Accessing your personal data under data protection law

What records held by private organisations can I access?

Nearly every organisation, public and private, stores information about individuals. You have a general right to access any of your personal data.

Personal data is information that relates to, or can identify you, either by itself or together with other available information. Personal data can include your name, address, contact details, an identification number, IP address, CCTV footage, access cards, audio-visual or audio recordings of you, and location data.

In many cases, an organisation must store and use this information for its everyday functions. Your employer needs personal information for tax and legal purposes. Hospitals and doctors store and use your medical records. Shops may collect and keep your contact details to deliver goods. Organisations or companies may also store personal information to prevent someone who has forgotten their password from being locked out of their online accounts.

However, in some situations, your personal data is stored and used for reasons which are not directly for your benefit. Websites sometimes place cookies on your computer to help companies decide which products and services to advertise when you are on their website. Members of supermarket loyalty schemes have their purchases tracked so that stores can decide how to improve their offerings. Information which you may have given a long time ago for a specific purpose can remain stored despite the relevant transaction being completed a long time ago.

The collection and use of your personal information is now strictly regulated in Ireland and across the EU through the General Data Protection Regulation (GDPR) and other legislation. This is often referred to as data protection law and you have certain rights under that law. Data protection is also a fundamental right under Article 8 of the European Charter of Fundamental Rights.

What are the general data protection principles?

Under data protection law, if an organisation or company is holding or using your personal data, you are known as a data subject. The organisation or company holding or using that data is known as a data controller. However, the data controller can allow another person, organisation or company, known as a data processor, to process your personal data on its behalf. Doing anything with your personal data, including storing it, is known as ‘processing’.

You are entitled to have your personal information:

  • Protected
  • Used in a fair and legal way
  • Made available to you when you ask for a copy
  • Corrected if you ask for the information to be corrected

Six reasons to use or keep your data

Organisations can only use or keep your data where there is a lawful reason. The GDPR sets out six lawful reasons:

  1. You have given your free and informed consent. Your consent cannot be assumed, so silence, pre-ticked boxes or inactivity cannot indicate consent. You must specifically agree to any proposed processing.
  2. The processing is necessary to carry out a contract which you are a party to, such as the delivery of a product.
  3. The processing is necessary for the data controller to meet with a legal obligation, such as the mandatory collection of details for anti-money laundering or tax purposes.
  4. The processing is necessary to protect your vital interests or the vital interests of someone else, such as accessing medical records in an emergency.
  5. The processing is necessary to perform a task carried out in the public interest or where the data controller has official authority, such as public security processing.
  6. The processing is necessary in the legitimate interests of the processing organisation, if it does not conflict with your rights.

Organisations’ privacy policies

You must be given enough information in simple and clear language to know what an organisation is going to do with your personal data. This is often found in privacy policies on websites or in forms which you can read or sign in person. For instance, you should be told:

  • The identity and contact details of the data controller or their EU representative
  • The contact details for the organisation or company’s Data Protection Officer
  • The reason for the intended processing and its legal basis
  • What ‘legitimate interest’ the data controller has in your personal data if they are relying on a ‘legitimate interest’ to process the data
  • Who will have access to your personal data
  • Whether your personal data may be transferred outside the EU and if so, the data safeguards in that country
  • How long your personal data will be stored or how that time period will be decided
  • Your right to request access, rectification, erasure, restriction of use, objection to use and data portability (the right to receive the data held in a form which allows you to transfer it to another person)
  • Your right to complain to a supervisory authority
  • Your right to withdraw consent at any time if your consent is the basis for the processing
  • Whether you are required by law or a contract to provide your personal data and the consequences of not providing it
  • Whether your personal data will be subject to any automated decision-making (decisions made by computer with no human input) or profiling processes. Such processing may be prejudicial as it can systematically fail to take relevant matters into account.

In general, only personal data necessary for those stated purposes for which it is collected should be collected and processed. Your personal data should only be kept for as long as is necessary for the purpose for which it was collected.

While it is being stored or processed, your personal data must be kept safe, and policies and procedures must be in place to make sure that there is no unauthorised access.

Accessing your personal data

You have a fundamental right of access to your personal data under the GDPR. This includes:

  • The right to ask and be told whether or not your personal data is being processed
  • The right to ask for and be given a copy of any personal data which an organisation holds on you
  • The right to be told if your personal data is being processed, including:
    • The purpose or purposes of the processing
    • The source of your personal data if it has not been provided by you
    • The categories of personal data being processed
    • Who your personal data has been or will be disclosed to
    • How long your personal data will be kept
    • How to exercise your other data protection rights
    • Your right to raise concerns with the Data Protection Commission
    • Whether your personal data is the subject of automated decision-making

How do I make an access request under data protection law?

There is no set way to make an access request but the following general steps apply.

