Data Protection Act 1988

Right of access.

4

4. (1) F15 [ ( a ) Subject to the provisions of this Act, an individual shall, if he or she so requests a data controller by notice in writing

(i)     be informed by the data controller whether the data processed by or on behalf of the data controller include personal data relating to the individual,

(ii)     if it does, be supplied by the data controller with a description of

(I)     the categories of data being processed by or on behalf of the data controller,

(II) the personal data constituting the data of which that individual is the data subject,

(III) the purpose or purposes of the processing, and

(IV) the recipients or categories of recipients to whom the data are or may be disclosed,

(iii) have communicated to him or her in intelligible form

(I)     the information constituting any personal data of which that individual is the data subject, and

(II) any information known or available to the data controller as to the source of those data unless the communication of that information is contrary to the public interest,

and

(iv) where the processing by automatic means of the data of which the individual is the data subject has constituted or is likely to constitute the sole basis for any decision significantly affecting him or her, be informed free of charge by the data controller of the logic involved in the processing,

as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section and, where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.

( b ) A request under paragraph ( a ) of this subsection that does not relate to all of its subparagraphs shall, in the absence of any indication to the contrary, be treated as relating to all of them. ]

( c) (i) A fee may be payable to the data controller concerned in respect of such a request as aforesaid and the amount thereof shall not exceed such amount as may be prescribed or an amount that in the opinion of the Commissioner is reasonable, having regard to the estimated cost to the data controller of compliance with the request, whichever is the lesser.

(ii) A fee paid by an individual to a data controller under subparagraph (i) of this paragraph shall be returned to him if his request is not complied with or the data controller rectifies or supplements, or erases part of, the data concerned (and thereby materially modifies the data) or erases all of the data on the application of the individual or in accordance with an enforcement notice or an order of a court.

(2) F16 [ ]

(3) An individual making a request under this section shall supply the data controller concerned with such information as he may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information.

(4) F16 [ ]

F17 [ (4A) ( a )     Where personal data relating to a data subject consist of an expression of opinion about the data subject by another person, the data may be disclosed to the data subject without obtaining the consent of that person to the disclosure.

( b )     Paragraph ( a ) of this subsection does not apply

(i)     to personal data held by or on behalf of the person in charge of an institution referred to in section 5(1)( c ) of this Act and consisting of an expression of opinion by another person about the data subject if the data subject is being or was detained in such an institution, or

(ii) if the expression of opinion referred to in that paragraph was given in confidence or on the understanding that it would be treated as confidential. ]

(5) Information supplied pursuant to a request under subsection (1) of this section may take account of any amendment of the personal data concerned made since the receipt of the request by the data controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.

(6) F16 [ ]

(7) A notification of a refusal of a request made by an individual under and in compliance with the preceding provisions of this section shall be in writing and shall include a statement of the reasons for the refusal and an indication that the individual may complain to the Commissioner about the refusal.

(8) ( a) If and whenever the Minister considers it desirable in the interests of data subjects F18 [ or in the public interest ] to do so and by regulations so declares, the application of this section to personal data—

(i) relating to physical or mental health, or

(ii) kept for, or obtained in the course of, carrying out social work by a Minister of the Government, a local authority, a health board or a specified voluntary organisation or other body,

may be modified by the regulations in such manner, in such circumstances, subject to such safeguards and to such extent as may be specified therein.

( b) Regulations under paragraph (a) of this subsection shall be made only after consultation with the Minister for Health and any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted and may make different provision in relation to data of different descriptions.

F19 [ (9) The obligations imposed by subsection (1)( a )(iii) (inserted by the Act of 2003) of this section shall be complied with by supplying the data subject with a copy of the information concerned in permanent form unless

( a ) the supply of such a copy is not possible or would involve disproportionate effort, or

( b ) the data subject agrees otherwise.

(10) Where a data controller has previously complied with a request under subsection (1) of this section, the data controller is not obliged to comply with a subsequent identical or similar request under that subsection by the same individual unless, in the opinion of the data controller, a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

(11) In determining for the purposes of subsection (10) of this section whether the reasonable interval specified in that subsection has elapsed, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.

(12) Subsection (1)( a )(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that such provision would adversely affect trade secrets or intellectual property (in particular any copyright protecting computer software).

