Data Protection and Freedom of Information in the Public Sector

Notice No. 23

31-December-2006

1. Introduction

 

This Notice has been prepared by the FOI Central Policy Unit of the Department of Finance in consultation with the Office of the Data Protection Commissioner and the Office of the Information Commissioner by reference to section 1(5) of the Data Protection (DP) Act 1988 and section 7(7) of the Freedom of Information (FOI) Act 1997.   Its purposes are

 

(i)  to outline provisions governing rights of access to personal information/data under the Freedom of Information and Data Protection Acts and

 

(ii) to outline procedural arrangements which public bodies can follow when dealing with requests for access by individuals to their own personal information / personal data under those Acts.

 

This notice does not seek to provide an interpretation of either Freedom of Information or Data Protection legislation.  Readers should refer to the Freedom of Information website (www.foi.gov.ie) or the Data Protection Commissioner website  (www.dataprotection.ie) for more information on the respective Acts. The procedural arrangements set out in section 3 of this notice are intended as a guide for public bodies in harmonising their approach to granting access to personal information/personal data under the two Acts.

 

2. Legislation

 

Section 1(5) of the Data Protection Act 1988 and 2003 provides that:-  

 

(a)    A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997,

(b)   The Commissioner and Information Commissioner shall, in the performance of their functions, co-operate with and provide assistance to each other.

 

Section 7(7) of the FOI Act imposes a duty on public bodies to assist people who request information or access to a record from a public body otherwise than under FOI.  Where it is not possible to provide the information other than under FOI, the public body must advise the person of their right of access and must assist them in making their FOI request. 

 

The FOI Act provides, with very few exceptions, for a right of access to a record held by, or under the control of, a public body.  Section 28 of the Act provides an exemption in respect of access to personal information, subject to a number of exceptions, including where the personal information concerned relates to the person making the FOI request.  This means that one’s own personal information will very often be released under FOI.

 

Data subjects have a right of access to their personal data held on computer under section 4 of the Data Protection Act 1988.  The Data Protection (Amendment) Act 2003 extended this right so that it now includes both automated data and manual data in a “relevant filing system”.  The Act amends and extends the Data Protection Act 1988 by imposing extra obligations on data controllers, as well as extending the rights of data subjects and creating new powers and functions for the Data Protection Commissioner.  In general the increased obligations on data controllers require higher standards in regard to fair obtaining and transparency in processing of personal data, the definition of which is extended to cover certain manual data.

 

The extension of this right of access to personal data held manually means that bodies who receive an access request now have to look at the Freedom of Information Act as well as the Data Protection Acts (which now cover manual (paper) files in addition to computer files).

 

In summary, the position is that one’s own personal information will very often be released under FOI, while under the Data Protection Acts there is a presumption in favour of access to one’s own personal data.

 

3. Procedural Arrangements

 

Where a request is made to a public body by, or on behalf of, a person seeking access to their own personal information under the Freedom of Information Act, this request should also be taken as a request under the Data Protection Acts. This is because a valid Data Protection request does not need to refer to the Data Protection Act. The right exists subject only to the individual supplying such information as is reasonably required to identify the individual and to locate any relevant personal data or information. Notwithstanding this, the request may still be processed by the public body in accordance with the Act under which it was received (i.e. under either the Data Protection or Freedom of Information Act) and if the decision is to grant access in full, there is no necessity to mention the other Act in the decision issued to the requester.

 

As stated above, one’s own personal information will very often be released under FOI, while under the Data Protection Acts there is a presumption in favour of access to one’s own personal information. If a public body considers that the release of records/data is exempt under one Act, their possible release under the other Act should be considered as a separate exercise. The respective time periods under the relevant Acts run from the date of receipt of the request.

 

So, for example, if a body is considering refusal of access under the Freedom of Information Act, it should check that such refusal is permitted under the Data Protection Acts and vice versa.

 

A decision on the request should be issued within the most favourable time-scale provided for by law (usually that under FOI).  The obligation in section 4 of the Data Protection Act that the individual be provided with information on how an organisation uses personal data is met by the FOI manual that each public sector organisation [each public body subject to FOI] must produce; it should be referred to in the decision on the access request.

 

If the decision is to refuse an individual access to some or all of her/his personal information, the decision letter should refer to the individual’s right to internal review under the FOI Acts and to the right to complain to the Data Protection Commissioner under the Data Protection Acts.

 

4. Access to personal information relating to third parties

 

 

Personal information is exempt from disclosure to third parties under the FOI Acts, subject to a number of exceptions, and such disclosure is generally prohibited under DP legislation. The nature of the restrictions and prohibitions reflects, in part, the difference in focus between the two pieces of legislation. The purpose of the FOI Act is to enable members of the public to obtain access to records held by public bodies to the greatest extent possible consistent with the public interest and the right to privacy. However, under data protection, protection of the individual’s privacy is paramount, and there is no general “public interest” test which could override this right by permitting release of an individual’s information to anyone other than that individual save where consent to such release has been given or can be implied.

