Data Protection Commissioner
Data Protection Commissioner

Frequently Asked Questions - FAQ

2. Right of access / right of rectification

 

2.1 How can I see what information a body or company holds about me?

 

Under section 4 of the Data Protection Acts, 1988 and 2003, you have a right to obtain a copy, clearly explained, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation. All you need to do is write to the organisation or entity concerned and ask for it under the Data Protection Acts.
Your request could read as follows:

Dear ...
I wish to make an access request under Section 4 of the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form in relation to (fill in as much information as possible to assist the organisations to locate the data that you are interested in accessing e.g. customer account number, staff number, or PPS number (if you are writing to a public sector organisation such as the Revenue Commissioners or the Department of Social Protection). 

When requesting some types of record, such as credit history or Garda records, it may also be useful to provide a list of previous addresses, previous names and your date of birth. You may be asked to pay a fee, but this cannot exceed €6.35.
Once you have made your request, and paid any appropriate fee, you must be given the information within 40 days (most organisations manage to reply much sooner).

 

 

2.2 How long does an organisation have to respond to my access request?

 

According to the Act, an access request must be responded to within 40 days from the date you make the access request. Until 40 days are up, we cannot investigate this matter. If you receive no reply or are unhappy with the response, at that stage you can submit a complaint to this office.

 

2.3 Are there any exceptions to the right of access?

 


Yes. Sections 4 & 5 of the Data Protection Acts set out a small number of circumstances in which your right to see your personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand.

For example, a criminal suspect does not have a right to see the information held about him by An Garda Síochána, where that would impede a criminal investigation.  Similarly, you do not have a right to see communications between a lawyer and his or her client, where that communication would be subject to legal privilege in court. 

The right of access to medical data and social workers' data is also restricted in some very limited circumstances, where the health and mental well-being of the individual might be affected by obtaining access to the data.

Your right to obtain access to examination results and to see information relating to other people is also curtailed. Further details on all of these points can be obtained by clicking on the link below.

Exceptions to the right of access

 

2.4 What if an organisation refuses to respond to my access request?

 

 

 

If an organisation does not comply with a valid access request that you have made, it is open to you to make a complaint to the Data Protection Commissioner. 

Before doing so it is recommended that you contact the organisation in question to establish the circumstances and to indicate your intention to complain to this Office. They may be in a position to apologise and correct the problem there and then.  We find that this can work well as an organisation once contacted by ourselves will often go through a formal process and actually slow down the resolution of your complaint. 

If you are not satisfied with the organisation's response, or if you do not receive a response, at that point you should make a formal complaint to this office.  The Commissioner will investigate the matter for you and ensure that your rights are fully upheld. The Commissioner has wide powers to investigate complaints made to him and will take appropriate action against any persons or organisations that are not complying with the provisions of the Acts.

 

2.5 Can anyone else make an access request on my behalf?

 

 

 

The right of access under Section 4 of the Data Protection Acts applies to a person's own personal data.  Normally, an access request should be made by the person whose personal data it is.  But it would also be reasonable to comply with an access request submitted on a person's behalf by a solicitor or, in the case of a child, by a parent or guardian. 

It would be important in such a case that the data controller be satisfied that the person was genuinely acting on behalf of, and in the best interests of, the person whose data was being requested.

 

2.6 What are my rights in relation to accessing account information held in my husband/wife's name?

 

 

 

This can be a complex area and depends on the policy of the entities in question and any preferences that the individual(s) involved may have expressed.  However, from a data protection perspective, any entity with a policy of transacting business with the named a/c holder only is perfectly entitled to adopt that approach.  In fact, such a policy would be prudent as the revealing of account information to a spouse or former spouse will in most situations constitute a breach of the Data Protection Acts if undertaken without the consent of the other spouse or former spouse.

 

2.7 How can I get my credit rating/credit history?

 

 

 

 

The Irish Credit Bureau (ICB), on behalf of financial institutions, maintains a central record of repayments made  on loans, whether mortgages or personal, and credit cards. This repayment history can also be used to generate a Credit Bureau Score (CBS) - a number which summarises your Credit Report at a particular point in time. 

Your credit history and score may be accessed by member financial institutions of the ICB if you apply for a loan or other credit facility.  The number of times your record is accessed may be disclosed, however, the details of the members who accessed it will not be disclosed.

To  get a copy of your credit history, apply online at www.icb.ie. You can also print out a copy of an application form at www.icb.ie. Finally you can contact the Irish Credit Bureau (01 -2600388) leave your details on their voice machine and they will send out an application for you to complete and return. Once you do this they will send out a copy of your credit history. You will be asked to pay a standard fee for access to your personal data of €6.

