The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will replace the existing data protection laws in all EU member states. The GDPR is designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. Although many of the provisions of the GDPR are broadly similar to those contained in the existing data protection framework, there are a number of new and more onerous requirements contained in the regulation. In early 2017 the HPRA commenced a project to examine its data protection policies, procedures and controls to identify any gaps that need to be addressed. This project is continuing and will ensure that the HPRA is compliant when the GDPR comes into effect.
What is Data Protection?
Data protection is about ensuring that people’s personal data is collected, stored and processed safely. Data protection legislation has been put in place to ensure that individuals have privacy rights concerning their personal data. The HPRA, as a data controller, must adhere to the eight rules of data protection, which apply whether the information is held on computer or in a manual form.
• Obtain and process information fairly
• Keep it only for one or more specified and lawful purposes
• Process it only in ways compatible with the purposes for which it was given initially
• Keep it safe and secure
• Keep it accurate and up-to-date
• Ensure that it is adequate, relevant and not excessive
• Retain it for no longer than is necessary for the specified purpose or purposes
• Give a copy of his/her personal data to any individual on request.
What is the difference between Data Protection and Freedom of Information?
The Data Protection Acts 1988 and 2003 provide rights of access similar to those under the Freedom of Information Acts, the main difference being that the Data Protection Acts do not apply to records of deceased persons. As with the Freedom of Information Acts, these rights extend to your own personal records.
There are exemptions provided for in the Acts. This means that there are specific circumstances when the requested information will not be released. If any of these exemptions are used to withhold information, the reasons will be clearly explained to you.
When to use the Data Protection Acts?
You may use either the Freedom of Information Acts or the Data Protection Acts to access personal information held by public bodies. However, the Data Protection Acts apply only to your own personal information. To make an access request for your personal information under the Data Protection Acts 1988 and 2003, please submit your request in writing to:
Data Protection Officer
Health Products Regulatory Authority
Kevin O’Malley House,
Tel: +353 (1) 6764971
Fax: +353 (1) 6767836
Please ensure that you describe the records you seek in the greatest detail possible to enable us to identify the relevant records.
An individual can get a copy of his/her data by making a request either under Section 3 or Section 4 of the Data Protection Acts. Under Section 3, an individual has the right to be informed as to whether the HPRA holds information about him/her and to be given a description of the data together with details of the purposes for which their data are being kept. Any individual requesting his/her details must do so in writing and the HPRA must confirm within 21 days if data is held and, if so, the description of the data and the purposes for which they are kept. Under Section 4, individuals are entitled to a copy of their personal data within 40 days.
Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter.
You are also entitled to rectify or delete the personal information the HPRA holds about you. In order to erase/change your personal information, please submit your request in writing to the address above.
What types of information does the HPRA hold?
The types of personal information held by the HPRA, the use it makes of such personal information, and the organisations to which it may disclose this information are found on the Data Protection Commissioner's website. This list is updated on an annual basis as part of the HPRA’s registration with the Data Protection Commissioner.