Access Requests
Standard Operating Procedure
Table of Contents
A. Document control
B. Introduction
  1. Key definitions
C. Part 1 - Legislation
  1. Provisions
  2. Parameters
D. Part 2 - Case Management
  1. OneTrust
  2. Intake
  3. Request-handling
E. Part 3 - Request Stages
  1. Confirmation
  2. Retrieval
  3. Scheduling
  4. Redaction
  5. Review
  6. Preparation
  7. Release
  8. Post-release
  9. Closure
F. Part 4 - Restriction Guidance
  1. Introduction
  2. Restrictions in the GDPR
  3. Restrictions in the 2018 Act
  4. Restrictions in SI 82 of 1989
  5. Restrictions in SI 83 of 1989
G. Appendix 1
  1. Consultation
A. Document control
1. Owner: Data Subject Requests Lead, Data Protection Unit (DPU)
2. Reviewer: Data Protection Officer
3. Approver: Operations General Manager, DPU
Communicate any observations, queries, or concerns you have about this document to the owner.
4. Version | 5. Location | 6. Approved | 7. Approver | 8. Published | 9. Update(s)
1.0 | Link | 28/01/20 | RD | 30/01/20 | First published.
2.0 | Link | 16/04/21 | JP | 22/04/21 | Substantive revision.
2.1 | Link | 25/08/21 | SOR | 26/08/21 | Stage 3, Stage 5, part 4, appendices.
2.2 | Link | 27/08/21 | SOR | 27/08/21 | Style, corrections.
All updates must be noted and explained above.
Revisions must be reviewed and approved.
10. Review: 27/08/2022
11. Action: The owner will review and, if necessary, update this document.
B. Introduction
The Child and Family Agency processes personal data in order to carry out the functions assigned by the Child and Family Agency Act 20131 and other legislation.2 Individuals whose personal data Tusla processes may exercise their General Data Protection Regulation (GDPR)3 rights and seek:
access;4
rectification and/or completion;5
erasure;6
restriction of processing;7
data portability;8
to object,9 and;
not to be subject to automated individual decision-making.10
These rights may be given further effect, or be restricted, by Irish data protection law. In order to
facilitate requesters’ exercise of their rights to the greatest extent possible, all requests must be
carefully considered. This document sets out:
1. a step-by-step procedure for access request-handling, and;
2. guidance on the application of relevant data protection law.
1. Key definitions
The GDPR assigns specific meanings to certain terms:
‘personal data’ is any information relating to an identified or identifiable natural person.11
an ‘identifiable natural person’ is one who can be directly or indirectly identified, in particular
by reference to an identifier, e.g.:
o a name;
o an identification number;
o location data;
o an online identifier, or;
o specific physical, physiological, genetic, mental, economic, cultural or social factors.12
‘processing’ is any operation – including storage – performed on personal data.13
1 Child and Family Agency Act 2013, section 8
2 See here for more.
3 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L119/1
4 GDPR, art 15
5 GDPR, art 16
6 GDPR, art 17
7 GDPR, art 18
8 GDPR, art 20
9 GDPR, art 21
10 GDPR, art 22
11 GDPR, art 4(1)
12 ibid
13 GDPR, art 4(2)
C. Part 1 - Legislation
1. Provisions
Charter of Fundamental Rights of the European Union (the ‘Charter’):
Provides that everyone has the right of access to data which has been collected concerning him or her.14
GDPR:
Provides that the requester has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and access to the personal data and information about the:
1. processing’s purposes;
2. categories of personal data processed;
3. recipients or categories of recipient to whom personal data
were, are, or will be disclosed;
4. retention period, where possible, or the criteria used to
determine that period if not possible;
5. existence of the rights to rectification, erasure, restriction of
processing, and the right to object;
6. right to complain to the Data Protection Commission (DPC);
7. personal data’s source, if not collected from the requester, and;
8. existence of automated decision-making, including profiling, as
well as meaningful information about the logic, significance,
and envisaged consequences of such processing.15
Provides that where personal data are transferred to a third country or
to an international organisation, the requester shall have the right to
be informed of the appropriate safeguards relating to the transfer.16
Provides that the controller shall provide a copy of personal data
undergoing processing. For any further copies requested, the
controller may charge a reasonable fee based on administrative costs.
Where the request is made by electronic means, and unless otherwise
requested, information shall be provided in a commonly used
electronic form.17
Provides that the right to obtain a copy of personal data shall not
adversely affect others’ rights and freedoms.18
Data Protection Act 2018 (the ‘2018 Act’):
Provides for restriction of the right to access in certain circumstances.
Provides, in Irish law, for data protection rights and obligations –
including the right to access – as they relate to processing in-scope of
the Law Enforcement Directive.19,20
Data Protection (Access Modification) (Health) Regulations 1989 (‘SI 82 of 1989’):
Provides for restriction of the right to access in certain circumstances.
14 Charter, art 8(2)
15 GDPR, art 15(1)
16 GDPR, art 15(2)
17 GDPR, art 15(3)
18 GDPR, art 15(4)
19 Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016] OJ L 119/89
20 2018 Act, ss 69-104 and 118-128
Data Protection (Access Modification) (Social Work) Regulations 1989 (‘SI 83 of 1989’):
Provides for restriction of the right to access in certain circumstances.
2. Parameters
The GDPR establishes certain parameters for request-handling,
requiring that:
communication is concise, transparent, intelligible, accessible, and uses plain language;22
o this is the case, in particular, for information addressed to
a child;23
information is provided in writing or by other means;24
requests not be refused unless the requester is demonstrably
unidentifiable;25
information on action taken is provided to the requester within
one month;26,27
o taking into account the complexity and number of
requests, this period may be extended by two months.28
However, the extension and its cause(s) must be
communicated to the requester within one month;29
if no action will be taken, the requester is informed within one
month and advised of their right to lodge a complaint and/or
seek a judicial remedy;30
generally, no fee may be levied, but, if requests are manifestly
unfounded or excessive:
o a reasonable fee may be charged, or;
o the request may be refused, provided;
o the request’s unfounded or excessive character is demonstrated;31
if doubts arise as to a requester’s identity, additional
information may be requested.32
21 CC parameter by priyanka from the noun project
22 GDPR, art 12(1)
23 ibid
24 ibid
25 GDPR, art 12(2)
26 GDPR, art 12(3)
27 One month is regarded as 30 days, commencing on receipt of the valid request
28 Three months is regarded as 90 days, commencing on receipt of the valid request
29 ibid 27
30 ibid
31 GDPR, art 12(5)
32 GDPR, art 12(6)
D. Part 2 - Case Management
1. OneTrust
i. Login
Tusla uses OneTrust to manage the end-to-end handling of data
subject requests.33 Contact the Privacy Network Manager if a OneTrust
account is required. To access OneTrust, use:
‘Google Chrome’;
‘Microsoft Edge’, or;
‘Mozilla Firefox’.