 

2.8 What rights have I to access the script of an exam I undertook?

 

Section 4(6)(a) of the Data Protection Acts provides a right to request the results of an examination at which a person was a candidate 60 days after the date of the first publication of the results of the examination. 

This does not automatically extend to the scripts that were submitted for the exam.  Access to such material would have to be considered weighing up whether it could be considered to be personal data.  In such a context, a psychometric or IQ test would likely contain more information relating to the person that undertook it than say a test of general knowledge.

 

2.9 Can I access my medical records under the Data Protection Acts?

 

 

 

The right to access your personal data is a basic right and applies by law regardless of the type of body or entity which is holding your personal data.  Accordingly you have a basic right to access your personal data held by a doctor, hospital, consultant treating you in a private capacity etc.  In response to such a request you should receive anything held on file or computer by the health professional or facility that relates to you or from which you can be identified.  This would include any manuscript notes kept that relate to you.

The only variation on this requirement is where in the opinion of the health professional or facility the release to you of the information could potentially be damaging to your physical or mental health. This is a variation in the right of access that should only be applied in the rare circumstances envisaged.


As the Acts only require that a "copy" of information be supplied, a photocopy of an x-ray/scan would amount to a reproduction of the original and so its supply in photocopy form would meet the requirements of Section 4.

 

2.10 Can I access information containing in school roll books/parish registers as part of a genealogy project?

 

The provisions of the Data Protection Acts 1988 & 2003 only apply to the personal information of living individuals. If it could be reasonably assumed that the individuals named in these books/registers are now deceased, there would be no data protection issue. However any access to or use of data of living individuals needs to have a legitimate basis. For example the consent of the individuals would be needed before any access to their information could take place. 

 

2.11 How can I access information held by An Garda Síochána?

 

 

 

You can make an access request pursuant to Section 4 of the Data Protection Acts 1988 and 2003 for a copy of all information held about you to An Garda Síochána Vetting Unit (Racecourse Road, Thurles, Co. Tipperary).  The Vetting Unit then have 40 days to provide a copy of any information held about you.  The organisation can charge a maximum fee of €6

 

2.12 Under the Data Protection Acts, is an individual entitled to the return of their original documents from an organisation?

Under section 4 of the Data Protection Acts, an individual is entitled, upon making a written request to an organisation, to obtain the following:
(a) a copy of the personal data,
(b) a description of the purposes for which it is held,
(c) a description of those to whom the data may be disclosed, and
(d) the source of the data unless this would be contrary to public interest.

Accordingly, the Acts provide that the individual is only entitled to a copy of the personal data that is held by the organisation and is not entitled, under the Data Protection Acts, to the return of the original documents.

 

2.13 Should back-up data be considered as part of an access request?

 

Back-up data are data kept only for the limited purpose of replacing other data in the event of their being lost, destroyed or damaged. Data kept for any other purpose, such as archive data, would not be considered back-up data. As back-up data are meant to be only copies of "live" data, they are not subject to the same strict rules as "live" data. They are not considered to be subject to an access request made pursuant to Section 4 of the Data Protection Acts. However, in a situation where only the back-up data remains, this would be subject to the full requirements of the Acts - including providing copies in response to an access request.

 

2.14 What can I do if I find that personal data held about me is incorrect?

 

 

 

If you discover that information kept about you by a data controller is factually inaccurate, you have a right to have that information rectified or, in some cases you may also have the information erased.  This right may also be met by the appending of a statement from you relating to the matters which are deemed inaccurate.

Additionally, if the entity keeping the personal data has no good reason to hold it, i.e. it is irrelevant or excessive for the purpose, or if the information has not been obtained fairly, you can have the information rectified or erased.

You can exercise your rights in this area by simply writing to the entity keeping your data specifying your views which must comply or indicate why it will not do so within 40 days.

 

2.15 Can I request to have my baptismal records deleted?

 

 

 

The Data Protection Acts provide individuals with rights to request that factually inaccurate data that is held about them be corrected. As a baptismal record is a factually accurate record of a ceremony that took place on a certain date, there is no right under the Data Protection Acts to alter or delete the record.

 

2.16 Can I access/amend information in relation to a deceased relative?

 

The rights to access/amend under the Data Protection Acts only apply to the personal data of living individuals.  There is no right to access/amend the information of deceased persons.  A particular data controller, for reasons of goodwill, may choose upon request to supply data relating to a deceased person to a relative.