The Data Protection Officer
As part of my series to unpack the Data Protection Act, it is instructive to demystify the ‘Data Protection Officer’. One of the challenges facing institutions is whether to appoint, or how to appoint, a ‘Data Protection Officer’. Section 24(1) of the Data Protection Act provides –
‘A data controller or data processor may designate or appoint a data protection officer on such terms and conditions as the data controller or data processor may determine…’
You will note that the provision is not couched in mandatory terms. Section 24 uses the phrase ‘may designate or appoint’. On a plain textual interpretation, this means that it is not a statutory obligation for a data controller or data processor to appoint a data protection officer. From my experience carrying out data governance audits, I would have preferred that the provision use the phrase ‘shall designate or appoint’. However, that is an argument for another day. By contrast, Article 37 of the European Union’s GDPR states –
‘The controller and the processor shall designate a data protection officer…’
Section 24 further states that the data protection officer is to be designated or appointed where –
(a) the processing is carried out by a public body or private body, except for courts acting in their judicial capacity;
(b) the core activities of the data controller or data processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects; or
(c) the core activities of the data controller or the data processor consist of processing of sensitive categories of personal data.
The above provision creates a dilemma: the data controller or data processor will need to carry out a data protection impact assessment to evaluate whether they fall into one of the above categories before deciding whether or not to designate or appoint a data protection officer. At the same time, it is the data protection officer who carries out the data protection impact assessment. It is a chicken and egg situation.
From the outset, my advice to any institution that undertakes considerable personal data processing is to appoint or designate a data protection officer. Notwithstanding the fact that the role is not mandated by statute, it will be a step towards compliance with the Data Protection Act, 2019. Section 24 provides options in the appointment or designation of a data protection officer. One, a data protection officer may be a staff member of the data controller or data processor and may fulfil other tasks and duties provided that any such tasks and duties do not result in a conflict of interest. Two, a group of entities may appoint a single data protection officer provided that such officer is accessible by each entity. Three, where a data controller or a data processor is a public body, a single data protection officer may be designated for several such public bodies, taking into account their organisational structures.
While the Data Protection Act does not make it mandatory to appoint or designate a data protection officer, Section 24(6) states that – ‘A data controller or data processor shall publish the contact details of the data protection officer on the website and communicate them to the Data Commissioner who shall ensure that the same information is available on the official website.’ What this means is that once the data controller or processor designates or appoints a data protection officer, they have a statutory responsibility to publish the officer’s contact details and inform the Data Commissioner. I find the phrasing of Section 24 problematic; however, once appointed, the Data Commissioner will perhaps provide clarity on the application of this provision.
On qualifications of the data protection officer, Section 24(5) provides that a person may be designated or appointed as a data protection officer if that person has relevant academic or professional qualifications, which may include knowledge and technical skills in matters relating to data protection. In many situations, the data protection officer is an IT security professional or a data expert with a legal background. However, it is up to the data controller or data processor to evaluate whether the person they wish to appoint or designate has practical knowledge and experience in data governance within a legally regulated environment.
Once appointed, the data protection officer will have the following duties: one, to advise the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law. Two, to ensure, on behalf of the data controller or data processor, that the Act is complied with. Three, to facilitate capacity building of staff involved in data processing operations. Four, to provide advice on data protection impact assessments. Five, to co-operate with the Data Commissioner and any other authority on matters relating to data protection.
As we await the appointment of the Data Commissioner, it is key that institutions engaged in considerable personal data processing start the process of appointing or designating their data protection officers.