 

The exemption from disclosure to third parties under the FOI Acts is subject to a number of exceptions, as stated above. These exceptions include where the public interest in disclosure outweighs the individual’s right to privacy, where the person to whom the information relates has consented to the release, release in certain circumstances to a parent/guardian of personal information relating to a minor or a person with a disability which renders him/her incapable of exercising his/her rights under the Act, release in certain circumstances of personal information relating to a deceased person and where disclosure would benefit the person to whom the information relates. 

 

Under section 4 of the DP Act 1988, an individual may request access to information constituting any personal data of which that individual is the data subject.  When providing the requester’s data in response to an access request, a data controller is not obliged to disclose personal data relating to an individual other than the requester unless that other individual has consented to the disclosure.  Alternatively, the data controller is obliged to disclose so much of the information as can be supplied without identifying the other individual, e.g. by omitting names or other identifying particulars.

 

It should be noted that while the FOI Act defines personal information as information about an identifiable individual whether living or deceased, the DP Acts only apply to data relating to living individuals.   

 

A guide to “Access to Personal Data/Personal Information for Data Protection and FOI” is attached as an Appendix to this Notice. More detailed information can be accessed on the websites www.foi.gov.ie, www.oic.ie and www.dataprotection.ie.

 

 

December, 2006

Appendix

 

Access to Personal Data / Personal Information

 

Data Protection and FOI

 

 

DATA PROTECTION

 

Procedural aspects

 

Form of Request

  • s.4 “if he or she so requests a data controller by notice in writing”
  • no need to refer to DPA

 

Fee payable

  • Fee payable: max. €6.35 (prescribed)
  • refundable in certain circumstances

Details to be supplied by requester

  • Must supply sufficient information to enable data controller to (i) be satisfied as to identity of requester and (ii) locate relevant data or information

 

 

Time for reply

  • No requirement to acknowledge
  • Substantive reply not more than 40 days after compliance by requester with the terms of s.4


Scope of request

 

Definition of “personal data”

  • Data relating to a living individual who can be identified (i) from the data or (ii) from the data together with other information in, or likely to come into, the possession of the data controller
  • “Data” includes automated data and manual data (data which is part of a structured filing system)
  • Records made in the course of the duties of an employee of a public body may not necessarily be personal data of that individual employee
  • Data may not be amended subsequent to access request and prior to compliance with request, unless it would have been amended irrespective of the request
  • Access to information on sources of personal data, except where contrary to public interest

 

Data relating to third parties

 

  • s.4(4) A data controller is not obliged to disclose personal data relating to another individual unless that other individual has consented to the disclosure but the data controller is obliged to disclose so much of the information as can be supplied without identifying the other individual
  • s.4(4A) Data controller can disclose to data subject expressions of opinion by third party without that party’s consent, unless opinion given in confidence

 

Refusal of request

 

  • s.4(7) – Refusal must be in writing stating reasons and informing of right to complain to Data Protection Commissioner

 

Right of Appeal against a refusal

 

  • s.10 – Complain directly to DPC
  • s.26 – Decision of DPC may be appealed to Circuit Court
  • Further appeal on point of law to High Court and Supreme Court

 

Access To Health & Social Work data

 

  • s.4(8) – Ministerial regulations for (i) physical and mental health and (ii) social work data
  • health data (S.I. No: 82 of 1989): direct access, but data must be withheld if access would be likely to cause serious harm to the physical or mental health of the data subject. Obligation to consult “appropriate health professional”.
  • social work data (S.I. No.83 of 1989): direct access, but must be withheld if access would be likely to cause serious harm to the physical or mental health or emotional condition of the data subject.
  • As much data as possible must be released in any event

 

Access to Personal Data relating to minors etc

 

  • No express entitlement to exercise right of access on behalf of minors or persons unable to exercise their right
  • Section 8(h) allows disclosure to someone acting on behalf of the data subject – parents/guardians may be able to use this but disclosure is at the discretion of the data controller on case by case basis

 

Access to Personal Data of deceased persons

 

  • DPA only applies to data relating to living individuals.