F19 [ (13) F16 [ ] ]

Annotations:

Amendments:

F15

Substituted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 5(a), S.I. No. 207 of 2003.

F16

Repealed other than for certain excepted purposes (25.05.2018) by Data Protection Act 2018 (7/2018), s. 7(1)(c), (4), S.I. No. 174 of 2018. The excepted purposes in subs. (4) are 7/2018, s. 8(1)(b), (2) and (3). See C-note below.

F17

Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 5(b), S.I. No. 207 of 2003.

F18

Inserted (1.07.2003) by Data Protection (Amendment) Act 2003 (6/2003), s. 5(c), S.I. No. 207 of 2003.

F19

Inserted (18.07.2014) by Data Protection (Amendment) Act 2003 (6/2003), s. 5(d); subs. (13) S.I. No. 338 of 2014.

Modifications (not altering text):

C35

Subss. (2), (4), (6), (13) repealed, but retained (see below) for certain excepted purposes, (25.05.2018) by Data Protection Act 2018 (7/2018), s. 7(1)(c), (4), S.I. No. 174 of 2018. The excepted purposes in subs. (4) are 7/2018, s. 8(1)(b) (the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014) or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (5/2018) to the extent that the Act of 1988 is applied in those Acts) and s. 8(2), (3) (transitional provisions).

(2) Where pursuant to provision made in that behalf under this Act there are separate entries in the register in respect of data kept by a data controller for different purposes, subsection (1) of this section shall apply as if it provided for the making of a separate request and the payment of a separate fee in respect of the data to which each entry relates.

...

(4) Nothing in subsection (1) of this section obliges a data controller to disclose to a data subject personal data relating to another individual unless that other individual has consented to the disclosure:

Provided that, where the circumstances are such that it would be reasonable for the data controller to conclude that, if any particulars identifying that other individual were omitted, the data could then be disclosed as aforesaid without his being thereby identified to the data subject, the data controller shall be obliged to disclose the data to the data subject with the omission of those particulars.

...

(6) ( a) A request by an individual under subsection (1) of this section in relation to the results of an examination at which he was a candidate shall be deemed, for the purposes of this section, to be made on—

(i) the date of the first publication of the results of the examination, or

(ii) the date of the request,

whichever is the later; and paragraph (a) of the said subsection (1) shall be construed and have effect in relation to such a request as if for “40 days” there were substituted “ 60 days”.

( b) In this subsection “ examination” means any process for determining the knowledge, intelligence, skill or ability of a person by reference to his performance in any test, work or other activity.

...

F19 [ (13) ( a ) A person shall not, in connection with

(i)     the recruitment of another person as an employee,

(ii) the continued employment of another person, or

(iii) a contract for the provision of services to him or her by another person,

require that other person

(I)     to make a request under subsection (1) of this section, or

(II) to supply him or her with data relating to that other person obtained as a result of such a request.

( b ) A person who contravenes paragraph ( a ) of this subsection shall be guilty of an offence. ]

C36

Section applied with modifications by Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014), s. 123(1), (2)(d), partially commenced insofar as the 2014 Act, part 12 ch. 4 (which includes s. 123) relates to an Article 7 request within the meaning of that chapter (20.11.2015) by S.I. No. 508 of 2015.

Application of Act of 1988

123. (1) The Act of 1988 shall, with the modifications specified in subsection (2) and any other necessary modifications, apply to the processing of personal data supplied or received pursuant to—

(a) Chapter 2,

(b) Chapter 3, or

(c) an Article 7 request,

and, for the purposes of the foregoing application of the Act of 1988, references in it to that Act or the provisions of that Act shall, unless the context otherwise requires, be construed as including references to—

(i) Chapter 2 or the provisions of that Chapter,

(ii) Chapter 3 or the provisions of that Chapter, and

(iii) Chapter 3 of Part 5 of the Act of 2008 insofar as that Chapter applies to an Article 7 request or the provisions of that Chapter insofar as they apply to such a request.

(2) The modifications of the Act of 1988 referred to in subsection (1) are the following, namely— ...

(d) in section 4, the addition of the following subsection:

“(14) Notwithstanding section 5, this section applies to the processing of personal data supplied or received pursuant to—

(a) Chapter 2 of Part 12 of the Act of 2014,

(b) Chapter 3 of that Part of that Act,

(c) an Article 7 request.”,

...

