FOI Central Policy Unit
 Notice No. 18
 
 
 
Data Protection and Freedom of Information in the Public Sector
 
 
1. Introduction
 
This Notice has been prepared by the CPU in consultation with the Office of the Data Protection Commissioner and the Office of the Information Commissioner by reference to section 1(5) of the Data Protection (DP) Act 1988 and section 12(6) of the Freedom of Information (FOI) Act 2014.   Its purposes are
 
(i)  to outline provisions governing rights of access to personal information/data under the Freedom of Information and Data Protection Acts and
 
(ii) to outline procedural arrangements which FOI bodies can follow when dealing with requests for access by individuals to their own personal information / personal data under those Acts.
 
This notice does not seek to provide an interpretation of either Freedom of Information or Data Protection legislation.  Readers should refer to the Freedom of Information website (www.foi.gov.ie) or the Data Protection Commissioner website  (www.dataprotection.ie) for more information on the respective Acts. The procedural arrangements set out in section 3 of this notice are intended as a guide for FOI bodies in harmonising their approach to granting access to personal information and do not reflect any statutory obligations.
 
2. Legislation
 
Section 1(5) of the DP Act 1988 (inserted by the Data Protection (Amendment) Act 2003) provides that:-
 
(a) A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 2014,
(b) The Commissioner and Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other.
 
Section 12(6) of the FOI Act imposes a duty on FOI bodies to assist people who request information or access to a record from an FOI body otherwise than under FOI.  Where it is not possible to provide the information other than under FOI, the FOI body must advise the person of their right of access and must assist them in making their FOI request. 
 
The FOI Act provides, with very few exceptions, for a right of access to a record held by, or under the control of, an FOI body.  Section 37 of the Act provides an exemption in respect of access to personal information, subject to a number of exceptions, including where the personal information concerned relates to the person making the FOI request. 
 
Data subjects have a right of access to their personal data held on computer under section 4 of the Data Protection Act 1988.  The Data Protection (Amendment) Act 2003 extended this right so that as well as automated data, it now includes access to manual data in a “relevant filing system”.  Under the Acts, “manual data” means information recorded as or intended to be part of a “relevant filing system”, and practical guidelines on the meaning of these terms is available on the Commissioner’s website.  The Act amends and extends the Data Protection Act 1988 by imposing extra obligations on data controllers, as well as extending the rights of data subjects and creating new powers and functions for the Data Protection Commissioner.  In general the increased obligations on data controllers require higher standards in regard to fair obtaining and transparency in processing of personal data, whether the data is held in electronic or manual form.  In addition, the extension of this right of access to personal data held manually means that bodies who receive an access request now have to look at their manual (paper) files in addition to computer files.
 
3. Procedural Arrangements
 
Where a request is made to a body under one Act (i.e. under either the Data Protection or Freedom of Information Act), the request should be processed by the FOI body under that Act.  If the decision is to grant access in full, there is no necessity to mention the other Act in the decision issued to the requester.
 
Where a body receives a letter seeking the records and relying on both pieces of the legislation they should contact the requester and advise him/her of his/her rights under both pieces of legislation and ask him/her to seek the records under one Act. In the event that the requester refuses to do so, a letter in relation to both Acts may issue with only one copy of the documents.
 
If the decision is to refuse access to the information (whether in whole or in part), the body may, if it so wishes, in anticipation of a possible request under the other Act, examine the records in the context of that other Act.
 
Where an examination of the records in the context of the other Act leads the decision-maker to a preliminary conclusion that there is no potential right of access to the records under the other Act, there is no need to inform the requester of his/her rights under the other Act. Where a decision-maker concludes that there is a potential right of access to the records under the other Act, the requester should be notified of his/her rights under that legislation.  In both cases, the decision on the request should be made solely pursuant to the Act under which the request was made.
 
The decision-maker may note the outcome of his/ her examination of the records and his/ her preliminary conclusions made at that time.
 
Where a request is subsequently received under the other Act for the same records and where the decision-maker is the same person who examined the records in response to the earlier request, a major part of the preparatory work will have been done.  Records created or received after the date of the first request and any relevant changes that may have occurred in the intervening period (e.g. the passage of time, factors relevant to a harm test etc.) would need to be considered at the time of the decision on the subsequent request.  A decision should then be made solely under the other Act.
 
4. Access to personal information relating to third parties
 
Access to personal information relating to third parties is subject to certain restrictions under FOI and is generally prohibited under DP legislation.  The nature of the restrictions and prohibitions reflect, in part, the difference in focus as between the two pieces of legislation.  The purpose of the FOI Act is to enable members of the public to obtain access to records held by FOI bodies to the greatest extent possible consistent with the public interest and the right of privacy.  However, under data protection, protection of the individual’s privacy is paramount, and there is no general “public interest” test which could override this right by permitting release of an individual’s information to anyone other than that individual save where consent to such release has been given or can be implied.
 
