Data Protection Commissioner
Data Protection Commissioner

CASE STUDY 1/00

An Garda Síochána – subject access request – time limit for response – accuracy of personal data – excessive and irrelevant personal data – date of birth

An individual wrote to An Garda Síochána seeking access under the Data Protection Act to all personal information held about him on computer. He gave his full name and address, and enclosed a postal order for ?5.00 (the maximum fee payable for an access request). An Garda Síochána wrote back to him requesting him to specify which databases were to be checked, and requesting that he provide additional details including date of birth. In reply, the individual confirmed that all databases were to be searched, but he declined to provide further personal data, as he felt that An Garda Síochána had sufficient details to identify him. After further correspondence between both sides, the individual specified three particular databases which were to be searched, he provided his date of birth, and eventually he received a copy of the relevant records from the Criminal Records Database maintained by An Garda Síochána. The records related to a road traffic conviction in the District Court, including a record of the sentence imposed. The individual complained to me on two main grounds:

(i) the delay in responding to his access request, and

(ii) inaccuracy of the personal data held by An Garda Síochána.

On the latter point, the individual established that the details relating to the sentence imposed upon him by the District Court were incorrect. Moreover, his conviction at the District Court had in fact been appealed to the Circuit Court, and, while the conviction had been upheld, the sentence had been varied. These facts were not reflected in the record maintained by An Garda Síochána. When these facts were brought to the attention of An Garda Síochána, prompt action was taken to append the relevant Circuit Court details to the existing District Court data.

The complainant was not happy with this Garda response. He argued that the details relating to the District Court conviction should be deleted from his Garda record, since this conviction had been appealed and was therefore not a valid conviction. The complainant argued that the conviction in respect of which he was required to pay a fine took place at the Circuit Court, not the District Court, and accordingly the recording of information about his District Court hearing was "excessive" and "irrelevant", contrary to section 2 of the Data Protection Act, 1988.

I did not accept the complainant's reasoning on this point. In accordance with the provisions of the Courts Acts and Courts of Justice Acts, an appeal from a lower court to a higher court enables the higher court to either affirm or to reverse, in whole or in part, the conviction applied by the lower court, and to vary the penalty or sentence imposed by the lower court, as the case may be. Accordingly, I did not accept the complainant's contention that his conviction before the District Court was not valid. In fact, the conviction of the District Court had been affirmed by the Circuit Court, although the original penalty and expenses imposed upon the complainant as a result of this conviction had been varied by the Circuit Court.

In light of this finding, I considered it appropriate for An Garda Síochána to record full and accurate particulars in relation to that conviction on its Criminal Records Database, provided that the outcome of the appeal hearing was also accurately recorded. However, I upheld the complaint that the information kept on the database had been inaccurate at the time An Garda Síochána responded to the access request. In my Decision on this matter, I noted that the details held on the Criminal Records Database are of a unique and particularly sensitive nature, and have the potential to reflect upon an individual's personal character in a profound manner; and the care taken over the accuracy of records on this database should be set at an appropriately high level.

As regards the length of time taken to respond to the access request, I noted that An Garda Síochána responded to the access request within the statutory maximum period of 40 days from the time of receiving the details they had requested from the complainant, and accordingly I did not uphold this element of the complaint. It should be noted that the 40-day period does not always start at the time the individual first writes to a data controller. If the data controller has doubts about the identity of the requester, or has insufficient details to locate the necessary records, then it is entitled to revert to the data subject seeking clarification on these points.

Some points that were made clear in the context of this complaint were the following:

  • As a general rule, where a data controller has two or more databases, it must treat a subject access request as relating to all of these databases, unless the requester indicates otherwise. A data controller cannot delay the processing of a request simply to seek specification of which database is to be searched. An exception to this general rule arises when a data controller opts to have separate register entries in respect of distinct databases (as provided under section 17(1)(b) of the Act). In such cases, requesters may be asked to specify which of the registered databases are to be searched, and may be asked to pay a separate fee for each one.
  • Where an individual wishes all databases to be searched, he or she must provide all of the information necessary for the searches to proceed. While I do not accept that a requester's date of birth is routinely needed to establish his or her identity in all cases, I do accept that the date of birth may be helpful in verifying identity in cases of doubt, and that it may be necessary to enable searches to proceed upon large databases which are searchable according to name and date of birth. The date of birth may also be necessary to distinguish individuals of similar name.