Home Knowledge Data Protection Implications of the New Fitness and Probity Regime

Data Protection Implications of the New Fitness and Probity Regime

February 29, 2012
Consultant
John Larkin
Partner
Leo Moore

The Central Bank of Ireland’s revised fitness and probity regime may trigger a new registration requirement for certain companies in the (re)insurance sector with the Office of the Data Protection Commissioner (“ODPC”).  Those companies that are already registered may need to revise existing registrations.

Insurance companies and most reinsurance companies are already required to register with the ODPC as data controllers. Other companies operating as data processors in the insurance sector (such as brokers, claims handlers, administrators and other service providers) are already required to register with the ODPC as data processors. It is primarily in relation to the latter category (i.e. the data processors) where the new registration requirement arises, though reinsurance companies not previously registered will now need to reconsider the matter.

Companies previously registered only as data processors (in respect of data they process on behalf of insurance companies such as details of insured persons and their claims), and reinsurance companies that are not yet registered as data controllers, will now also need to register as data controllers.  This registration will be in respect of the personal data of directors, managers and other employees that they control, process and store for the purpose of complying with the new fitness and probity regime. The ODPC has clarified that a previous registration exemption relating to HR data processed in the ordinary course of personnel administration does not apply to data being processed for the revised fitness and probity regime.

For those that are already registered, a review of their data protection registration should be conducted.  This review should ensure that their register entry reflects the data now processed and the new purpose for such processing.

All companies processing personal information for the purposes of compliance with the revised fitness and probity regime should bear in mind that the normal data protection rules will still apply to the collection and processing of such data. Businesses should be careful to process only those data which are necessary for the purposes of complying with the regime.  They should also ensure that all technical and organisational security measures for the protection of personal data are subject to ongoing review.

Contributed by John Magee. 

Recommended Insights

See all
Article and Insights
1
Feb 2024
Responsible Business Annual Report 2023
William Fry is pleased to launch its Responsible Business Annual Report 2023.
Article and Insights
2
Feb 2024
Digital Operational Resilience Act – second batch of technical standards launched for consultation
We focus on the second batch of draft implementation measures announced by the Eur...
WF_author_blank
Partner
John O’Connor
Article and Insights
2
Feb 2024
John Delaney Documents – Supreme Court Refuses Leave to Appeal
The Supreme Court has refused leave to appeal from a decision rejecting John Delan...
WF_author_blank
Partner
Deirdre O’Donovan
Article and Insights
24
Jan 2024
Cross-Examining Affidavit Evidence in Insolvency Cases
The High Court recently dismissed a petition seeking the winding up of a biofuel c...
WF_author_blank
Partner
Fergus Doorly
prev
next
See all