  1. Ask as soon as possible, preferably in writing, either by letter or email. Seeking your personal data is known as making an access request or a data subject access request. You should state in the letter or email that it is an access request. This means that both you and the data controller will have a record of the request and its content if an issue later arises.
  2. Contact the relevant Data Protection Officer. Many large organisations have a Data Protection Officer (or DPO) and they are generally the best person to contact about your request for information. You should be able to find their contact details in the privacy policy or ‘contact us’ section of the organisation’s website. Where there is no specific email address for a data access request, you should use the organisation’s general contact details.
  3. Make your request as specific as possible in relation to the personal data that you wish to access unless you want to access all your personal data held. Remember to specify whether you want the information in electronic format or in hard copy.
  4. Provide some additional, identifying information about yourself if needed. You may need to provide more than just your name so that the organisation can distinguish between you and others who may share your name, so the organisation may ask you to provide further evidence of your identity.

Some large companies allow you to automatically download your personal information directly through their website.

How much does it cost to make an access request?

There is generally no fee for making an access request.

The main exception to this is where your access request is considered ‘manifestly unfounded or excessive’. An example of this is where someone repeatedly makes the same access request even though it has already been dealt with. If a data controller can prove that your request is manifestly unfounded or excessive, they can charge a reasonable fee for the administrative costs of providing the information requested.

They may also charge a fee based on administrative costs if you ask for additional copies of the information.

How will the company or organisation deal with my request?

The data controller must respond to your request within one month. If the request is complex or involves a large amount of information, the data controller can extend the time to respond by a further two months. You should receive a written explanation for any extension within the initial one-month period.

If your request is very broad and requires the data controller to provide a large amount of information and documents, you may be asked to reduce the number of documents containing personal data requested. However, you can insist on receiving all the information and documentation held. If you do, it may take longer to comply with your access request.

In general, the data controller should respond to your access request in the same format the request was made, or in the way in which you specifically asked for a response. For example, if you emailed your request, the data controller should provide the information by email, unless you request otherwise.

Can an organisation or company refuse access to my personal data?

A data controller can refuse access to some or all of your data where:

  • Providing your personal data infringes the rights of others
  • Your personal data is listed with the personal data of others (in these cases, the data controller may remove the personal data of others to provide you with your data)
  • Your personal data is in a document that has trade secrets, confidential information or intellectual property (in these cases, the data controller may remove the confidential information, however, they can rarely justify complete non-disclosure of your personal data for these reasons)
  • The request is considered ‘manifestly unfounded or excessive’ (for example, if you made a request in the recent past and were told that the data controller had no personal data relating to you)

By law (Data Protection Act 2018), access to your personal data may also be refused in relation to processing carried out:

  • For electoral purposes, such as publishing a roll of electors
  • By the Referendum Commission
  • In the administration of tax and duties
  • To safeguard Cabinet confidentiality
  • When defending legal claims

Do I have any rights after I receive my personal data?

When you receive your personal data after an access request, you have several other data protection rights:

  • If your personal data is inaccurate, you have the right to have the data corrected without delay.
  • If your personal data is incomplete, you have the right to have the data completed. This includes by providing supplementary information.
  • You have the right to have your data deleted without delay if one of the following grounds applies:
    • Your personal data is no longer needed for the purpose for which it was collected
    • You withdraw your consent to the processing of your personal data and there is no other lawful basis for processing it
    • You object to the processing and there are no legitimate grounds for continuing the processing
    • You object to the processing of your personal data for direct marketing
    • Your personal data has been unlawfully processed
    • Your personal data has to be erased to comply with a legal obligation
    • Your personal data was collected in relation to the processing of a child’s personal information, for instance when consent was given by a parent or guardian

In some limited cases, you may be able to object to further processing of your personal data or its transfer to another processor.

What can I do if I am unhappy with the outcome of an access request?

Complain to the Data Protection Commission

If you are unhappy with the way your access request was processed, you can make a complaint to the Data Protection Commission (DPC).

The DPC is Ireland’s independent authority with responsibility for upholding the right of people in the EU to have their personal data protected. It monitors compliance with GDPR and other data protection legislation and deals with complaints in relation to data protection breaches. Its website contains helpful explanations of data protection law, dataprotection.ie.

You may be unhappy with the way your request was handled because:

  • There was no response or a delayed response to your access request
  • The response to the request was incomplete
  • You believe the data controller wrongly relied on exemptions to not share your personal data with you

How do I make a complaint?

Complete the DPC’s online complaint form. You will be asked to provide evidence to support your complaint. This will include:

  • Evidence of your access request
  • Correspondence between you (or your legal representative) and the data controller, and
  • Information in support of your belief that the data controller holds your personal information

What will the DPC do?

The DPC will acknowledge your complaint and check to see if it is the right organisation to deal with your complaint. If it is, the DPC in the first instance will try to help you and the data controller to reach an agreement if it believes this is possible within a reasonable amount of time.