Do not use ‘Internet Explorer’.
To login:
Navigate to the login page;
Enter the email address associated with your account, and;
Enter your password.
OneTrust will display the modules to which access is permitted:
Select ‘Data Subject Requests’.
ii. Navigation
Three navigation panes are used within OneTrust.
Depending on the specific role(s) assigned to you, these panes may differ slightly.
The top navigation pane (from left to right) allows you to:
1. move between modules;
2. view alerts;
3. view the organisation;
4. view your profile, and;
5. access help and tips.
The left navigation pane (from top to bottom) allows you to:
1. view the dashboard, and;
2. access the request register.
The register navigation pane (from left to right) allows you to:
1. create requests;
2. search requests;
3. modify columns;
4. refresh the register, and;
5. filter requests.
33 OneTrust, ‘About Us’ (OneTrust, 2021) <https://www.onetrust.com/company/about-us/> accessed 16 August 2021
To modify columns:
select the column tool;
use the arrow buttons to move a column to or from ‘Active’,
and;
select ‘Save’.
To filter requests:
select the filter tool;
select ‘Add filter’;
select the desired field;
set the desired properties;
select ‘Save’, and;
select ‘Apply’.
iii. The dashboard
When the data subject requests module is opened, the ‘Dashboard’
displays. The dashboard presents metrics relating to open requests.
iv. The register
The register, which can be filtered to display specific cases, lists
requests made to Tusla and is accessible via the left-hand navigation
pane.
2. Intake
i. The portal
Most requests are made via Tusla’s portal, which collects information
needed for request-handling. Portal requests will be assigned to the
relevant region, with an email notification sent to:
[email protected] for requests concerning:
o adoption services.
[email protected] for requests concerning:
o Dublin South Central;
o Dublin South East & Wicklow;
o Dublin South West, Kildare & West Wicklow, and;
o Midlands.
[email protected] for requests concerning:
o Cavan & Monaghan;
o Dublin North City;
o Louth & Meath, and;
o North Dublin.
[email protected] for requests concerning:
o Donegal;
o Galway & Roscommon;
o Mayo;
o Mid West, and;
o Sligo, Leitrim & West Cavan.
[email protected] for requests concerning:
o Carlow, Kilkenny & South Tipperary;
o Cork;
o Kerry, and;
o Waterford & Wexford.
[email protected] for:
o requests concerning other services.
ii. Other channels
The GDPR does not require that a request be made in any particular
way. If a request is otherwise received, e.g. by email, post, etc., it must
be recorded via the portal. To record a request:
select ‘Create Request’ in the register navigation pane;
a dialog box will appear;
select ‘Intake - DSRs’, and;
input the necessary information.
3. Request-handling
i. Navigation
When a request is opened, associated information will appear on-
screen. The information displayed depends on the workflow.
In the left-hand pane appear the request’s:
workflow;
owner (approver);
organisation;
submission date;
extension status;
due date;
resolution status, and;
source.
An open request displays its basic details.
Select ‘Show More’ to see all details - the information displayed is
that submitted by the requester.
High-level guidance on the request’s current stage displays below
the request details.
ii. Assignment
Email notifications advising that a request has been received are
sent to the relevant mailboxes. Requests must be assigned to an
individual Privacy Officer for handling.
To assign a request:
open the relevant request;
select ‘Approver’ in the left-hand pane;
choose the relevant Privacy Officer;
briefly summarise your action, and;
select ‘Assign’.
iii. Modification
When a request is opened, certain of its properties may be
modified. Requests’ properties should be modified only when
strictly necessary.
In the top navigation pane appear:
1. the request’s reference number;
2. stage, and;
3. a selector.
The top pane selector enables:
1. extension;
2. closure;
3. editing, or;
4. workflow modification.
The ‘Extend’ function:
issues an email to the requester, but;
is not currently in use;
see guidance below at Scheduling for further information.
The ‘Close’ function:
sets a request’s stage to ‘Closed’;
see guidance below at Closure for further information.
The ‘Edit’ function:
enables modification of responses submitted via the portal;
see guidance below at Preparation for further
information.
The ‘Change Workflow’ function:
enables modification of the workflow to which a request is
assigned, but;
is not currently in use.
‘Subtasks’ are used to track events that may occur during request-
handling. Their status is displayed in the ‘Subtasks’ tab. To modify
a subtask’s status:
select the relevant subtask;
select ‘Mark as In Progress’, ‘Mark as Complete’, or ‘Mark
as Rejected’ from the dropdown list;
A dialog box will appear:
briefly summarise your action;
if required, add an attachment, and;
select ‘Mark as…’.
‘Activity’ permits the posting of comments concerning the request;
‘DSAR File Upload’ users may also use this function to
upload files that are too large (i.e. over ten megabytes) to be
transmitted by email; see Retrieval for more.
‘History’ records modifications made to requests.
iv. Logging
Copies of documents, e.g. emails, letters, etc., must be logged:
create a folder titled Firstname Lastname – Reference;
structure using the file setup template, and;
log correspondence and documents as they are received.
Contact the Privacy Network Manager if drive access is required.
Always ensure that copies of documentation and correspondence
associated with request-handling are logged in the relevant folder.
v. Tracking
A request’s status is tracked by assignment to a specific stage in
OneTrust. Always ensure that the stage assigned accurately reflects
the request’s progress.
vi. Passwords
In certain circumstances, e.g. transmission or storage, password
protection may be required. When password protecting files:
choose a secure password (length is preferable to
complexity);
securely log a copy of the password protected file;
securely log a copy of the password-free file, separately if
necessary, and;
securely log a copy of the password, separately if necessary.
