Central Policy Unit - Notice No. 23
1. Introduction
This Notice has been prepared by the FOI Central Policy Unit of the Department of Finance in consultation with the Office of the Data Protection Commissioner and the Office of the Information Commissioner by reference to section 1(5) of the Data Protection (DP) Act 1988 and section 7(7) of the Freedom of Information (FOI) Act 1997. Its purposes are
(i) to outline provisions governing rights of access to personal information/data under the Freedom of Information and Data Protection Acts and
(ii) to outline procedural arrangements which public bodies can follow when dealing with requests for access by individuals to their own personal information / personal data under those Acts.
This notice does not seek to provide an interpretation of either Freedom of Information or Data Protection legislation. Readers should refer to the Freedom of Information website (www.foi.gov.ie) or the Data Protection Commissioner website (www.dataprotection.ie) for more information on the respective Acts. The procedural arrangements set out in section 3 of this notice are intended as a guide for public bodies in harmonising their approach to granting access to personal information/personal data under the two Acts.
2. Legislation
Section 1(5) of the Data Protection Act 1988 and 2003 provides that:-
(a) A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997,
(b) The Commissioner and Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other.
Section 7(7) of the FOI Act imposes a duty on public bodies to assist people who request information or access to a record from a public body otherwise than under FOI. Where it is not possible to provide the information other than under FOI, the public body must advise the person of their right of access and must assist them in making their FOI request.
The FOI Act provides, with very few exceptions, for a right of access to a record held by, or under the control of, a public body. Section 28 of the Act provides an exemption in respect of access to personal information, subject to a number of exceptions, including where the personal information concerned relates to the person making the FOI request. This means that one's own personal information will very often be released under FOI.
Data subjects have a right of access to their personal data held on computer under section 4 of the Data Protection Act 1988. The Data Protection (Amendment) Act 2003 extended this right so that it now includes both automated data and manual data in a "relevant filing system". The Act amends and extends the Data Protection Act 1988 by imposing extra obligations on data controllers, as well as extending the rights of data subjects and creating new powers and functions for the Data Protection Commissioner. In general the increased obligations on data controllers require higher standards in regard to fair obtaining and transparency in processing of personal data, the definition of which is extended to cover certain manual data.
The extension of this right of access to personal data held manually means that bodies who receive an access request now have to look at the Freedom of Inforamtion Act as well as the Data Protection Acts (which now cover manual (paper) files in addition to computer files.
In summary, the position is that one's own personal information will very often be released under FOI, while under the Data Protection Acts there is a presumption in favour of access to one's own personal data.
3. Procedural Arrangements
Where a request is made to a public body by, or behalf of, a person seeking access to their own personal information under the Freedom of Information Act, this request should also be taken as a request under the Data Protection Acts. This is because a valid Data Protection request does not need to refer to the Data Protection Act. The right exists subject only to the individual supplying such information as is reasonably reuired to identify the individual and to locate any relevant personal data or information. Notwithstanding this, the request may still be processed by the public body in accordance with the Act under which it was received (i.e. under either the Data Protection or Freedom of Information Act) and if the decision is to grant access in full, there is no necessity to mention the other Act in the decision issued to the requester.
As stated above, one's own personal information will very often be released under FOI while under the Data Protection Acts, there is presumption in favour of access to one's own personal information. If a public body considers that the release of records/data is exempt under one Act, their possible release under the other Act should be considered as a separate exercise. The respective time periods under the relevant Acts runs from the date of receipt of the request.
So, for example, if a body is considering refusal of access under the Freedom of Information Act, it should check that such refusal is permitted under the Data Protection Acts and vice versa.
A decision on the request should be issued within the most favourable time-scale provided for by law (usually that under FOI). The obligation in section 4 of the Data Protection Act that the individual be provided with information on how an organisation uses personal data is met by the FOI manual that each public sector organisation [each public body subject to FOI] must produce; it should be referred to in the decision on the access request.
If the decision is to refuse an individual access to some or all of her/his personal information, the decision letter should refer to the individual's tight to internal review under the FOI Acts and to the right to complain to the Data Protection Commissioner under the Data Protection Acts.
4. Access to personal information relating to third parties
Personal information is exempt from disclosure to third parties under the FOI Acts, subject to a number of exceptions and is generally prohibited under DP legislation. The nature of the restrictions and prohibitions reflect, in part, the difference in focus as between the two pieces of legislation. The purpose of the FOI Act is to enable members of the public to obtain access to records held by public bodies to the greatest extent possible consistent with the public interest and the right to privacy. However, under data protection, protection of the individual's privacy is paramount, and there is no general "public interest" test which could override this right by permitting release of an individual's information to anyone other than that individual save where consent to such release has been given or can be implied.
The exemption from disclosure to third parties under the FOI Acts is subject to a number of exceptions, as stated above. These exceptions include where the public interest in disclosure outweighs the individual's right to privacy, where the person to whom the information relates has consented to the release, release in certain circumstances to a parent/guardian of personal information relating to a minor or a person with a disability which renders him/her incapable of exercising his/her rights under the Act, release in certain circumstances of personal information relating to a deceased person and where disclosure would benefit the person to whom the information relates.
