Personal data supplied to the national contact point in the State by the national contact point of a designated state which should not have been supplied shall be deleted by the national contact point in the State.

(8) Where the national contact point in the State has grounds for believing that the deletion of data in accordance with subsection (4) would prejudice the interests of the data subject, the national contact point shall instead block the data.

(9) Data blocked in accordance with subsection (8) may be supplied or otherwise further processed only for purposes relating to the interests of the data subject concerned.

Recording of automated supply of personal data

6. (1) The national contact point in the State shall, in relation to requests for supply of personal data under section 3 or 4 , whether or not data are supplied, record such requests and, where appropriate, the supply and receipt of such data.

(2) The recording in accordance with subsection (1) of the supply and receipt of personal data shall be in a permanent legible form or be capable of being converted into a permanent legible form and shall include the following information in relation to the data:

(a) a description of the data supplied or received;

(b) the date and time of the supply or receipt of the data;

(c) the name or reference code of the national contact point of the designated state concerned;

(d) the reason for the search for the data supplied or received;

(e) the identifier of the authorised officer who carried out the search and that of the authorised officer who approved the search or request.

(3) Records created under this section may be used only for the purposes of monitoring data protection and ensuring data security.

(4) The national contact point in the State shall—

(a) retain records created under this section for a period of 2 years from the date of their creation, and

(b) immediately after that period, delete those records.

(5) Whenever requested to do so by the Data Protection Commissioner, the national contact point in the State shall furnish to the Data Protection Commissioner records created under this section as soon as practicable, but in any event not later than 4 weeks, after the receipt of a request to do so.

(6) The national contact point in the State shall—

(a) using the records created under this section, carry out random checks on the lawfulness of the supply and receipt by it of data,

(b) keep the results of those random checks for a period of 18 months from the time they were carried out for the purposes of inspection by the Data Protection Commissioner, and

(c) immediately after that period, delete those results.

Data Protection Commissioner’s functions

7. (1) The Commissioner shall be the competent data protection authority in the State for the purposes of a European Union instrument or the Agreement.

(2) The lawfulness of the processing of personal data supplied or received under this Act shall be monitored by the Commissioner.

(3) The performance by the Commissioner of his or her function under subsection (2) shall include the carrying out of random checks on the processing of personal data referred to in that subsection.

(4) When requested to do so by a data subject, the Commissioner shall examine the lawfulness of the processing of personal data in respect of him or her.

(5) The results of any check under subsection (3) or examination under subsection (4) shall be kept by the Data Protection Commissioner for a period of 18 months and shall be deleted upon the expiring of that period.

(6) The Commissioner may exchange relevant information with the data protection authority of a designated state where necessary in order for the Commissioner or the data protection authority of that designated state to perform their functions in relation to a European Union instrument or the Agreement.

(7) The Commissioner may request the data protection authority of a designated state to perform its functions under the law of that designated state with regard to checking the lawfulness of the processing of personal data supplied by the State to that designated state under a European Union instrument or the Agreement.

(8) The Commissioner may receive information from the data protection authority of a designated state arising from the performance by it of the functions referred to in subsection (7) with regard to the processing of the personal data concerned.

(9) The Commissioner shall, at the request of the data protection authority of a designated state, perform his or her functions under subsection (1) and he or she shall furnish information to that authority with regard to the processing of the personal data the subject of the request.

(10) In this section “Commissioner” means Data Protection Commissioner.

Application of Data Protection Act 1988

8. The Data Protection Act 1988 , shall apply to the processing of personal data supplied or received under this Act and, for the purposes of the application of the Data Protection Act 1988 , references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to this Act or the provisions of this Act.

Duties of data controllers

9. (1) A data controller—

(a) shall, in relation to the processing of personal data supplied or received under this Act, comply with the technical specifications of an automated search under a European Union instrument or the Agreement, and

(b) shall ensure that the measures provide a level of security appropriate to—

(i) the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, or accidental alteration of, the data concerned, and

(ii) the nature of the data concerned.

(2) A data controller shall not use the inaccuracy of personal data received by him or her from a body in a designated state under a European Union instrument or the Agreement as a ground to avoid or reduce his or her liability to the data subject concerned as regards the duty of care owed to the data subject in relation to the collection by him or her of personal data or information intended for inclusion in such data or his or her dealing with such data.

(3) Where the Minister pays damages to a data subject where damage is caused to the data subject by reason of inaccurate data received by the national contact point in the State in relation to vehicle registration data from a body in a designated state under this Act, the Minster may seek a refund of the amount that he or she paid in damages to the data subject concerned from the body in the designated state concerned.

(4) Where a body in a designated state applies to the national contact point in the State in relation to vehicle registration data for a refund of damages paid by it, or on its behalf, on foot of a decision or finding of a court or other tribunal or the data protection authority of that designated state for damage caused to the data subject by reason of inaccurate data sent by the national contact point to that body under this Act, the Minister shall refund to the body in the designated state concerned the amount paid in damages by it, or on its behalf, to the data subject concerned.

Authorised officers

10. (1) The national contact point in the State may appoint in writing—

(a) a member of the Garda Síochána specified by rank or name, or

(b) an officer of the Minister specified by grade or name,

to be an authorised officer for vehicle registration data for the purposes of this Act.

(2) An appointment to be an authorised officer may be revoked in writing by the national contact point in the State.

(3) The national contact point in the State shall make available upon request a list of the names of authorised officers to the Data Protection Commissioner or to the national contact point of a designated state or the data protection authority of a designated state.

(4) Only an authorised officer may conduct automated searches of vehicle registration data for the purposes of this Act and Article 12 of the Council Decision.

Short title and commencement

11. (1) This Act may be cited as the Vehicle Registration Data (Automated Searching and Exchange) Act 2018.

(2) This Act shall come into operation on such day or days as the Minister may by order or orders appoint either generally or with reference to any particular purpose or provision and different days may be so appointed for different purposes or different provisions.

1 OJ No. L 210, 6.8.2008, p. 1

2 OJ No. L 210, 6.8.2008, p. 12

3 OJ No. L 353, 31.12.2009, p. 3