E. Part 3 - Request Stages
1. Confirmation
i. All requests
Noting the GDPR’s parameters for request-handling and the highly sensitive nature of the personal data Tusla processes, the portal advises requesters that action cannot be taken on a request unless their identity is confirmed.
34 Password by scott dunlap from the noun project
The portal facilitates provision of certified identity documentation.
The requester’s identity may be confirmed by provision of:
identification, e.g. a copy of a Driver’s License, Passport, or
Public Services Card, which is certified by a member of a
regulated, relevant, profession, e.g. a member of An Garda
Síochána, a general practitioner, or solicitor, or;
correspondence from a member of a regulated, relevant,
profession affirming the requester’s identity.
In order to progress the handling of requests, certain information is
required. The portal captures the details of the requester’s
relationship with the Agency to facilitate retrieval of records falling
within the request’s scope. If:
further information is needed, contact the requester;
certified ID was not provided, contact the requester.
If, 30 days after contacting the requester:
insufficient information was provided, refuse and close;
the requester’s identity can’t be confirmed, refuse and close.
A requester may seek specific personal data, e.g. in an individual
document, or all personal data relating to them. Always read, in
detail, the specific request submitted. If a request’s scope
encompasses a large volume of records, ask the requester if they
wish to prioritise retrieval of specific personal data.38
Bear in mind, however, that the requester cannot be required to
alter their request’s scope.
ii. Children’s right to access
A child40 may exercise their right to access. In some cases, a
guardian might help them. As regards guardianship, the child’s:
mother and father are guardians if they were married when
the child was born;41
parents are guardians if they are a married same-sex couple
who have jointly adopted the child;42
mother is the automatic guardian if the child was born
outside marriage;43
father is a guardian if he:
o and the child’s mother make a guardianship declaration;44
o and the child’s mother aren’t married, but have cohabited for 12 months, 3 of which were after the child’s birth;45
o is the subject of a Court order appointing him as guardian;46
o marries the child’s mother after the child’s birth and is named on the child’s birth certificate;47
guardian may have been appointed by a Court order.48
35 Name card by nibras@design from the noun project
36 CC information by selicon from the noun project
37 CC scope by dinosoftlab from the noun project
38 GDPR, rec 63 and Data Protection Commission, ‘Access and Portability’ (dataprotection.ie) <https://www.dataprotection.ie/en/organisations/know-your-obligations/access-and-portability> accessed 20 August 2021
40 2018 Act, s 29 defines a child as “a person under the age of 18 years”
41 Guardianship of Infants Act 1964, ss 6(1)(a), 6(2), 6(3), and 6(4)
42 Guardianship of Infants Act 1964, s 6(1)(b), 6(3B)
43 Guardianship of Infants Act 1964, s 6(4)
If a request concerns a child’s personal data:
confirm that the requester is the child’s guardian before
proceeding;
consult with a Social Worker to identify if a care order is in
place. If:
o a care order49 is in place, a guardian cannot exercise on
their child’s behalf;
o a voluntary,50 emergency,51 or interim52 care order is in
place, a guardian may exercise on their child’s behalf.
If guardianship cannot be verified, refuse the request as it relates to the child. Tusla employees are required to consider the best interests of the child in all matters.53 If necessary, consult with a Social Worker.
iii. Subtasks
Mark as complete subtask:
1. if the requester’s identity cannot be confirmed;
2. if the requester supplied insufficient information;
3. if the requester’s guardianship of the child cannot be
confirmed;
4. if the requester lodges a complaint with the DPC, and/or;
5. if the requester seeks a judicial remedy.
39 CC parenting by chinnaking from the noun project
44 Guardianship of Infants Act 1964, s 2(4) and SI 210 of 2020
45 Guardianship of Infants Act 1964, s 2(4A)
46 Guardianship of Infants Act 1964, s 6A
47 ibid 38
48 Guardianship of Infants Act 1964, s 6C and 6E
49 Child Care Act 1991, s 18
50 Child Care Act 1991, s 4
51 Child Care Act 1991, s 13
52 Child Care Act 1991, s 17
53 Child and Family Agency Act 2013, s 9(1)
2. Retrieval
i. The search document
Privacy Officers do not hold records relating to Tusla’s delivery of
services. Contact the likely record holder to retrieve records falling
within the request’s scope. To do so:
Send a search document to record holders to retrieve
records falling within the request’s scope.
o To comply with the GDPR’s timeline, records must be
returned within one week of the document’s issue.
A completed document must always be returned, even if no
records are identified.
o If the record holder does not engage, escalate the
matter to your line manager for urgent follow-up.
The search document is intended to ensure that all records falling
within the request’s scope are retrieved and facilitates collection of
information relating to the requester and associated persons’
individual circumstances which is required for request-handling.
ii. Secure transmission
Retrieved records must be transmitted securely:
Use password protected .zip files to send files of less than
ten megabytes via email. To create a password protected
.zip file:
o ensure ‘7-zip’ is installed;
o right-click the relevant file;
o select ‘7-zip’, then ‘Add to archive…’;
o choose the settings indicated;
o enter a secure password;
o Select ‘OK’;
Always log a copy of the original file, password protected
file, and password.
Ensure the password is communicated only to the intended
recipient(s).
Larger files may be uploaded via OneTrust. If the record
holder requires OneTrust DSAR File Upload access, contact
the Privacy Network Manager.
iii. Subtasks
Mark as complete subtask:
1. if no records are identifiable;
2. if less than 750 pages are retrieved;
3. if more than 750, but less than 1,500 pages are retrieved, or;
4. if over 3,000 pages are retrieved.
3. Scheduling
i. Storage
Retrieved records must be logged. Save:
all retrieved records, search documents, and associated
correspondence under ‘1. Returned’.
a working copy of the records under ‘2 Scheduled’.
ii. Out-of-scope records and duplicates
Examine the working copy to identify and remove out-of-scope
records and duplicates:
out-of-scope records may include those comprising only
non-personal data, e.g., blank forms or policy documents, or
those containing only personal data concerning other
individuals;
the right to access entitles the requester to a copy, rather
than multiple copies, of their personal data. Remove
duplicates, which may be returned where a record is stored
by multiple holders, repeatedly filed, or contained within an
email chain.
iii. Complexity and extension
Consider whether the handling of the request will be complex.
