Data Protection Commissioner
Data Protection Commissioner

An Garda Síochána: Failure to respond to an access request on time

I received a complaint in July 2005 that An Garda Síochána had failed to satisfy a data subject's request under Section 4 of the Data Protection Acts for access to his personal data.

My Office commenced an investigation which lasted for a period of some eleven months. We established that An Garda Síochána initially provided the data subject with personal data which it had identified from a search of the PULSE database and of manual files held in the Dublin Metropolitan Region South Central area. The data subject was concerned that the search had been restricted and he requested that all databases and relevant filing systems held by the Gardaí should be searched for his personal data. The Gardaí subsequently informed the data subject that a search of archived files had been conducted and that the personal data which he had sought had been located. They explained that the reason this data had not been located during the initial search was because the file had been archived prior to the introduction of the PULSE system. Over the following months, An Garda Síochána released portions of the personal records to the data subject. As part of my investigation of this complaint, I directed my staff to examine all the records and portions of records initially withheld by the Gardaí, pursuant to the Acts. As a consequence of this examination, and a further voluntary release of records to the data subject in June 2006 by the Gardaí following the provision of advice from my Office, I was satisfied that the data subject had received access pursuant to his rights under the Acts.

The fact remains that it took some twelve months from the initial access request before the data subject achieved his full entitlements under the Acts. Section 4(1)(a) of the Acts provides for a maximum response time of forty days to an access request. In this regard, the Gardaí apologised for the delay which they indicated was due in part to a delay in locating the relevant file in the Garda District in which the data subject resides. The data subject requested a formal decision from me in relation to his complaint pursuant to Section 10(1)(b) of the Acts. My decision found that An Garda Síochána had, indeed, contravened Section 4(1)(a) of the Acts in respect of the delay in complying with the data subject's access request. In that decision I stated that "I cannot accept that a delay of this magnitude is acceptable for a body such as the Gardaí which has a responsibility to ensure it fully meets its obligations under the Acts especially given the level of sensitive data that it holds." In all other respects, I found that the Gardaí had complied with their obligations under the Acts and that the data subject had obtained his access rights. Finally, I considered that the Gardaí should develop a clear policy on data retention and apply for the necessary authorisation to dispose of records that are no longer necessary for operational Garda purposes.

This case highlights the fact that no data controller can consider itself as not bound by the obligations of the Acts. The right of access is an important and fundamental right which every living individual in this State is entitled to exercise in the expectation that data controllers will comply within the forty day time limit.