C37

Application of section extended with modification (27.01.2014) by Credit Reporting Act 2013 (45/2013), s. 19(2), (4), S.I. No. 19 of 2014.

Data protection

19. ...

(2) Sections 2 , 4 and 6 of the Data Protection Act 1988 shall have effect as if—

(a) references to personal data included relevant credit data, and

(b) a person to whom this section applies were a living individual, and sections 9, 10, 12 and 24 to 31 of that Act apply accordingly.

(3) ...

(4) This section applies to any person with an annual turnover of not more than €3,000,000 (and to whom sections 2, 4 and 6 of the Data Protection Act 1988 would not apply apart from this section).

...

C38

Application of section restricted (1.03.2013) by Personal Insolvency Act 2012 (44/2012), s. 186, S.I. No. 63 of 2013.

Restriction of Data Protection Act 1988.

186.— Section 4 (as amended by section 5 of the Data Protection (Amendment) Act 2003) of the Data Protection Act 1988 shall not apply to data processed by—

(a) the Insolvency Service,

(b) an inspector appointed under section 176, or

(c) the Complaints Committee,

in the performance of functions assigned to those persons under this Act in so far as those functions relate to carrying out an investigation under this Part.

C39

Application of section restricted (6.07.2012) by Property Services (Regulation) Act 2011 (40/2011), s. 93, S.I. No. 198 of 2012.

Restriction of Data Protection Act 1988.

93.— Section 4 (as amended by section 5 of the Data Protection (Amendment) Act 2003 ) of the Data Protection Act 1988 shall not apply to data processed by the Authority in the performance of its functions under this Act in so far as those functions relate to carrying out an investigation.

C40

Application of section restricted (18.07.2004) by Commissions of Investigation Act 2004 (23/2004), s. 39, commenced on enactment.

Restriction of Data Protection Act 1988.

39.Section 4 of the Data Protection Act 1988 does not apply to personal data provided to a commission for as long as the data is in the custody of—

( a) the commission,

( b) the specified Minister after being deposited with him or her under section 43(2) ,

( c) a tribunal of inquiry after being made available to it under section 45 , or

( d) a body after being transferred to it on the dissolution of a tribunal of inquiry to which the data was made available under section 45 .

C41

Application of section restricted (16.12.2002) by Residential Institutions Redress Act 2002 (13/2002), s. 30, S.I. No. 520 of 2005.

Restriction of Data Protection Act, 1988.

30.Section 4 of the Data Protection Act, 1988 does not apply to personal data provided to the Board while the data is in the custody of the Board or the Review Committee.

C42

Application of section restricted (23.05.2000, establishment day) by Commission to Inquire into Child Abuse Act 2000 (7/2000), s. 33, S.I. No. 149 of 2000.

Restriction of Data Protection Act. 1988.

33.Section 4 of the Data Protection Act, 1988, does not apply to personal data provided to the Commission or a Committee while the data is in the custody of the Commission or a Committee, or in the case of such data provided to the Confidential Committee, of a body to which it is transferred by the Commission upon the dissolution of the Commission.

C43

Application of section restricted (19.04.1989) by Data Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No. 83 of 1989), reg. 4. Continued in force (25.05.2018) by Data Protection Act 2018 (7/2018), s. 68(3)(a), S.I. No. 174 of 2018, until the first set of regulation are made under s. 60(5)(b) of that Act. Note that s. 68(3)(b) amends these regulations and replaces references to s. 4 with references to the Data Protection Regulation, and s. 68(3)(c) provides for transitional arrangements in relation to requests for social work data.

4. (1) Information constituting social work data shall not be supplied by or on behalf of a data controller to the data subject concerned in response to [a request under Article 15 of the Data Protection Regulation] if it would be likely to cause serious harm to [the physical or mental health or emotional condition of the data subject, but this restriction on providing information applies only to the extent to which, and for as long as, that likelihood pertains.]

(2) Nothing in paragraph (1) of this Regulation excuses a data controller from supplying so much of the information sought by the request as can be supplied without causing the harm referred to in that paragraph.

(3) If the social work data include information supplied to a data controller by an individual (other than an employee or agent of the data controller) while carrying out social work, the data controller shall not supply that information to the data subject [under Article 15 of the Data Protection Regulation] without first consulting that individual.