Factors which may contribute complexity to request-handling
include, but are not limited to:
engagement of An Garda Síochána;
multiple requests;
freedom of information request-handling;
TellUs complaint-handling;
prospective or ongoing proceedings, and;
retrieval of large volumes of records.56
54 CC schedule by supalerk laipawat from the noun project
55 CC jigsaw by mynamepong from the noun project
Extension of the response period may be necessary if request-
handling is considered complex. If the response period will be
extended, the requester must be informed within one month of the
request’s receipt.57
If a request’s scope encompasses a large volume of records, ask the
requester if they wish to prioritise retrieval of specific personal
data.58 Bear in mind, however, that the requester cannot be
required to alter their request’s scope.
Consider also arranging for the issuance of a batched response,
with records released to the requester on a regular basis over an
agreed period.
iv. Consultation with a Social Worker
In handling a request, the need for consultation with a Social
Worker may arise. The procedure for consultation with a Social
Worker is set out at Appendix 1. Always ensure that a record of
the consultation is logged.
v. Consultation with a Health Practitioner
In handling a request, the need for consultation with a Health Practitioner may arise. The procedure for consultation with a Social Worker is set out at Appendix 1. Always ensure that a record of the consultation is logged.
vi. Subtasks
Mark subtask 1. as complete if the response period will be extended.
56 Small, medium, and large requests are regarded as those comprising <750, <1,500, and >3,000 pages
57 GDPR, art 12(3)
58 ibid 38
59 CC comment document by mateusz kowalewski from the noun project
60 CC messages by designify.me from the noun project
4. Redaction
i. Storage
Save a copy of the scheduled records under ‘1. Marked’. If necessary, create a .pdf copy of the relevant record, e.g. by selecting ‘File’, then ‘Save as’, selecting ‘PDF’, and selecting ‘Save’ in Microsoft Office.
ii. Text recognition
Open the record in Adobe Acrobat 2020:
Select ‘Scan & OCR’:
a second navigation pane will appear at the top of the screen;
select ‘Recognize Text’, then ‘In This File’;
choose the relevant pages, and;
select ‘Recognize Text’.
iii. Restriction of the right to access
Data protection law restricts the right to access in certain
circumstances. Any restriction must be strictly limited to what is
necessary, in order to ensure the requester can exercise their right
to the greatest extent possible.
All restrictions must be applied with reference to the relevant
provisions of the:
GDPR;
2018 Act;
SI 82 of 1989, or;
SI 83 of 1989.
See Part 4 - Restriction Guidance for more on
the application of restrictions.
iv. Redaction
Open the record in Adobe Acrobat 2020:
Select ‘Redact’;
a second navigation pane will appear at the top of the screen;
select ‘Mark for Redaction’, then ‘Text & Images’;
o Highlight text or images to mark;
o Log a copy of the marked document under ‘1. Marked’.
Note: redactions are not yet applied;
Select ‘Apply’, in the top navigation pane.
o a dialog box will appear.
o select ‘Yes’.
o a left-hand pane will appear;
o select ‘Remove’;
o hidden data and metadata, e.g. bookmarks, hidden elements, etc. are removed when the status bar indicates ‘Done’.
Log a copy of the redacted document as “Appendix 2” under ‘2. Redacted’.
61 CC redaction by dan hetteix from the noun project
v. Scheduling
To create a schedule of the specific restrictions which apply to the
requester’s right to access:
Double-click the mark applied to the working copy;
A dialog box will appear. Enter the relevant restriction,
including the specific grounds for its application;
Select ‘Post’;
When all details are entered, select the ‘Ellipsis’ in the right-
hand pane;
Select ‘Create Comment Summary’;
Under:
o ‘Layout’, select ‘Comments only’;
o ‘Paper size’, select ‘A4’;
o ‘Sort comments by’, select ‘Page’;
o ‘Font Size’, select ‘Medium’;
o ‘Include’, select ‘All comments’;
o Deselect the tickbox;
o Ensure all pages are included, and;
o Select ‘Create Comment Summary’.
The comment summary document will appear in a new window:
Select ‘Edit’ in the right-hand pane;
Retitle the document “Appendix 4 – Detail of restrictions”,
and;
Log a copy of the document as “Appendix 4” under ‘2.
Redacted’.
vi. Page numbering
Open the record in ‘Adobe Acrobat 2020’:
Select ‘Scan & OCR’;
a navigation pane will appear at the top of the screen;
select ‘Bates Numbering’, then ‘Add’.
A dialog box will appear:
o highlight the relevant record;
o select ‘Add files…’ if additional records require
numbering, and;
o select ‘Ok’.
A second dialog box will appear:
o select ‘Insert Bates Number’;
o input the number format to be applied;
o place the string in ‘Right Header Text’, and;
o select ‘Ok’.
vii. Support
Contact the Privacy Network Manager if support is needed, e.g.
because:
a file is particularly large or complex;
queries arise, e.g. in relation to the application of a specific
restriction, or;
queries arise, e.g. in relation to the interaction between
data protection law and other legislation.
viii. Subtasks
Mark as complete subtask:
1. if redaction support was sought, and/or;
2. if a legal query arises.
5. Review
i. Pathways
In order to finalise the handling of the request, ensure restrictions are correctly applied and that the schedule accurately reflects the applied restrictions. Never proceed to release if you are uncertain about a restriction’s application. Review your work by:
1. discussing with another Privacy Officer;
2. bringing queries to a regional case conference;
3. querying the DPU via the conference and Privacy Network
Manager, or;
4. supplying the relevant elements to the DPU’s access team
for review.
Tusla’s DPU will carry out regular and spot-check reviews in
order to ensure that access requests are handled in accordance
with the relevant provisions of data protection legislation.
ii. Subtasks
Mark as complete subtask:
1. if a Social Worker’s assessment is required, and/or;
2. if a Health Practitioner’s assessment is required.
