Subject Access Request Guidelines


Print page

Subject Access Requests may be received in any area across the Department. They should be forwarded immediately to Data Access Section, Client Identity Services, Shannon Lodge, Carrick-on-Shannon, Co Leitrim.

Having received a Subject Access Request (SAR) from a person, the following must be carried out:

  1. Determine whether the Department holds data in respect of the individual. If not advise the person accordingly.
  2. If information is held, check that the required fee (currently €6.35) has been received. Verify the identity of the person making the SAR to ensure that it is the person concerned. If the fee has not been received, advise the person that the fee is required and that the request will not be proceeded with until it has been received.
  3. Send the fee to accounts branch and request receipt to be issued.
  4. Check the Department's claim data to establish what areas of the Department may hold records of the person. Prepare check list in relation to records requested.
  5. Contact all identified areas requesting 2 copies of the records to be sent to Data Access area.
  6. Monitor returns (including nil returns), update check list and issue reminders as needed, as records are required to be sent within 40 days.
  7. Check that records returned do not fall into the exceptions or limitations (see DPC note below).
  8. Send records to person, retaining one copy on file.
  9. Note that Subject Access Requests do not apply to deceased persons.

Information from the Data Protection Commissioner's Website:

What must YOU do in response to an access request?

  • Supply the information to the individual within 40 days of receiving the request. Note that, having received the access request, you cannot change or delete the personal data which you hold just because you do not wish the data subject to see it.
  • Provide the information in a form which will be clear to the ordinary person (e.g., any codes must be explained).
  • Ensure that you give personal information only to the individual concerned (or someone acting on his or her behalf and with their authority). For instance, you normally would not provide such information by phone.

If you do not keep any information on computer or in a relevant filing system about the individual making the request you should tell them so within the 40 days.

You are not obliged to refund any fee you may have charged for dealing with the access request should you find you do not, in fact, keep any data. However, the fee must be refunded if you do not comply with the request, or if you have to rectify, supplement or erase the personal data concerned.

Are there exceptions or limitations on the right of access to personal data?

Yes there are. The restrictions upon the right of access fall into five groups:

  • Section 5 of the Data Protection Act provides that the right of access does not apply in a number of cases, in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand, such as the need to investigate crime effectively, and the need to protect the international relations of the State.
  • The right of access to medical data and social workers' data is also restricted in some very limited circumstances, to protect the individual from hearing anything about himself or herself which might cause serious harm to his or her physical or mental health or emotional well-being.
  • The right of access to examination results is modified slightly.
  • The right of access does not include a right to see personal data about another individual, without that other person's consent. This is necessary to protect the privacy rights of the other person. Where personal data consists of expressions of opinion about the data subject by another person, the data subject has a right to that expression of opinion except where that expression of opinion was given in confidence.
  • The obligation to comply with an access request does not apply where it is impossible for the data controller to provide the data or where it involves a disproportionate effort.

Exceptions to the Right of Access

Individuals have a strong right of access to see their personal data. However, section 5 of the Data Protection Acts provides that individuals do not have a right to see information relating to them where any of the following circumstances apply.

  1. If the information is kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing / collecting any taxes or duties: but only in cases where allowing the right of access would be likely to impede any such activities
  2. Comment: It would obviously be unacceptable to allow a criminal suspect to see all of the information kept about him by An Garda Síochána, where this would be likely to impede the effectiveness of the criminal investigation. On the other hand, however, if allowing an individual access to personal information about him or her would not be likely to impede an investigation, then the access request would have to be complied with. (see case study 2/04)
  3. If granting the right of access would be likely to impair the security or the maintenance of good order in a prison or other place of detention
  4. If the information is kept for certain anti-fraud functions: but only in cases where allowing the right of access would be likely to impede any such functions
  5. If granting the right of access would be likely to harm the international relations of the State
  6. If the information concerns an estimate of damages or compensation in respect of a claim against the organisation, where granting the right of access would be likely to harm the interests of the organisation
  7. If the information would be subject to legal professional privilege in court
  8. If the information is kept only for the purpose of statistics or carrying out research, but only where the information is not disclosed to anyone else, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved
  9. If the information is back-up data.
    Comment: It would be unreasonable to expect an organisation to retrieve back-up copies of its personal information in responding to an access request. However, it should be noted that back-up data is not necessarily the same as old or archived data. Such archive data is subject to an individual's right of access in the normal way.

Restrictions on access to medical data and social work data.

The Data Protection (Access Modification) (Health) Regulations, 1989 (S.I. No. 82 of 1989) provide that health data relating to an individual should not be made available to the individual, in response to an access request, if that would be likely to cause serious harm to the physical or mental health of the data subject. A person who is not a health professional should not disclose health data to an individual without first consulting the individual's own doctor, or some other suitably qualified health professional.

Similar provisions apply in respect of social work data. The Data Protection (Access Modification) (Social Work) Regulations, 1989 (S.I. No. 83 of 1989) provide that social work data relating to an individual should not be made available to the individual in response to an access request, if that would be likely to cause serious harm to the physical or mental health or emotional condition of the data subject. The regulations apply to social work carried on by Ministers, local authorities, health boards, or any voluntary or other body that receives public funding for this work.