Exemptions to right of access

 

Section 1(4) – personal data outside scope of DPA

 

  • in opinion of Minister for Justice Equality and Law Reform or Minister for Defence are or were kept for safeguarding security of the State
  • information required by law to be made available by the data controller to the public
  • kept by an individual and concerned only with his or her personal, family or household affairs, or only for recreational purposes

 

Section 5 – data exempt from right of access

 

  • kept for the purpose of preventing detecting or investigating offences, apprehending or prosecuting offenders, or for assessing or collecting taxes, duties etc, in any case where it would prejudice any such matter
  • kept for a statutory purpose or function and obtained from a person covered under the previous paragraph
  • where providing access would prejudice maintenance of good order in a prison
  • where it would prejudice certain investigatory functions relating to protecting public against financial loss
  • where it would be contrary to interests of protecting international relations of the State
  • where providing access would prejudice interests of data controller regarding liability for damages
  • where a claim of legal professional privilege would apply regarding communications between a client and professional legal advisers
  • kept by the DPC or IC for the purpose of his or her functions
  • where data are kept only for statistical or research purposes and not disclosed in a form that identifies any of the data subjects
  • back-up data

FOI

 

Procedural aspects

 

Form of Request

  • s7 – “in writing or in such other form as may be determined”
  • must refer to FOIA

 

Fee payable

  • There is no fee payable for access to records containing only the personal information of the requester. Where the request is for records containing both personal and non-personal information a fee of €15 for the initial request, €75 for an internal review and €150 for an appeal to the Information Commissioner will apply.  Reduced fees are payable by those with medical cards.

 

Details to be supplied by requester

  • must supply sufficient details about the information concerned to enable the record to be identified by the taking of reasonable steps
  • particular form of access may be specified

 

Time for reply

  • Acknowledgement of request not later than 10 working days after receipt, including summary of s41 rights, right of review, and time limits
  • Substantive reply not later than 20 working days after receipt

 

Scope of request

 

Definition of “personal information”

  • Information about an identifiable individual – living or deceased – that (i) would, in the ordinary course, be known only to the individual, their family or friends; or (ii) is held by a public body on the understanding that it would be treated by it as confidential
  • Exceptions for employees of a public body: name, position, terms of employment, records made in the course of their duties
  • Exception: expressions of opinion in relation to a public body or its staff
  • Request applies to records “relating to” personal information

Personal Information relating to third parties

 

  • Personal information is exempt from disclosure under section 28 subject to a number of exceptions (see below)

Refusal of request

 

  • Refusal must be in writing, stating the reasons for the refusal and advising of the rights of review/appeal (section 8)

 

Right of Appeal against a refusal

 

  • Right of internal review
  • Appeal to IC
  • Further appeal on a point of law to the High Court and Supreme Court (Section 42)

 

 

Access to medical, psychiatric & social work records

 

  • S28(3) – access to such records may be refused where it might be prejudicial to the requester’s physical or mental health, well being or emotional condition.
  • Access must be made available to a relevant health professional specified by the requester

Access to Personal Information relating to minors etc

  • Regulations under s28(6) – provide right of access by parents/guardians to personal information relating to a minor or person with mental or physical incapacity, where such access is considered to be in the best interests of the individual.

 

 

 

Access to Personal Information of deceased persons

 

  • specifically dealt with by SI 47/1999
  • access granted to administrator of deceased person’s estate, and to persons on whom functions are conferred by law in this regard
  • access granted to spouse or next of kin, and others that the Head considers appropriate in the circumstances

 

Exemptions to right of access

 

There are exemptions to protect records –

  • whose release might prejudice security, defence or international relations (Section 24)
  • whose release might prejudice law enforcement or public safety (section 23)
  • financial and economic interests of the State (Section 31)*
  • covered by legal professional privilege or whose release would be a contempt of court (Section 22)
  • certain records of the Government or presented to the Government (section 19)
  • certain records relating to the deliberation of public bodies (section 20)*
  • whose release might prejudice the functions or negotiations of public bodies (section 21)*
  • information obtained in confidence (section 26)*
  • commercially sensitive information (section 27)*
  • whose disclosure might prejudice research conducted by a public body or prejudice the well-being of a cultural, heritage or natural resource or species, or of a habitat of a species (flora or fauna) (section 30)*

*subject to public interest test

 

Disclosure of Personal Information to third parties

 

  • Personal information is exempt from disclosure under section 28 subject to a number of exemptions (see below).

 

  • Restriction applies to personal information of deceased persons

 

Circumstances in which right of access applies

 

  • s28(2),(5),(6) of FOIA
  • information relates to the requester
  • person concerned has consented to the disclosure
  • information of the same kind is already available to the general public
  • if the information was provided to the body by the person concerned and that person had been informed that it might be made available to the general public
  • disclosure is necessary to prevent serious or imminent danger to the life or health of the individual
  • person concerned is a minor or has a disability rendering them incapable of exercising right of access – see above
  • disclosure would benefit the person
  • public interest in disclosure outweighs right to privacy of the person
  • personal information relating to deceased persons may be released in certain circumstances (see above)