62 CC helpful by adrien coquet from the noun project
63 CC document review by vectors point from the noun project
6. Preparation
i. Finalisation
Prior to releasing the response:
prepare the outcome letter, Appendix 1, and Appendix 3;
collate the outcome letter and four appendices, and;
ensure the requester’s contact details are valid so the right
content goes to the right person at the right address.
ii. Governance
Ensure that your line manager is apprised of upcoming or
anticipated responses.
7. Release
i. Secure communication
The response should be securely communicated to the requester.
Records sent:
electronically must be encrypted and the password
supplied only when receipt is confirmed by the requester;
in hardcopy must be sent by registered post or courier.
Always:
o include return information;
o retain tracking information, and;
o instruct carriers that the records may be supplied
only to the intended recipient and never left in a safe
place or otherwise delivered.
8. Post-release
i. Observations, queries, concerns
Observations, queries, or concerns may not be submitted in all
cases; however, any submissions made by the requester should be
addressed locally to the greatest extent possible in the first
instance. If advice or guidance is required, case-specific queries
should be directed to the Privacy Network Manager.
Ensure copies of documentation and correspondence associated
with post-release activity are logged.
ii. Complaints, judicial remedies
The requester has the right to lodge a complaint with the DPC
and/or to seek a judicial remedy. Communicate notification of
any complaint or proceedings to the Privacy Network Manager.
Ensure copies of documentation and correspondence associated
with judicial remedies are logged.
iii. Subtasks
Mark subtask 1. as complete if observations, queries, or concerns
are submitted.
9. Closure
i. Timelines
Requests should be closed after 30 days if
after release, no further correspondence is received, or;
following the issuance of a response regarding the
requester’s observations, queries, or concerns, no further
correspondence is received.
If necessary, a request can be reopened.
Ensure copies of documentation and correspondence associated
with closures are logged.
F. Part 4 - Restriction Guidance
1. Introduction
“[Personal data] is a threshold concept for the application of
data protection law generally; if data being processed are not
personal data, their processing is not [in-scope of the right]”.69
This means that restriction of the right requires consideration of
its scope. The right gives the requester the possibility of obtaining
information concerning, and a copy of, their ‘personal data’. The
GDPR’s definition of personal data, which is set out above at Key
definitions, comprises four elements:70
“any information” may, among other things, include
names, identification numbers, or descriptions of
situations. The Court of Justice of the European Union
(CJEU) interprets “any information” broadly.71
“relating to” refers to the link between a piece of
information and the requester. As above, the CJEU
generally interprets “relating to” broadly.72
“identified or identifiable” is also interpreted broadly. In
practical terms, this element means that even
information that isn’t immediately linked to the requester
may be personal data.73 When considering whether
information identifies a requester, or could make them
identifiable, account should be taken of the “means
reasonably likely to be used”74 to identify them.
“natural person” narrows the right’s scope to information
concerning living individuals. It is possible, however, that
information relating to deceased or legal persons may
also constitute personal data relating to a requester.75
The expansive definition of personal data means that requests
must be considered with reference to the requester and associated
persons’ individual circumstances.
69 Lee A. Bygrave, Luca Tosoni, ‘Article 4(1) Personal Data’ in Christopher Kuner, Lee A. Bygrave and Christopher Docksey (eds) The EU General Data Protection Regulation (GDPR) A Commentary (Oxford University Press 2020) 105
70 European Data Protection Board, Guidelines on personal data breach notification under Regulation 2016/679 (18/EN wp250, rev.01, European Data Protection Board 2018)
71 See, for example: C-465/00, C-138/01, and C-139/01 Rechnungshof (C-465/00) v Österreichischer Rundfunk and Others [2003] para 64, C-101/01 Reference to the Court under Article 234 EC by the Göta hovrätt (Sweden) for a preliminary ruling in the criminal proceedings before that court against Bodil Lindqvist [2003] para 27, C-524/06 Heinz Huber v Bundesrepublik Deutschland [2008] paras 31 and 43, C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy [2008] para 35, C-291/12 Michael Schwarz v Stadt Bochum [2013] para 27, C-293/12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] para 26, C-212/13 František Ryneš v Úřad pro ochranu osobních údajů [2014] para 22, C-201/14 Smaranda Bara and Others v Casa Naţională de Asigurări de Sănătate and Others [2015] 29, C-582/14 Patrick Breyer v Bundesrepublik Deutschland [2016] para 49, C-434/16 Peter Nowak v Data Protection Commissioner [2017] paras 34 and 36, and C-345/17 Request for a preliminary ruling from the Augstākā tiesa. [2019] para 32
72 See, for example: C-434/16 Peter Nowak v Data Protection Commissioner [2017] para 35, C-141/12 and C-372/12 YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v M and S. [2014] para 48
73 See, for example: C-582/14 Patrick Breyer v Bundesrepublik Deutschland [2016] paras 43 and 46
74 GDPR, rec 26
75 See, for example: C-92/09 and C-93/09 Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen [2010] para 53, C-419/14 WebMindLicenses kft v Nemzeti Adó- és Vámhivatal Kiemelt Adó- és Vám Főigazgatóság [2015] para 79, T-670/16 Digital Rights Ireland Ltd v European Commission [2017] para 25
i. Necessity and proportionality
The Charter requires that “[a]ny limitation on the exercise of the
[right to access] must be provided for by law and respect the
essence of [the right]. Subject to the principle of proportionality,
limitations may be made only if they are necessary and
genuinely meet objectives of general interest recognised by the
Union or the need to protect the rights and freedoms of
others.”78 When considering:
necessity;
o factually describe the need for the restriction;
o describe the right, i.e. access, that will be affected;
o define the objective of the restriction, and;
o confirm that the restriction is applied in the least
invasive way possible.
proportionality;
o describe the importance of the objective;
o assess the restriction’s scope, extent, and intensity;
o evaluate the fairness of the restriction, and;
o confirm the restriction is appropriate to the need.79
The European Data Protection Supervisor publishes detailed
guidance on the assessment of necessity80 and proportionality81.