Information about Other Individuals

Section 4(4) of the Data Protection Act makes special provision for dealing with the personal data of another individual. A data controller is not obliged to comply with an access request if that would result in disclosing data about another individual, unless that other individual has consented to the disclosure. However, the data controller is obliged to disclose so much of the information as can be supplied without identifying the other individual, e.g. by omitting names or other identifying particulars.

Expressions of opinion

Where personal data consists of an expression of opinion about the data subject by another person, the data subject has a right to access that opinion except if that opinion was given in confidence. If the opinion was not given in confidence then the possible identification of the individual who gave it does not exempt it from access.

Examinations Data

Section 4(6) of the Data Protection Act makes special provision for responding to an access request about the results of an examination. "Examination" in this context means any test of knowledge, skill, ability etc., and is therefore not confined to official State examinations. Medical examinations are not covered, though. These special rules

  1. increase the time limit for responding to an access request from 40 days to 60 days, and
  2. deem an access request to be made at the date of the first publication of the examination results or at the date of the request, whichever is the later.

Disproportionate effort

Section 4(9) provides that the obligation on a data controller to comply with an access request, should normally be met by supplying a copy in permanent form, unless the supply of such a copy is not possible or would involve disproportionate effort.

Repeated Access Requests

If a data controller has complied with an access request he does not have to comply with an identical or similar request unless a reasonable interval has elapsed

Frequently asked questions on Data Protection (from the DPC's website).

2.1 How can I see what information a body or company holds about me?

Under section 4 of the Data Protection Acts, 1988 and 2003, you have a right to obtain a copy, clearly explained, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation. All you need to do is write to the organisation or entity concerned and ask for it under the Data Protection Acts.
Your request could read as follows:

Dear ...
I wish to make an access request under Section 4 of the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form in relation to (fill in as much information as possible to assist the organisations to locate the data that you are interested in accessing e.g. customer account number, staff number, or PPS number (if you are writing to a public sector organisation such as the Revenue Commissioners or the Department of Social Protection).

When requesting some types of record, such as credit history or Garda records, it may also be useful to provide a list of previous addresses, previous names and your date of birth. You may be asked to pay a fee, but this cannot exceed €6.35.

Once you have made your request, and paid any appropriate fee, you must be given the information within 40 days (most organisations manage to reply much sooner).

2.2 How long does an organisation have to respond to my access request?

According to the Act, an access request must be responded to within 40 days from the date you make the access request. Until 40 days are up, we cannot investigate this matter. If you receive no reply or are unhappy with the response, at that stage you can submit a complaint to this office.

2.3 Are there any exceptions to the right of access?

Yes. Sections 4 & 5 of the Data Protection Acts set out a small number of circumstances in which your right to see your personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand.

For example, a criminal suspect does not have a right to see the information held about him by An Garda Síochána, where that would impede a criminal investigation. Similarly, you do not have a right to see communications between a lawyer and his or her client, where that communication would be subject to legal privilege in court.

The right of access to medical data and social workers' data is also restricted in some very limited circumstances, where the health and mental well-being of the individual might be affected by obtaining access to the data.

Your right to obtain access to examination results and to see information relating to other people is also curtailed. Further details on all of these points can be obtained by clicking on the link below.

Exceptions to the right of access

2.4 What if an organisation refuses to respond to my access request?

If an organisation does not comply with a valid access request that you have made, it is open to you to make a complaint to the Data Protection Commissioner.

Before doing so it is recommended that you contact the organisation in question to establish the circumstances and to indicate your intention to complain to this Office. They may be in a position to apologise and correct the problem there and then. We find that this can work well as an organisation once contacted by ourselves will often go through a formal process and actually slow down the resolution of your complaint.

If you are not satisfied with the organisation's response, or if you do not receive a response, at that point you should make a formal complaint to this office. The Commissioner will investigate the matter for you and ensure that your rights are fully upheld. The Commissioner has wide powers to investigate complaints made to him and will take appropriate action against any persons or organisations that are not complying with the provisions of the Acts.

2.5 Can anyone else make an access request on my behalf?

The right of access under Section 4 of the Data Protection Acts applies to a person's own personal data. Normally, an access request should be made by the person whose personal data it is. But it would also be reasonable to comply with an access request submitted on a person's behalf by a solicitor or, in the case of a child, by a parent or guardian.

It would be important in such a case that the data controller be satisfied that the person was genuinely acting on behalf of, and in the best interests of, the person whose data was being requested.

2.6 What are my rights in relation to accessing account information held in my husband/wife's name?

This can be a complex area and depends on the policy of the entities in question and any preferences that the individual(s) involved may have expressed. However, from a data protection perspective, any entity with a policy of transacting business with the named a/c holder only is perfectly entitled to adopt that approach. In fact, such a policy would be prudent as the revealing of account information to a spouse or former spouse will in most situations constitute a breach of the Data Protection Acts if undertaken without the consent of the other spouse or former spouse.