If this approach is not appropriate or successful, the DPC may:

  • Reject the complaint
  • Dismiss the complaint
  • Give you advice in relation to the substance of the complaint
  • Serve an enforcement notice on the data controller requiring it to comply with your data access request or tell you about a breach of your personal data
  • Investigate the complaint or
  • Take any other action it considers appropriate

If your complaint relates to processing which happened before the introduction of the GDPR on 25 May 2018, the complaint may be handled differently.

An appropriate not-for-profit body or organisation may also be able to make a complaint on your behalf.

Take legal proceedings

If your data protection rights have been breached, you also have the option of bringing legal proceedings against the data controller. However, this can be expensive and you may have to pay the data controller’s legal costs if you lose the case. You should get legal advice if you are considering legal action.

In legal proceedings, you can seek:

  • An award of damages and
  • A declaration (a formal recognition by a court) and/or
  • An injunction (a court order requiring someone to do or to stop doing something)

The amount of damages awarded will depend on the loss you have suffered. If you have no real financial loss, only minimal damages may be awarded even if you prove there has been a breach of your data protection rights. If you suffered significant financial loss, for example where you were refused a job due to the unlawful or inaccurate sharing of your personal information, you may get higher damages.

A declaration is a formal court recognition that a particular data protection right of yours has been breached. The court may grant an injunction to stop the processing or require any personal data wrongfully being stored or used about you to be deleted.

You can bring legal proceedings in either the Circuit Court or the High Court. If you are seeking damages below €75,000, it is best to use the Circuit Court. If you go to the High Court, you may be ordered to pay some of the data controller’s legal costs, even if you win your case.

You do not have to make a complaint to the Data Protection Commission before starting legal proceedings. An appropriate not-for-profit body or organisation may also be able to take proceedings on your behalf.

Access to particular types of personal data or records

This section covers the following particular types of personal data or records:

  • Children’s personal data
  • Medical records
  • Garda records
  • People who have died (deceased people)

Children’s personal data

Children have the same data protection rights as adults and can make data access requests. However, they are given specific protection with regard to their personal data. This is the case as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to how their personal information is processed.

Parents and guardians may also be able to make access requests or exercise any other data protection right on behalf of their children. However, there is no direct right for this in data protection law. Rather, if a request is made by a parent or guardian, the data controller must consider the nature and circumstances of the request, including the age, capacity and views of the child and the child’s best interests.

Parents and guardians can also make FOI requests to access the personal data of a child under 18. The FOI body will only grant access if they consider the disclosure to be in the child’s best interests. Before granting access, they may ask the child for their view. Depending on the child’s age, capacity and understanding of the reason for the request, their view can then be considered in the final decision.

Medical records

Your medical records are your personal information and you are entitled to access them.

If you are a patient in a public or publicly-funded hospital, or have a medical card or GP visit card, you can seek access in the following ways:

  • Make an access request under data protection law
  • Make an access request under the Freedom of Information Act
  • Write to the service provider or Health Service Executive and ask for your records

You may have to provide information to help them locate your file, including your date of birth, current and previous addresses, the contacts you had with specific services and approximate dates.

Under FOI, the head of the service can refuse to provide you with your medical records if they believe that giving you the information may be harmful to your health or emotional well-being. In these circumstances, you can ask them to release the record to a health professional named by you.

If you visit your GP as a private patient, attend a private hospital, or are cared for in a private nursing home, you can simply ask for your medical records. However, if this does not work, you can get access to your medical records:

  • By making an access request under data protection law
  • On the basis of your contract with the medical service
  • Through the courts

Under data protection law, you can be refused access to your medical records if disclosure would give rise to serious harm to your physical or mental health.

Garda records

You can ask the Garda Síochána for a copy of any personal data that it has about you. When you make an access request to the Gardaí, you are generally entitled to:

  • Get a copy of the personal data being kept about you
  • Be told why the data is being kept
  • Be told the identity of anyone the Gardaí have shared the data with
  • Be told how the Gardaí obtained the data (unless this would be against the public interest, for example if it would cause a risk of harm to someone else)

You can make a request for your personal data using the Garda Síochána subject access request form (pdf). Post the completed form to the address on the form or email it to DataProtection@Garda.ie.

The Gardaí can refuse your request for personal data and withhold that information in the following situations:

  • Your request for data would identify someone else. This also applies to the Gardaí’s obligation to give you details of the source of the information: if the source of the information identifies somebody else, the Gardaí can withhold it.
  • They have to refuse so as to prevent, detect or investigate crime, or to arrest or prosecute offenders
  • There are existing or expected legal proceedings or claims

Many of the records held by the Garda Síochána fall outside of the scope of a FOI request, such as criminal records.

Deceased people

In Ireland, GDPR rules for the processing of personal data do not generally apply to those who have died. Under FOI, access to the personal information of a deceased person may be granted:

  • To the personal representative who is administering the estate of the deceased or anyone acting on the personal representative’s behalf
  • To someone who is performing a legal function in relation to the deceased or their estate
  • To the spouse (including a divorced spouse or cohabitee) or close relative if the head of the public body considers it appropriate