These documents outline that, generally, restriction of the right
to access must be grounded in legislation, be strictly necessary,
and be strictly limited. In practical terms, restrictions must be
applied sparingly and only where required with reference to the
applicable data protection legislation.
ii. Specific restrictions
The restrictions set out in the GDPR, 2018 Act, SI 82 of 1989,
and SI 83 of 1989 are detailed below with reference to whether,
or to what extent, the circumstances in which they apply arise in
the context of the Agency’s processing.
78 Charter, art 52(1)
79 European Data Protection Supervisor, ‘The EDPS quick-guide to necessity and proportionality’ (EDPS, 28 January 2020) <https://edps.europa.eu/sites/edp/files/publication/20-01-28_edps_quickguide_en.pdf> accessed 16 April 2021
80 European Data Protection Supervisor, ‘Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit’ (EDPS, 11 April 2017) <https://edps.europa.eu/sites/default/files/publication/17-06-01_necessity_toolkit_final_en.pdf> accessed 16 April 2021
81 European Data Protection Supervisor, ‘Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data’ (EDPS, 25 February 2019) <https://edps.europa.eu/sites/default/files/publication/19-02-25_proportionality_guidelines_en.pdf> accessed 16 April 2021
iii. Example 1
Applicable: 🗹
Provides that: “The relevant legislation is set out in this column.”
Summary: Checked restrictions apply in the context of Tusla’s processing.
Example: Art. 15(1) and (4) GDPR, ss 60(3)(a)(iv), (v), 60(3)(b), and 162(a) of the 2018 Act, rs 4(1) and 5(1) of SI 82 of 1989, and rs 4(1) and (3) of SI 83 of 1989
iv. Example 2
Applicable: 🗵
Provides that: “The relevant legislation is set out in this column.”
Summary: Crossed restrictions don’t apply in the context of Tusla’s processing.
Example: Ss 60(3)(a)(i) – (iii), 60(3)(a)(vi), 61, 94, and 158 of the 2018 Act.
2. Restrictions in the GDPR
i. Article 15(1)
Applicable? 🗹
Provides that: “The [requester] shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”.
Summary: The right is to the requester’s personal data only, however:
certain non-personal data, e.g. the headings under which a requester’s personal data is recorded, should be supplied to contextualise Tusla’s processing, and;
others’ personal data may relate to a requester, e.g. Tusla employees’ names and assignment to their case.
Example:
1. A record holder retrieves a safety statement concerning a premises with which Ash T., the requester, has no connection. As the statement is non-personal data, it falls outside the right’s scope and may be excluded from the response.
2. A record holder retrieves a form containing the requester’s name and contact information. Fields which could include others’ personal data are blank. As the blank fields contextualise Tusla’s processing, the form should be released in full.
ii. Article 15(4)
Applicable? 🗹
Provides that: The requester’s “right to obtain [a copy of personal data] shall not adversely affect the rights and freedoms of others.”
Summary: Rights and freedoms are set out in documents such as the Charter, the European Convention on Human Rights, and the Constitution. A response to the requester can’t adversely affect others’:
rights, e.g. to security of the person,83 or to respect for private and family life,84 or;
freedoms, e.g. of thought, conscience, and religion,85 or of expression and information.86
The GDPR doesn’t define adverse effect, but its lawfulness, fairness, and transparency principle is relevant. In this connection, the:
DPC notes that “[i]t should be transparent to individuals that personal data [are] or will be processed”,87
United Kingdom’s Information Commissioner's Office states that “you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.”88
If the response to a requester diminishes another person’s enjoyment of a right or freedom, it will give rise to adverse effects. A person’s rights and freedoms generally expire with them; this means that a release cannot adversely affect deceased persons. Art. 15(4) is applicable only when personal data’s release to the requester will result in a concrete adverse effect on a specific right or freedom enjoyed by another person.
The concrete adverse effect on a specific right or freedom must be cited when applying Art. 15(4). Consideration of its application should be guided by the requester and associated persons’ circumstances. Consult with a Social Worker, as outlined at Appendix 1, if information required for the application of this restriction is needed.
Example:
1. A record holder retrieves the minutes of a meeting that Paul S., Sylvia T., and a Social Worker attended. As Paul attended the meeting with Sylvia and the Social Worker, he likely knows the minutes’ contents and their release is unlikely to cause adverse effects.
2. Michael B. submits an access request to Tusla for birth and adoption information. A record holder retrieves a document listing Gabrielle B. as Michael’s mother. An enclosed note states that during her engagement with the Adoption Information and Tracing Service, Gabrielle indicated that she doesn’t wish to interact with Michael.
The requester and associated persons’ individual circumstances are considered to assess whether the release of mixed personal data, i.e. personal data relating to both Michael and Gabrielle, will adversely affect Gabrielle’s rights and freedoms. A Social Worker is consulted to obtain information needed to inform the restriction’s application.
As Gabrielle has indicated that she doesn’t wish to interact with Michael, it appears likely that the release of mixed personal data will adversely affect her right to respect for private and family life. As such, Michael’s right to access must be restricted as regards mixed personal data relating to Gabrielle and such personal data must be excluded from the response, citing the specific adverse effect on the relevant right.
83 Charter, art 6
84 Charter, art 7
85 Charter, art 10
86 Charter, art 11
87 DPC, ‘Principles of Data Protection’ (DPC) <https://www.dataprotection.ie/en/individuals/data-protection-basics/principles-data-protection> accessed 16 April 2021
88 Information Commissioner’s Office, ‘Principle (a): Lawfulness, fairness and transparency’ (Information Commissioner’s Office) <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/> accessed 16 April 2021
3. Restrictions in the 2018 Act
i. Section 60(3)(a)(i)
Applicable? 🗵
Restricts the right: To the extent “necessary and proportionate to safeguard cabinet confidentiality, parliamentary privilege, national security, defence and the international relations of the State”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Example: Nil.
ii. Section 60(3)(a)(ii)
Applicable? 🗵
Restricts the right: To the extent “necessary and proportionate for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.
iii. Section 60(3)(a)(iii)
Applicable? 🗵
Restricts the right: To the extent “necessary and proportionate for the administration of any tax, duty or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Example: Nil.
iv. Section 60(3)(a)(iv)
Applicable? 🗹
Restricts the right: To the extent “necessary and proportionate in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure”.
