Gardai- Inappropriate data on “Pulse system” -data deleted when access request received- not fair to person- could frustrate the provisions of the Act

A person contacted my Office as she believed that An Garda Síochána were holding data about her on their “PULSE” database which was untrue. The complainant had made an access request to An Garda Síochána under section 4 of the Act but she did not believe that this request had been complied with as she believed that certain details had not been furnished to her.

I raised the matter with An Garda Síochána, which cooperated fully with my enquiry. I asked them to confirm if an entry had been made on the PULSE system about the complainant and if so,

1 had it existed on the date on which the access request was made?

2 why had it not been released to the complainant in response to the access request?

3 did the entry still exist?

4 if the entry no longer existed, when had it been deleted and what had been the circumstances of the deletion?

An Garda Síochána responded that following receipt of the access request from the data subject, a search was carried out of the databases on PULSE for relevant personal data. In addition to the data supplied in their response to the access request, they said that the search also revealed a comment relating to the data subject. On examination of the comment, An Garda Síochána stated that a decision was taken by them that the comment was inappropriate and it was therefore deleted. I noted this response and I informed An Garda Síochána that I could well understand -indeed accept - why they decided to delete the information, whichthey considered to be inappropriate. However, I pointed out that once an access request is made, then any personal data on the system on the date of receipt of the request has to be supplied in line with section 4(1) of the Act. Under section 4(5), it is not permissible to delete or edit data following receipt of an access request - only up dating of data which would have taken place in the normal course is permissible.

In the circumstances, I found that An Garda Síochána should have supplied the data in question to the data subject but they should have outlined that, on examining it, they had decided to delete it as they considered it to be inappropriate and not in line with the provisions of section 2 of the Act which requires data to be accurate and up to date. In essence, what this means is that once a subject access request is received, the subject access request power under section 4 is not to be frustrated by using the power under section 2 for the deletion of inaccurate data. Information should only be recorded if it is of operational significance, on the basis of a judgement that the information is likely to be of assistance to An Garda Síochána in the exercise of its lawful functions. Recording of data on a system should be accurate and informed but not inappropriate. Any information thatdoes not reach this standard mustbe considered irrelevant and/or excessive, and should form no part of Garda records.

I recognise that in the Garda area recording of information and opinion is vital for the prevention, detection and investigation of crime and that they may have concerns that access requests could frustrate their work. However, section 5 of theAct provides for restrictions on the right of access to personal data in certain cases (for example, where access could prejudice the prevention, detection or investigation of crime) and this provides adequate cover to ensure that their work is not hindered.

Accordingly, I requested that they revise their procedures to ensure that section 4 requests are fully complied with and that a similar type situation cannot arise in future.This I am glad to report has been acted on and it seems to have been an isolated though highly important case.