Skip to Main Content

Academic Integrity: Data Protection

Ethics in Using Information

What is Data Protection?

"Data protection is about your fundamental right to privacy" (Data Protection Commissioner).

Individuals have a right to privacy and this means that access to personal data about living individuals must be regulated.

The Law

Data Protection Act 1988 Revised Act updated to 2 September 2019 (Law Reform Commission)

The office of the Data Protection Commissioner was established under the 1988 Act. The commissioner upholds the rights of individuals.

"Individuals who feel their rights are being infringed can complain to the Commissioner, who will investigate the matter and take whatever steps may be necessary to resolve it."

Data Protection Act 2018 Revised Act updated to 27 January 2020 (Law Reform Commission)

The Data Protection Commission was established under the 2018 Act and it gave further effect to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 1 on the protection of natural persons with regard to the processing of personal data.

European Legislation

Directive 2002/58/EC "ePrivacy Directive"

Directive 2006/24/EC (Amendment)

Directive 2009/136/EC (Amendment)

Directives above deal with Data Protection for phone, email, SMS and Internet.

EU Directive was brought into force in Ireland by ePrivacy Regulations 2011   

(SI 336 of 2011)

Directive 2016/680  "Law Enforcement Directive" GDPR (transposed into Irish Law by Data Protection Act 2018)


General Data Protection Regulation (GDPR) 2016/679

"...the most important change in data privacy regulation in 20yrs..."

Came into force 24 May 2018 (applied from 25 May)

Final Version of Regulation 2016/679

Primary Data

What is it?

Data you measure, collect or record, for your research using methods like interviews, surveys or focus groups.

You are required to obtain explicit consent from your data subjects to use this data in your research as well as for any future research in any related field.

Secondary Data

What is it?

Data already measured, recorded or collected by someone else such as census information or information from journals.

If you are using this data, you must make sure that you can use it for your specific purpose.

Sensitive Information

Sensitive data is normally personal information about a living person. This information can be concerning their health, race, religion etc. How sensitive the information is can often depend on the context.  The main issue is making sure that the person isn't identifiable. If you refer to a 92 year old man in a small town, it is likely that everyone will know who he is.  You must take steps to ensure that the information is secure as it is no defence to say that it was an accident. See the Lindqvist case (2003)

Storage & Retention

  • Keep it only for specific purpose
  • Keep it safe & secure
  • Keep it only as long as needed
  • Easily accessible as the person concerned has a right to see what you have in relation to them
  • Information is confidential so anonymise if using it

Exporting Data & Cloud Computing

Different laws apply in different jurisdictions.  Some countries do not protect data as stringently as others so you must be careful if exporting it.  Consent of the data subject is required prior to data export. Where is your data stored?

EU Law governs export within the European Union and the European Economic Area (EU + Norway, Iceland, Liechtenstein) 

Outside the European Economic Area - you must be careful.

The United States is governed by the EU-US Privacy Shield.  However, this has been challenged successfully by the Data Protection Commission in the Court of Justice of the EU.

"... to secure a decisive statement of position from the CJEU in relation to the key issues of principle at stake when an EU citizen’s personal data is transferred to the United States.

Today’s judgment provides just that, firmly endorsing the substance of the concerns expressed by the DPC (and by the Irish High Court) to the effect that EU citizens do not enjoy the level of protection demanded by EU law when their data is transferred to the United States."