2.7 How can I get my credit rating/credit history?

The Irish Credit Bureau (ICB), on behalf of financial institutions, maintains a central record of repayments made on loans, whether mortgages or personal, and credit cards. This repayment history can also be used to generate a Credit Bureau Score (CBS) - a number which summarises your Credit Report at a particular point in time.

Your credit history and score may be accessed by member financial institutions of the ICB if you apply for a loan or other credit facility. The number of times your record is accessed may be disclosed, however, the details of the members who accessed it will not be disclosed.

To get a copy of your credit history, apply online at www.icb.ie. You can also print out a copy of an application form at www.icb.ie. Finally you can contact the Irish Credit Bureau (01 -2600388) leave your details on their voice machine and they will send out an application for you to complete and return. Once you do this they will send out a copy of your credit history. You will be asked to pay a standard fee for access to your personal data of €6.

2.8 What rights have I to access the script of an exam I undertook?

Section 4(6)(a) of the Data Protection Acts provides a right to request the results of an examination at which a person was a candidate 60 days after the date of the first publication of the results of the examination.

This does not automatically extend to the scripts that were submitted for the exam. Access to such material would have to be considered weighing up whether it could be considered to be personal data. In such a context, a psychometric or IQ test would likely contain more information relating to the person that undertook it than say a test of general knowledge.

2.9 Can I access my medical records under the Data Protection Acts?

The right to access your personal data is a basic right and applies by law regardless of the type of body or entity which is holding your personal data. Accordingly you have a basic right to access your personal data held by a doctor, hospital, consultant treating you in a private capacity etc. In response to such a request you should receive anything held on file or computer by the health professional or facility that relates to you or from which you can be identified. This would include any manuscript notes kept that relate to you.

The only variation on this requirement is where in the opinion of the health professional or facility the release to you of the information could potentially be damaging to your physical or mental health it should then be made available to your GP who will then talk you through it. This is a variation in the right of access that should only be applied in the rare circumstances envisaged.

As the Acts only require that a "copy" of information be supplied, a photocopy of an x-ray/scan would amount to a reproduction of the original and so its supply in photocopy form would meet the requirements of Section 4.

2.10 Can I access information containing in school roll books/parish registers as part of a genealogy project?

The provisions of the Data Protection Acts 1988 & 2003 only apply to the personal information of living individuals. If it could be reasonably assumed that the individuals named in these books/registers are now deceased, there would be no data protection issue. However any access to or use of data of living individuals needs to have a legitimate basis. For example the consent of the individuals would be needed before any access to their information could take place.

2.11 How can I access information held by An Garda Síochána?

You can make an access request pursuant to Section 4 of the Data Protection Acts 1988 and 2003 for a copy of all information held about you to An Garda Síochána Vetting Unit (Racecourse Road, Thurles, Co. Tipperary). The Vetting Unit then have 40 days to provide a copy of any information held about you. The organisation can charge a maximum fee of €6

2.12 Under the Data Protection Acts, is an individual entitled to the return of their original documents from an organisation?

Under section 4 of the Data Protection Acts, an individual is entitled, upon making a written request to an organisation, to obtain the following:

  1. a copy of the personal data,
  2. a description of the purposes for which it is held,
  3. a description of those to whom the data may be disclosed, and
  4. the source of the data unless this would be contrary to public interest.

Accordingly, the Acts provide that the individual is only entitled to a copy of the personal data that is held by the organisation and is not entitled, under the Data Protection Acts, to the return of the original documents.

2.13 Should back-up data be considered as part of an access request?

Back-up data are data kept only for the limited purpose of replacing other data in the event of their being lost, destroyed or damaged. Data kept for any other purpose, such as archive data, would not be considered back-up data. As back-up data are meant to be only copies of "live" data, they are not subject to the same strict rules as "live" data. They are not considered to be subject to an access request made pursuant to Section 4 of the Data Protection Acts. However, in a situation where only the back-up data remains, this would be subject to the full requirements of the Acts - including providing copies in response to an access request.

2.14 What can I do if I find that personal data held about me is incorrect?

If you discover that information kept about you by a data controller is factually inaccurate, you have a right to have that information rectified or, in some cases you may also have the information erased. This right may also be met by the appending of a statement from you relating to the matters which are deemed inaccurate.

Additionally, if the entity keeping the personal data has no good reason to hold it, i.e. it is irrelevant or excessive for the purpose, or if the information has not been obtained fairly, you can have the information rectified or erased.

You can exercise your rights in this area by simply writing to the entity keeping your data specifying your views which must comply or indicate why it will not do so within 40 days.

2.15 Can I request to have my baptismal records deleted?

The Data Protection Acts provide individuals with rights to request that factually inaccurate data that is held about them be corrected. As a baptismal record is a factually accurate record of a ceremony that took place on a certain date, there is no right under the Data Protection Acts to alter or delete the record.

2.16 Can I access/amend information in relation to a deceased relative?

The rights to access/amend under the Data Protection Acts only apply to the personal data of living individuals. There is no right to access/amend the information of deceased persons. A particular data controller, for reasons of goodwill, may choose upon request to supply data relating to a deceased person to a relative.

Last modified:06/10/2014