Personal information is exempt from disclosure to third parties under the FOI Acts, subject to a number of exceptions.  These exceptions include where the public interest in disclosure outweighs the individual’s right to privacy, where the person to whom the information relates has consented to the release, release in certain circumstances to a parent/guardian of personal information relating to a minor or a person with a disability which renders him/her incapable of exercising his/her rights under the Act, release in certain circumstances of personal information relating to a deceased person and where disclosure would benefit the person to whom the information relates. 
 
Under section 4 of the DP Act 1988, an individual may request access to information constituting any personal data of which that individual is the data subject.  When providing the requester’s data in response to an access request, a data controller is not obliged to disclose personal data relating to an individual other than the requester unless that other individual has consented to the disclosure.  Where there is such joint personal data the data controller is obliged to disclose so much of the information as can be supplied without identifying the other individual, e.g. by omitting names or other identifying particulars.  
 
It should be noted that while the FOI Act defines personal information as information about an identifiable individual whether living or deceased, the DP Acts only apply to data relating to living individuals.   
 
A guide to “Access to Personal Data/Personal Information for Data Protection and FOI” is attached as an Appendix to this Notice.  Information can also be accessed on the websites www.foi.gov.ie , www.oic.ie and www.dataprotection.ie
 
 
  2015
 
 
 
 
Access to Personal Data / Personal Information
 
Data Protection and FOI
 
DATA PROTECTION
 
Procedural aspects
 
Form of Request
  • s.4 “if he or she so requests a data controller by notice in writing”
  • no need to refer to DPA
 
Fee payable
  • Fee payable: max. €6.35 (prescribed)
 
  • refundable in certain circumstances
 
 
 
 
 
 
 
Details to be supplied by requester
  • Must supply sufficient information to enable data controller to (i) be satisfied as to identity of requester and (ii) locate relevant data or information
 
 
 
 
 
Time for reply
  • No requirement to acknowledge
 
  • Substantive reply not more than 40 days after compliance by requester with the terms of s.4
 
 
Scope of request
 
Definition of “personal data”
·         Data relating to a living individual who can be identified (i) from the data or (ii) from the data together with other information in, or likely to come into, the possession of the data controller
·         “Data” includes automated data and manual data (data which is part of a structured filing system)
·         Records made in the course of the duties of an employee of an FOI body may not necessarily be personal data of that individual employee
·         Data may not be amended subsequent to access request and prior to compliance with request, unless it would have been amended irrespective of the request
·         Access to information on sources of personal data, except where contrary to public interest
 
Data relating to third parties
 
  • s.4(4) A data controller is not obliged to disclose personal data relating to another individual unless that other individual has consented to the disclosure but the data controller is obliged to disclose so much of the information as can be supplied without identifying the other individual
  • s.4(4A)Data controller can disclose to data subject expressions of opinion by third party without that party’s consent, unless opinion given in confidence
 
Refusal of request
 
·         S.4(7) - Refusal must be in writing stating reasons and informing of right to complain to Data Protection Commissioner
 
Right of Appeal against a refusal
 
  • s.10 - Complain directly to DPC
  • s.26 - Decision of DPC may be appealed to Circuit Court
  • Further appeal on point of law to High Court and Supreme Court
 
Access To Health & Social Work data
 
  • s.4(8) - Ministerial regulations for (i) physical and mental health and (ii) social work data
  • health data (S.I. No: 82 of 1989): direct access, but data must be withheld if access would be likely to cause serious harm to the physical or mental health of the data subject. Obligation to consult “appropriate health professional”.
  • social work data (S.I. No.83 of 1989): direct access, but must be withheld if access would be likely to cause serious harm to the physical or mental health or emotional condition of the data subject.
  • Requires consultation with a third party (other than an employee or agent of the data controller)
  • As much data as possible must be released in any event
 
Access to Personal Data relating to minors etc
 
  • No express entitlement to exercise right of access on behalf of minors or persons unable to exercise their right
  • Section 8(h) allows disclosure to someone acting on behalf of the data subject – parents/guardians may be able to use this but disclosure is at the discretion of the data controller on case by case basis
 
Access to Personal Data of deceased persons
 
  • DPA only applies to data relating to living individuals.
 