C44

Application of section restricted (19.04.1989) by Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82 of 1989), regs. 4-6. Continued in force (25.05.2018) by Data Protection Act 2018 (7/2018), s. 68(2)(a), S.I. No 174 of 2018, until the first set of regulations are made under s. 60(5)(a) of that Act. Note that s. 68(2)(b) amends these regulations and replaces references to s. 4 with references to the Data Protection Regulation, and s. 68(2)(c) provides for transitional arrangements in relation to requests for health data.

4. (1) Information constituting health data shall not be supplied by or on behalf of a data controller to the data subject concerned in response to [a request under Article 15 of the Data Protection Regulation] if it would be likely to cause serious harm to [the physical or mental health of the data subject, but this restriction on providing information applies only to the extent to which, and for so long as, that likelihood pertains.]

(2) Nothing in paragraph (1) of this Regulation excuses a data controller from supplying so much of the information sought by the request as can be supplied without causing the harm referred to in that paragraph.

5. (1) A data controller who is not a [health practitioner] shall not—

(a) supply information constituting health data in response to [a request under the said Article 15 of the Data Protection Regulation], ...

(b) withhold any such information on the grounds specified in Regulation 4 (1) of these Regulations,

unless he has first consulted the person who appears to him to be the appropriate [health practitioner].

(2) In this Regulation “the appropriate health professional” means—

( a ) the person who is the registered medical practitioner, [within the meaning of section 2 of the Medical Practitioners Act 2007 or a medical practitioner practising medicine pursuant to section 50 of that Act], currently or most recently responsible for the clinical care of the data subject in connection with the matters to which the information, the subject of the request, relates,

( b ) where there is more than one such person, the person who is the most suitable to advise on those matters,

( c ) where there is no person available falling within either subparagraph (a) or (b) of this paragraph, a health professional who has the necessary experience and qualifications to advise on those matters.

6. [...]

C45

Application of section restricted (19.04.1989) by Data Protection Act 1988 (Restriction of Section 4) Regulations 1989 (S.I. No. 81 of 1989), reg. 3 and sch. Adoption Act 1952 repealed (1.11.2010) by Adoption Act 2010 (21/2010), s. 7(1) and sch. part 1, S.I. No. 511 of 2010; revoked other than for certain excepted purposes (25.05.2018) by Data Protection Act 2018 (7/2018), s. 7(3), (4) and sch. 1 item 3, S.I. No. 174 of 2018. The excepted purposes in subs. (4) are 7/2018, s. 8(1)(b) (the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014) or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (5/2018) to the extent that the Act of 1988 is applied in those Acts) and s. 8(2), (3) (transitional provisions).

3. The prohibition and restrictions on the disclosure, and the authorisations of the withholding, of information contained in the provision of the enactments specified in the Schedule to these Regulations shall prevail in the interests of the data subjects concerned and any other individuals concerned.

SCHEDULE

Section 22 (5) of the Adoption Act, 1952 (No. 25 of 1952).

Section 9 of the Ombudsman Act, 1980 (No. 26 of 1980).

Editorial Notes:

E20

Power pursuant to section exercised (19.04.1989) by Data Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No. 83 of 1989). Continued in force (25.05.2018) by Data Protection Act 2018 (7/2018), s. 68(3)(a), S.I. No. 174 of 2018, until the first set of regulation are made under s. 60(5)(b) of that Act. Note that s. 68(3)(b) amends these regulations and replaces references to s. 4 with references to the Data Protection Regulation, and s. 68(3)(c) provides for transitional arrangements in relation to requests for social work data.

E20

Power pursuant to section exercised (19.04.1989) by Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82 of 1989). Continued in force (25.05.2018) by Data Protection Act 2018 (7/2018), s. 68(2)(a), S.I. No 174 of 2018, until the first set of regulations are made under s. 60(5)(a) of that Act. Note that s. 68(2)(b) amends these regulations and replaces references to s. 4 with references to the Data Protection Regulation, and s. 68(2)(c) provides for transitional arrangements in relation to requests for health data.

E22

Power pursuant to section exercised (16.12.1988) by Data Protection (Fees) Regulations 1988 (S.I. No. 347 of 1988); regs. 5 and 6 revoked (4.04.1990) by Data Protection (Fees) Regulations 1990 (S.I. No. 80 of 1990), reg. 5.