Under section 4 of the Data Protection Acts, on making a written request to you any individual about whom you keep personal information on computer or in a relevant filing system is entitled to:
 
 (a) a copy of the data,
 (b) a description of the purposes for which it is held,
 (c) a description of those to whom the data may be disclosed and
 (d) the source of the data unless this would be contrary to public interest

You are also obliged to explain to the data subject the logic used in any automated decision making process where the decision significantly affects the individual and the decision is solely based on the automated process. This "right of access" is subject to a limited number of exceptions, which are listed below.

An individual making an access request must:-

• apply to you in writing,
• give any details which might be needed to help you identify him or her and locate all the information you may keep about him/her (e.g., previous addresses, customer account numbers).
• The individual must also pay you an access fee if you wish to charge one. You do not need to do so, but if you do it cannot exceed €6.35.

Every individual about whom a data controller keeps personal information on computer or in a relevant filing system, has a number of other rights under the Acts, in addition to the Right of Access. These include the right to have any inaccurate information rectified or erased, to have personal data taken off a direct marketing or direct mailing list and the right to complain to the Data Protection Commissioner. More details about the rights of individuals are given in the section of our website aimed at data subjects - click the link below.

What must YOU do in response to an access request?

• Supply the information to the individual within 40 days of receiving the request. Note that, having received the access request, you cannot change or delete the personal data which you hold just because you do not wish the data subject to see it.
• Provide the information in a form which will be clear to the ordinary person (e.g., any codes must be explained).
• Ensure that you give personal information only to the individual concerned (or someone acting on his or her behalf and with their authority). For instance, you normally would not provide such information by phone.

If you do not keep any information on computer or in a relevant filing system about the individual making the request you should tell them so within the 40 days.

You are not obliged to refund any fee you may have charged for dealing with the access request should you find you do not, in fact, keep any data. However, the fee must be refunded if you do not comply with the request, or if you have to rectify, supplement or erase the personal data concerned.

Are there exceptions or limitations on the right of access to personal data?

Yes there are. The restrictions upon the right of access fall into five groups:

• Section 5 of the Data Protection Act provides that the right of access does not apply in a number of cases, in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand, such as the need to investigate crime effectively, and the need to protect the international relations of the State.
• The right of access to medical data and social workers’ data is also restricted in some very limited circumstances, to protect the individual from hearing anything about himself or herself which might cause serious harm to his or her physical or mental health or emotional well-being.
• The right of access to examination results is modified slightly.
• The right of access does not include a right to see personal data about another individual, without that other person’s consent. This is necessary to protect the privacy rights of the other person. Where personal data consists of expressions of opinion about the data subject by another person, the data subject has a right to that expression of opinion except where that expression of opinion was given in confidence.
• The obligation to comply with an access request does not apply where it is impossible for the data controller to provide the data or where it involves a disproportionate effort.

Some Case Studies relevant to this topic:

The following Case Studies, which have appeared in Annual Reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

CASE STUDY 2/05 - Life assurance company and medical reports - access denied

CASE STUDY 3/05 - Access request - legal advice that it should not be granted because of High Court proceedings

CASE STUDY 4/03 - Change of Medical Practitioner - access to medical files

CASE STUDY 1/00 - An Garda Síochána - subject access request - time limit for response - accuracy of personal data - excessive and irrelevant personal data - date of birth

CASE STUDY 3/00 - Mobile telephone company - subject access request - commercially sensitive information

CASE STUDY 4/99 — State agency - subject access request - whether word-processed documents retained on computer constitute "data"

CASE STUDY 3/97 — Employees sought access to consultants’ study

CASE STUDY 10/96 — Access request to a public sector data controller – applicant complained that response was defective –inspection of data controller’s computer records