Summary: This restriction, which is one of four related to legal claims or proceedings, places personal data outside the right’s scope to the extent that it’s processed for the purpose of planning for or carrying out legal proceedings.
This restriction’s scope isn’t limited to claims or proceedings before the Court. It extends also to proceedings before a tribunal, a statutory body, or in connection with an administrative procedure. This restriction:
requires specific consideration of necessity and proportionality, and;
isn’t applicable if the claim or proceedings didn’t proceed or are concluded.
Example: A record holder retrieves a proposal document concerning planned proceedings intended to protect Elizabeth T., a highly vulnerable service user. The proposal anticipates that the proceedings’ commencement is likely to cause John P., the requester, to attempt to remove Elizabeth to another jurisdiction.
As the requester’s personal data are processed in contemplation of the proceedings’ establishment, and because his exercise of the right will likely undermine them, release must be restricted to the extent necessary for the proceedings’ exercise.
v. Section 60(3)(a)(v)
Applicable? 🗹
Restricts the right: To the extent “necessary and proportionate for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim”.
Summary: This restriction places personal data outside the right’s scope to the extent that it’s processed for the purpose of civil claim enforcement. This restriction requires specific consideration of necessity and proportionality.
Example: A record holder retrieves a letter concerning enforcement of a claim taken against James K., the requester, on foot of an alleged breach of contract. The letter anticipates that enforcement of the claim is likely to cause James to leave the jurisdiction.
As the requester’s personal data are processed for the purpose of enforcing a civil law claim, and because his exercise of the right will likely undermine this, release must be restricted to the extent necessary and proportionate for the claim’s enforcement.
vi. Section 60(3)(a)(vi)
Applicable? 🗵
Restricts the right: To the extent “necessary and proportionate for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.
vii. Section 60(3)(b)
Applicable? 🗹
Restricts the right: To the extent that “the personal data relating to the [requester] consist of an expression of opinion about the [requester] by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information”.
Summary: This restriction places personal data comprising an expression of opinion about the requester given by another person to a legitimately interested recipient outside the right’s scope.
Example: Gabriel L. submits a request to Tusla. A record holder retrieves a note which records Philippa G.’s disclosure to a Social Worker of alleged abuse. The note establishes that Philippa was given written assurance that her anonymity would be maintained.
As the requester’s personal data consist of an expression of opinion given in the context of a confidential disclosure, release must be restricted.
viii. Section 61(1)(a)
Applicable? 🗵
Restricts the right: To the extent that “the exercise of [the right to access] would be likely to render impossible, or seriously impair, the achievement of [processing … for archiving purposes in the public interest]”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Example: Nil.
ix. Section 61(1)(b)
Applicable? 🗵
Restricts the right: To the extent that “such restriction is necessary for the fulfilment of [processing … for archiving purposes in the public interest]”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.
x. Section 61(2)(a)
Applicable? 🗵
Restricts the right: To the extent that “the exercise of [the right to access] would be likely to render impossible, or seriously impair, the achievement of [processing … for scientific or historical research purposes or statistical purposes]”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Example: Nil.
xi. Section 61(2)(b)
Applicable? 🗵
Restricts the right: To the extent that “such restriction is necessary for the fulfilment of [processing … for scientific or historical research purposes or statistical purposes]”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.
xii. Section 94
Applicable? 🗵
Provides: Restrictions on exercise of data subject rights (Part 5)
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Part 5 of the 2018 Act, i.e. sections 69 to 104 (as well as sections 118 to 128), concerns processing in-scope of the Law Enforcement Directive.89 The Directive’s provisions don’t apply to the Agency’s processing, which is carried out within the GDPR’s scope only.90
Example: Nil.
89 GDPR, art 2(2)(d)
90 GDPR, art 2(1)
xiii. Section 158(1)(a)
Applicable? 🗵
Restricts the right: To the extent that “the restrictions are necessary and proportionate to safeguard judicial independence and court proceedings”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.
xiv. Section 162(a)(i)
Applicable? 🗹
Provides that: The right does not apply “to personal data processed for the purpose of seeking, receiving, or giving legal advice”.
Summary: Legal advice is oral or written advice given by a solicitor or a barrister about how the law applies.
This restriction, which is the second of four related to legal claims or proceedings, places personal data outside the right’s scope to the extent that it is processed for the purpose of seeking, receiving, or giving legal advice.
Example:
1. A record holder retrieves a letter which contains a request for legal advice regarding Joann O., the requester.
As the requester’s personal data are processed for the purpose of seeking legal advice, release must be restricted.
2. A record holder retrieves a cover letter which encloses legal advice relating to Hugh C., the requester.
As the requester’s personal data are processed for the purpose of receiving legal advice, release must be restricted.
xv. Section 162(a)(ii)
Applicable? 🗹
Provides that: The right does not apply to “personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers”.
Summary: Legal professional privilege confers a privilege of exemption from disclosure of communications between a lawyer and their client.
This restriction, which is the third of four related to legal claims or proceedings, places personal data which attracts legal privilege outside the right’s scope. There are two types of legal privilege:
advice privilege, which is attracted by legal advice given by a lawyer to their client in any context, and;
litigation privilege, which is attracted by draft or finalised documentation, regardless of its source, whose dominant purpose is in preparation for litigation.
Example:
1. A record holder retrieves a letter which contains privileged legal advice concerning Kayla D., the requester.
As Kayla’s personal data are contained within a letter that attracts legal advice privilege, release must be restricted.
2. A record holder retrieves a submission regarding Evan C., the requester, which was received for the purpose of preparing for litigation commenced by Tusla.
As the requester’s personal data are contained within a letter which attracts legal litigation privilege, release must be restricted.
xvi. Section 162(a)(iii)
Applicable? 🗹
Provides that: The right does not apply “where the exercise of such rights or performance of such obligations would constitute a contempt of court”.
Summary: Contempt of court protects the administration of justice by ensuring the Court’s orders are obeyed.
This restriction, which is the fourth of four related to legal claims or proceedings, places personal data outside the right’s scope to the extent that release would give rise to contempt.
Example: A record holder retrieves a report concerning Wesley C., which was submitted by a Social Worker during proceedings for renewal of his care order that were held in camera. The report contains personal data relating to Jack C., the requester.