 
 
 
 
 
 
Exemptions to right of access
 
Section 1(4) – personal data outside scope of DPA
 
  • in opinion of Minister for Justice Equality and Law Reform or Minister for Defence are or were kept for safeguarding security of the State
  • information required by law to be made available by the data controller to the public
  • kept by an individual and concerned only with his or her personal, family or household affairs, or only for recreational purposes
 
Section 5 – data exempt from right of access
 
  • kept for the purpose of preventing detecting or investigating offences, apprehending or prosecuting offenders, or for assessing or collecting taxes, duties etc, in any case where it would prejudice any such matter
  • kept for a statutory purpose or function and obtained from a person covered under the previous paragraph
  • where providing access would prejudice maintenance of good order in a prison
  • where it would prejudice certain investigatory functions relating to protecting public against financial loss
  • where it would be contrary to interests of protecting international relations of the State
  • where providing access would prejudice interests of data controller regarding liability for damages
  • where a claim of legal professional privilege would apply regarding communications between a client and professional legal advisers
  • kept by the DPC or IC for the purpose of his or her functions
  • where data are kept only for statistical or research purposes and not disclosed in a form that identifies any of the data subjects
  • back-up data
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
FOI
 
Procedural aspects
 
Form of Request
  • s12 – “in writing or in such other form as may be determined”
  • must refer to FOIA
 
Fee payable
  • There is no up-front application fee payable for access to records under FOI.  Search and retrieval and copying charges apply – details are available on www.foi.gov.ie. Where the request is for records containing both personal and non-personal information a fee of €30 for an internal review and €50 for an appeal to the Information Commissioner will apply.  Reduced fees are payable by those with medical cards.
 
Details to be supplied by requester
  • must supply sufficient details about the information concerned to enable the record to be identified by the taking of reasonable steps
  • particular form of access may be specified
  • Must supply information to allow the FOI officer to confirm identity and/or relationship
 
Time for reply
  • Acknowledgement of request not later than 10 working days after receipt, including summary of s(19) rights, right of review, and time limits
  • Substantive reply not later than 20 working days after receipt
 
Scope of request
 
Definition of “personal information”
  • Information about an identifiable individual – living or deceased – that (i) would, in the ordinary course, be known only to the individual, their family or friends; or (ii) is held by an FOI body on the understanding that it would be treated by it as confidential.  Full definition at section 2 of the FOI Act 2014
  • Exceptions for employees or former employees of an FOI body: name, position, terms of employment, records made in the course of their duties
  • Exception: expressions of opinion in relation to an FOI body or its staff
  • Request applies to records “relating to” personal information
 
 
 
Personal Information relating to third parties
 
  • Personal information is exempt from disclosure under section 37 subject to a number of exceptions (see below)
 
 
 
 
 
 
 
 
 
Refusal of request
 
  • Refusal must be in writing, stating the reasons for the refusal and advising of the rights of review/appeal (section 13(2))
 
Right of Appeal against a refusal
 
  • Right of internal review
  • Appeal to IC
  • Further appeal on a point of law to the High Court and Supreme Court (Section 24)
 
 
Access to medical, psychiatric & social work records
 
  • S37(3) – access to such records may be refused where it might be prejudicial to the requester’s physical or mental health, well being or emotional condition.
  • Access must be made available to a relevant health professional specified by the requester
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Access to Personal Information relating to minors etc
  • Regulations under s37(8) –provide right of access by parents/guardians to personal information relating to a minor or person with mental or physical incapacity, where such access is considered to be in the best interests of the individual.
 
 
 
Access to Personal Information of deceased persons
 
  • specifically dealt with by SI 47/1999
  • access granted to administrator of deceased person’s estate, and to persons on whom functions are conferred by law in this regard
  • access granted to spouse or next of kin, and others that the Head considers appropriate in the circumstances
 
Exemptions to right of access
 
There are exemptions to protect records –
  • whose release might prejudice security, defence or international relations (Section 33)
 
 
 
 
 
 
 
 
 
 
 
·         whose release might prejudice law enforcement or public safety (section 32)
·         financial and economic interests of the State (Section 40)*
 
 
 
 
 
 
 
 
 
·         whose release might prejudice security, defence or international relations (Section 33)
 
 
 
·         covered by legal professional privilege or whose release would be a contempt of court (Section 31)
 
 
 
 
 
 
·         certain records of the Government or presented to the Government (section 28)
·         certain records relating to the deliberation of FOI bodies (section 29)*
·         whose release might prejudice the functions or negotiations of FOI bodies (section 30)*
·         information obtained in confidence (section 35)*
·         commercially sensitive information (section 36)*
·         whose disclosure might prejudice research conducted by an FOI body or prejudice the well-being of a cultural, heritage or natural resource or species, or of a habitat of a species (flora or fauna) (section 39)*
·         *subject to public interest test
 
Disclosure of Personal Information to third parties
 
  • Personal information is exempt from disclosure under section 37 subject to a number of exemptions (see below).
 
  • Restriction applies to personal information of deceased persons
 
Circumstances in which right of access applies
 
  • S37(2),(5),(8) of FOIA
  • information relates to the requester
  • person concerned has consented to the disclosure
  • information of the same kind is already available to the general public
  • if the information was provided to the body by the person concerned and that person had been informed that it might be made available to the general public
  • disclosure is necessary to prevent serious or imminent  danger to the life or health of the individual
  • person concerned is a minor or has a disability rendering them incapable of exercising right of access – see above
  • disclosure would benefit the person
  • public interest in disclosure outweighs right to privacy of the person
  • personal information relating to deceased persons may be released in certain circumstances (see above)