Section 3 and Section 4 Access Requests

Under Section 3 of the Data Protection Acts, an individual has the right to be informed whether a school/ETB holds data/information about them, and to be given a description of the data together with details of the purposes for which their data is being kept.  The individual must make this request in writing and the data controller (i.e. the school/ETB) should comply with the request within 21 days. The individual is not entitled to request an actual copy of the data under section 3. There is no provision for charging a fee under a Section 3 access request. 

Under Section 4, individuals/data subjects are entitled to a copy of their personal data on written request.  They are entitled to the following:

  1. To receive information as to whether data processed by or on behalf of the school/ETB includes personal data relating to him/her within 40 days.
  2. If the school/ETB is processing the individual’s personal data, then s/he is entitled to a description of:
    1. the categories of data being processed
    2. the personal data constituting the data of which that person is the subject
    3. the purpose for processing
    4. the recipients/categories of recipients to whom the data is or may be disclosed.
  3. The individual is entitled to receive, in intelligible form (i.e. any codes or abbreviations explained), the information constituting any personal data of which that individual is the data subject, and any information known or available to the data controller as to the source of that data, unless the communication is contrary to public interest.
  4. Restrictions/exemptions under Section 4 (and 5 of the DP Acts):  There are some restrictions on the application of Section 4 and the right of an individual to have access to their personal data held by a school/ETB.  The main restrictions are set out in Sections 4 and 5 of the Acts.  The main exemptions are where:
    • the data is held for the purpose of preventing, investigating or detecting an offence, assessing or collecting tax and that the disclosure could prejudice any of those matters. Note: schools/ETBs must note that this exemption is generally considered to be reserved for State agencies (An Garda Síochána, the Revenue Commissioners etc.), and is generally considered not be available to a school/ETB
    • the data identifies another individual (i.e., not the person making the data access request), and it is not possible to redact or omit the particulars identifying that other person from the data This is necessary to protect the privacy rights to the other person.
    • the data contains an expression of opinion about the data subject by a third party and that third party gave the information to the data controller in confidence, on the understanding that it would be treated as confidential. Note: a very high threshold of confidentiality would need to be reached to rely on this.   The Office of the Data Protection Commissioner has advised that this ground will be very narrowly interpreted
    • where the data would be covered by a claim of legal professional privilege e.g.. communications between the school/ETB and its solicitors in relation to a case section 5(g) states section
      4 does not apply to data “in respect of which a claim of privileged could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisors or between those advisors”.  So, correspondence between the school/ETB and their solicitors in relation to a case against the school/ETB does not have to be disclosed pursuant to a data access request. 
    • the supply of the data is not possible or would involve disproportionate effort on the part of the data controller Note: a very high threshold of proof would be required to rely on this

    • the data contains an estimate of the amount of the liability of the school/ETB on foot of a claim for damages or compensation in any case where releasing the information would be likely to prejudice the school/ETB in relation to the claim.

    • The right of access to medical data (personal data relating to the physical or mental health of the individual) and social work data (personal data kept for or obtained in the course of carrying out social work by a Government department, local authority, the HSE,Tusla etc.) is also restricted in some circumstances. In the case of health data, the information can only be released after the school/ETB has consulted with the appropriate health professional (usually the data subject’s GP). In the case of social work data, if it includes information supplied to the school/ETB by an individual (other than one of the school's/ETB’s employees or agents) while carrying out social work, the school/ETB is not permitted to supply that information to the data subject without first consulting that individual who supplied the information.

    • Special Note re Access to Examinations Results Held: Some restrictions exist with respect to Section 4 of the Acts and the right of an individual to have access to exam results where s/he is a candidate.  There is an increased time limit for responding to an access request from 40 days to 60 days and an access request is deemed to be made at the date of the first publication of the results or at the date of the request, whichever is the later.

Note: The obligation to comply with an access request does not apply where it is impossible for the school/ETB to provide the data or where it involves a disproportionate effort. A very high threshold of proof would be required to rely on this.

Note re Automated Data, Manual Data and “relevant filing systems”: Schools/ETBs should note that electronic or automated data does not have to come within a “relevant filing system” for it to come under the terms of the DPAs. All automated/electronic data comes within the terms of the Data Proetction Acts. However, schools/ETBs should consider whether their manual files constitute a “relevant filing system”.  Manual data held by the school which does not come within the definition of a “relevant filing system” may not come within the terms of the DPAs. In order to come within the terms of a “relevant filing system”, the manual files must be structured by reference to individuals and/or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.  A clear example of a relevant filing system is a manual set of employee personnel files held in the principal’s office which are filed alphabetically and are easily and readily accessible. However, Schools should note that it is not acceptable for personal data to be retrievable by a school for its own use but not accessible to the individual under a section 4 request for the reason that it did not need the rest of the student’s file.

Refusals

Where a school/ETB refuses to hand over some or all of the personal data they hold in relation to a data subject (on the basis of any of the exemptions or prohibitions set out above), the school/ETB must advise the data subject of this in writing, setting out reasons for the refusal and expressly notifying the data subject that he or she has the right to complain to the Office of the Data Protection Commissioner about the refusal.  

Does a school/ETB obliged to comply with a subsequent/identical request by same person? If the school/ETB as data controller complies with a data access request, then the school/ETB is not obliged to comply with a subsequent identical or similar request by the same individual unless, in the opinion of the school/ETB, a reasonable interval has elapsed between compliance with the previous request and the current access request. The school/ETB has to ascertain what constitutes a reasonable interval and this should be assessed on a case-by-case basis, having regard to the nature of the data, the frequency with which the data is altered etc school/ETB as data controller complies with a data access request, then the school/ETB is not obliged to comply with a subsequent identical or similar request by the same individual unless, in the opinion of the school/ETB, a reasonable interval has elapsed between compliance with the previous request and the current access request. The school/ETB has to ascertain what constitutes a reasonable interval and this should be assessed on a case-by-case basis, having regard to the nature of the data, the frequency with which the data is altered etc.

It should be noted that an access request does not need to specifically refer to the Data Protection Acts in order to be valid.  When a school/ETB receives a written request from an individual requesting access under section 4, the school/ETB as data controller must comply with all access requests within 40 days. A reasonable administration fee may be charged by schools/ETBs as data controllers but this cannot exceed €6.35 for dealing with access requests.  Individuals may also request that the school/ETB rectify incorrect information maintained or delete excessive data or delete data gathered in breach of the Data Protection Acts.

Summary: Section 4 access request

Individuals are entitled to a copy of their personal data on written request.

  • The individual is entitled to a copy of their personal data (subject to some exemptions and prohibitions outlined above)
  • Request must be responded to within 40 days
  • Fee may apply but cannot exceed €6.35
    • Note: a very high threshold of proof would be required to rely on this