Data Access is a Right

The Right of Access (also known as subject access) to personal data is enshrined as a fundamental right in Article 8 of the EU Charter of Fundamental Rights. According to the doctrine of ‘primacy of EU law’, EU law takes precedence over any conflicting Irish law. The EU General Data Protection Regulation (GDPR) requires implementation in Ireland of the Right of Access, along with other rights relating to personal data.

The Right of Access under Article 15 GDPR gives individuals, like you, the right to obtain a copy of your personal data (including school records, medical records, transcripts of testimony and redress records, for example). ‘Personal data’ is defined in Article 4 GDPR as:

…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

According to Article 15 GDPR, any person or institution in control of your personal data also has to provide you with the following relevant information

  • Confirmation of whether or not they have your personal data;
  • If they do, to provide you with a copy of your personal data electronically – as well as information on:
    • Why they have it; 
    • What categories of personal data they have; 
    • Who else within the organisation, or third parties, has accessed it, or may access it in the  future; 
    • How long they plan on keeping your data;
    • How they got your data;  
    • The fact you’re entitled to have your data fixed or deleted as requested; and
    • The fact you’re able to raise a concern with the Data Protection Commissioner if you are not happy with their response. 

The Right of Access may be subject to exceptions, but only if those exceptions are strictly in compliance with the GDPR, are actually necessary to achieve a legitimate aim, and strike a proportionate balance between competing interests. If a data controller wishes to refuse your access to your own personal data based on the ‘rights and freedoms of others’, for example, they must be able to demonstrate clearly the harm that would be caused to somebody else by the release of your own data to you, and why that outweighs your interests in receiving your personal data. The GDPR does not provide rights to deceased individuals.

St Josephs’s Industrial school in Artane, Dublin, was run by the Christian Brothers from 1870 to 1969. Between. 1869 and 1969, 105,000 Irish children were committed to industrial schools. Photograph: Getty Images

Unfortunately, it appears that in recent years, survivors of so-called ‘historical’ abuses in Ireland are finding it increasingly difficult to access their own information, including the records of testimony that they contributed to State inquiries or redress processes. 

Several agencies and individuals that control survivors’ files seem to be redacting more information than previously: for example, redacting any information relating to another person whether the other person is a state official, a member of a religious congregation or otherwise in a position of authority, or a parent or other family member of the person requesting their data, whether deceased or alive. 

Furthermore, in 2019 the Department of Education published draft legislation (the Retention of Records Bill 2019) which – if passed – would prohibit all access to every document contained in the archives of the Commission to Inquire into Child Abuse and the Residential Institutions Redress Board and its Review Committee for at least the next 75 years. The written submissions of numerous survivors, practitioners and academics resisting this proposed legislation are available online.

The GDPR enshrines strong data access rights for individuals. It can be a powerful tool in helping people gain access to their personal data by making a ‘data subject access request’ and a follow-up complaint to the Data Protection Commission if necessary. 

If you have been thinking about searching for your information, or if you have been experiencing difficulties obtaining your information: now is the time to start using the GDPR.

On this site, you will learn how to make a data access request, as well as how to make raise a concern with the Data Protection Commissioner if you are not happy with the response to your request.