Under section 4 of the DP Act 1988, an individual may request access to information constituting any personal data of which that individual is the data subject. When providing the requester's data in response to an access request, a data controller is not obliged to disclose personal data relating to an individual other than the requester unless that other individual has consented to the disclosure. Alternatively, the data controller is obliged to disclose so much of the information as can be supplied without identifying the other individual, e.g. by omitting names or other identifying particulars.
It should be noted that while the FOI Act defines personal information as information about an identifiable individual whether living or deceased, the DP Acts only apply to data relating to living individuals.
A guide to "Access to Personal Data/Personal Information for Data Protection and FOI" is attached as an Appendix to this Notice. More detailed information can be accessed on the websites www.foi.gov.ie , www.oic.ie and www.dataprotection.ie
December, 2006
Access to Personal Data / Personal Information
Data Protection and FOI
|
DATA PROTECTION Procedural aspects Form of Request · s.4 "if he or she so requests a data controller by notice in writing" · no need to refer to DPA Fee payable · Fee payable: max. 6.35 (prescribed) · refundable in certain circumstances Details to be supplied by requester · Must supply sufficient information to enable data controller to (i) be satisfied as to identity of requester and (ii) locate relevant data or information Time for reply · No requirement to acknowledge · Substantive reply not more than 40 days after compliance by requester with the terms of s.4 Scope of request Definition of "personal data" · Data relating to a living individual who can be identified (i) from the data or (ii) from the data together with other information in, or likely to come into, the possession of the data controller · "Data" includes automated data and manual data (data which is part of a structured filing system) · Records made in the course of the duties of an employee of a public body may not necessarily be personal data of that individual employee · Data may not be amended subsequent to access request and prior to compliance with request, unless it would have been amended irrespective of the request · Access to information on sources of personal data, except where contrary to public interest Data relating to third parties · s.4(4) A data controller is not obliged to disclose personal data relating to another individual unless that other individual has consented to the disclosure but the data controller is obliged to disclose so much of the information as can be supplied without identifying the other individual · s.4(4A)Data controller can disclose to data subject expressions of opinion by third party without that party's consent, unless opinion given in confidence Refusal of request · S.4(7) - Refusal must be in writing stating reasons and informing of right to complain to Data Protection Commissioner Right of Appeal against a refusal · s.10 - Complain directly to DPC · s.26 - Decision of DPC may be appealed to Circuit Court · Further appeal on point of law to High Court and Supreme Court Access To Health & Social Work data · s.4(8) - Ministerial regulations for (i) physical and mental health and (ii) social work data · health data (S.I. No: 82 of 1989): direct access, but data must be withheld if access would be likely to cause serious harm to the physical or mental health of the data subject. Obligation to consult "appropriate health professional". · social work data (S.I. No.83 of 1989): direct access, but must be withheld if access would be likely to cause serious harm to the physical or mental health or emotional condition of the data subject. · As much data as possible must be released in any event Access to Personal Data relating to minors etc · No express entitlement to exercise right of access on behalf of minors or persons unable to exercise their right · Section 8(h) allows disclosure to someone acting on behalf of the data subject parents/guardians may be able to use this but disclosure is at the discretion of the data controller on case by case basis Access to Personal Data of deceased persons · DPA only applies to data relating to living individuals. Exemptions to right of access Section 1(4) personal data outside scope of DPA · in opinion of Minister for Justice Equality and Law Reform or Minister for Defence are or were kept for safeguarding security of the State · information required by law to be made available by the data controller to the public · kept by an individual and concerned only with his or her personal, family or household affairs, or only for recreational purposes Section 5 data exempt from right of access · kept for the purpose of preventing detecting or investigating offences, apprehending or prosecuting offenders, or for assessing or collecting taxes, duties etc, in any case where it would prejudice any such matter · kept for a statutory purpose or function and obtained from a person covered under the previous paragraph · where providing access would prejudice maintenance of good order in a prison · where it would prejudice certain investigatory functions relating to protecting public against financial loss · where it would be contrary to interests of protecting international relations of the State · where providing access would prejudice interests of data controller regarding liability for damages · where a claim of legal professional privilege would apply regarding communications between a client and professional legal advisers · kept by the DPC or IC for the purpose of his or her functions · where data are kept only for statistical or research purposes and not disclosed in a form that identifies any of the data subjects · back-up data |
FOI Procedural aspects Form of Request · s7 "in writing or in such other form as may be determined" · must refer to FOIA Fee payable · There is no fee payable for access to records containing only the personal information of the requester. Where the request is for records containing both personal and non-personal information a fee of 15 for the initial request, 75 for an internal review and 150 for an appeal to the Information Commissioner will apply. Reduced fees are payable by those with medical cards. Details to be supplied by requester · must supply sufficient details about the information concerned to enable the record to be identified by the taking of reasonable steps · particular form of access may be specified
Time for reply |
» Permanent Link
