Data security

Data controllers must keep the data they control secure. The obligation to secure personal data is imposed upon the data controller by section 2(1)(d) of the Data Protection Acts, which provides that:

“…appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing…”

This obligation is fully discussed Chapter 11 of Privacy and Data protection Law in Ireland. Section 2C of the Data Protection Acts goes onto set out what that when determining their appropriate security measures data controllers:


…may have regard to the state of technological development and the cost of implementing the measures, and…shall ensure that the measures provide a level of security appropriate to…the harm that might result from unauthorised or unlawful processing, accidental or unlawful destruction or accidental loss of, or damage to, the data concerned, and…the nature of the data concerned


This essentially sets out the risk analysis to be undertaken when assessing the security measures to be taken. Section 2C goes onto set out the obligations that data controllers must imposed upon their employees and data processors. The Data Protection Commissioner provides data security guidance which outlines some of the issues that fall to be addressed.


Security breaches have created high profile issues for data controllers. Recent examples include Living Social, Snapchat, Bord Gais and Loyaltybuild.   The consequences of a security breach may be serious for both controller and subject. Controller’s responses to data breaches are discussed here. A subject may need to respond by checking whether their data has been compromised in any way; it may be wise to change passwords or other security information that has been compromised. A subject who believes that their data protection rights have been breached may complain to the Data Protection Commissioner; they may also sue for damages.

[twitter-follow screen_name=’ictlaw_com’]