25 October 2010

Client Newsletter Autumn 2010 – Regulatory & Compliance

Dillon Eustace

Contributor

Dillon Eustace is one of Ireland’s leading law firms focusing on financial services, banking and capital markets, corporate and M&A, litigation and dispute resolution, insurance, real estate and taxation. Headquartered in Dublin, Ireland, the firm’s international practice has seen it establish offices in Tokyo (2000), New York (2009) and the Cayman Islands (2012).

In this Issue:-

  • Central Bank Reform Act 2010
  • Data Protection - New Standard Contractual Clauses
  • Data Security Breach Code of Practice

CENTRAL BANK REFORM ACT, 2010 – UPDATE

On 29 September, 2010 the Minister for Finance, Mr Brian Lenihan, TD, signed a Commencement Order bringing the Central Bank Reform Act, 2010 ("the Act") into law with effect from 1 October, 2010.

The Act is the first of a three-stage legislative process to create a new fully-integrated structure for financial regulation.

A second Bill, to be published during the autumn legislative session, will enhance the powers and functions of the restructured Central Bank in relation to:

  • the prudential supervision of individual financial institutions;
  • the conduct of business, including the protection of consumer interest; and
  • the overall stability of the financial system.

A third Bill will consolidate the existing statutory arrangements for the Central Bank and financial regulation in the State.

The Act creates a single, fully-integrated Central Bank of Ireland with a unitary Board, the Central Bank Commission, which is chaired by the Governor of the Bank. The Irish Financial Services Regulatory Authority is being dissolved and most of its existing functions merged into the new structure. The Act also provides for:

  • the application of a fitness and probity regime to those occupying key positions within financial service providers; and
  • a relaxation of the lending limits set out in section 35 of the Credit Union Act, 1997 in an effort to facilitate borrowers who have run into difficulties in repaying their loans and need to have them rescheduled to allow for repayment over a longer period of time. The new lending limits are accompanied by measures to balance the increased flexibility in relation to rescheduling.

Certain provisions of the Act are not being commenced at this stage.

DATA PROTECTION - NEW STANDARD CONTRACTUAL CLAUSES

The EU Commission has approved new standard contractual clauses on the transfer of data to data processors established in third countries. The difference between the new clauses and the previous clauses is that the new clauses provide for the onward appointment of sub-processors by data processors in third countries. This is a welcome development in the area of data protection. The new clauses came into force on 15 May, 2010.

For further details please contact David Nolan in Dillon Eustace.

DATA SECURITY BREACH CODE OF PRACTICE

In July 2010 the Data Protection Commissioner approved the Personal Data Security Breach Code of Practice ("the Code") under Section 13 (2) (b) of the Data Protection Acts, 1988 and 2003.

In summary the Code, which is available on the Commissioner's website, states that where there is a loss of control of personal data by a data controller it must be reported to the Commissioner within two working days of the data controller becoming aware of the incident, except in a limited number of circumstances.

The exceptional circumstances include –

  • where the data has been securely encrypted;
  • where the incident has been reported without delay to the affected data subject(s), the loss of personal data affects fewer than 100 data subjects, and it does not include sensitive personal data or personal financial data that could be used to carry out identity theft.

Data controllers, subject to the reporting requirements, must provide a detailed report of the incident setting out:

  • the amount and nature of the personal data that has been compromised;
  • what action is being taken to secure and / or recover the personal data that has been compromised;
  • what actions are being taken to inform those affected by the incident or reasons for the decision not to do so;
  • what actions (if any) are being taken to limit damage or distress to those affected by the incident;
  • a chronology of the events leading up to the disclosure and details of the measures being undertaken to prevent repetition of the incident.

All incidents of loss of control of personal data in manual or electronic form by a data processor must be reported to the relevant data controller as soon as the data processor becomes aware of the incident.

The Code applies to all categories of data controllers and data processors to which the Data Protection Acts, 1988 and 2003 apply.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