As the proceedings were held in camera, release must be restricted.
4. Restrictions in SI 82 of 1989
i. Regulation 4(1)
Applicable? 🗹
Provides that: “Information constituting health data shall not be supplied by or on behalf of a data controller to the [requester] in response to [an access request] if it would be likely to cause serious harm to [the physical or mental health of the requester].”
Summary: SI 82 of 1989 defines ‘health data’ as personal data relating to physical or mental health.91
This restriction places health data whose release will likely seriously harm the requester’s physical or mental health outside the right’s scope.
This restriction is applicable only for as long as serious harm is likely to occur and, as outlined below, must be applied in connection with r 5(1).
Appendix 1 outlines the procedure for consultation with the appropriate Health Practitioner.
Example: A record holder retrieves a report containing health data whose release may seriously harm the requester’s mental health and emotional condition. Consultation with the appropriate Health Practitioner indicates that release of certain of the report’s contents will likely seriously harm the requester’s mental health.
As the personal data are likely to seriously harm the requester’s mental health, release must be restricted.
ii. Regulation 5(1)
Applicable? 🗹
Provides that: “A data controller who is not a health practitioner shall not supply information constituting health data in response to [a request], or withhold any such information on the grounds specified in Regulation 4 (1), unless he has first consulted the person who appears to him to be the appropriate [health practitioner].”
Summary: This restriction requires that any release or withholding of health data proceed only following consultation with the appropriate Health Practitioner.92
Appendix 1 outlines the procedure for consultation with the appropriate Health Practitioner.
Example: A Privacy Officer intends to restrict access to health data whose release will likely seriously harm the requester’s mental health and to release other health data which is not anticipated to cause serious harm.
As regulation 5 of SI 82 requires consultation with the appropriate Health Practitioner prior to any release or withholding of health data, such consultation must occur before proceeding.
91 SI 82 of 1989, reg 3
92 SI 82 of 1989, r 3
5. Restrictions in SI 83 of 1989
i. Regulation 4(1)
Applicable? 🗹
Provides that: “Information constituting social work data shall not be supplied to the [requester] in response to [an access request] if it would be likely to cause serious harm to [the physical or mental health or emotional condition of the requester]”.
Summary: SI 83 of 1989 defines ‘social work data’ as personal data kept for, or obtained in the course of, carrying out social work by a public authority or other body.93 The definition of ‘social work data’ excludes ‘health data’, which is defined by SI 82 of 1989.94
This restriction places personal data constituting social work data which will likely seriously harm the requester’s physical health, or mental health or emotional condition outside the right’s scope.
This restriction is applicable only for as long as serious harm is likely to occur.
Consult with a Social Worker, as outlined at Appendix 1, if information required for the application of this restriction is needed.
Example: A record holder retrieves a report containing social work data whose release may seriously harm the requester’s mental health and emotional condition. Consultation with a social worker indicates that release of the report’s contents will likely seriously harm the requester’s mental health.
As the personal data are likely to seriously harm the requester’s mental health, release must be restricted.
93 SI 83 of 1989, ibid
94 ibid
ii. Regulation 4(3)
Applicable? 🗹
Provides that: “If the social work data include information supplied to a data controller by an individual (other than an employee or agent of the data controller) while carrying out social work, the data controller shall not supply that information to the [requester in response to an access request] without first consulting that individual.”
Summary: This restriction requires that social work data received from someone other than a Tusla employee or agent not be released without first consulting the provider.
Consult the provider, as outlined at Appendix 1, if information required for the application of this restriction is needed.
Example: A record holder retrieves a letter submitted by Christopher P., a member of the public, regarding service delivery to the requester.
As the requester’s personal data are social work data provided by someone other than a Tusla employee or agent, the provider must be consulted before release.
G. Appendix 1
1. Consultation
Article 15(4) GDPR, regulations 4(1) and 5 of SI 82 of 1989, and
regulations 4(1) and (3) of SI 83 of 1989 require that the response
to a request not:
adversely affect others’ rights and freedoms;
seriously harm the requester’s physical or mental health
or emotional condition;
include social work data received from someone other
than a Tusla employee or agent without first consulting
the provider, or;
include or withhold health data without first consulting
the appropriate Health Practitioner.
Noting these requirements, Privacy Officers must consider:
• the nature of the personal data, which may include special
  categories of personal data;96
• the requester and associated persons’ individual
  circumstances, and;
• the context in which the request was received.
This consideration involves assessment of different factors,
depending on the nature, scope, context, and purposes of the
relevant processing. For example, requests whose scope includes
personal data associated with adoption may factor in the state’s
operation of a closed system of adoption, the publication of the
Final Report of the Commission of Investigation into Mother and
Baby Homes and certain related matters, and contemporary
reporting in this connection.
Having considered the nature, scope, context, and purposes of the
relevant processing, including the requester and associated
persons’ individual circumstances, the assigned Officer may
consider that health data fall within the request’s scope or that
release of certain personal data will likely adversely affect others’
rights and freedoms or seriously harm the requester’s physical
or mental health or emotional condition.
Although, in particular, serious harm may be anticipated, Privacy
Officers alone are not equipped or expected to carry out a
comprehensive assessment in this connection. Consult with a
Social Worker if necessary to ensure the request is
handled in a way that facilitates demonstration of compliance
with the applicable data protection law.97
i. Article 15 and the Regulations 4(1)
95 CC consult by teewara soontorn, from the noun project
96 GDPR, art. 9(1) defines ‘special categories of personal data’ (or ‘sensitive data’ as at recital 10 GDPR) as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
97 GDPR, art 5(2)
98
Consult with a Social Worker. If the consultation indicates that
releasing the relevant personal data:
• isn’t likely to cause serious harm to the requester’s physical
  or mental health or emotional condition, proceed to
  release;
• will likely cause serious harm to the requester’s physical
  or mental health or emotional condition, proceed to apply
  the relevant restriction(s) as set out above at Part 4.
ii. Regulation 4(3)
99
Consider consulting the person, other than a Tusla employee or
agent, who provided the personal data regarding its possible
release. If, within the GDPR’s thirty-day request-handling
timeframe, consultation with the provider:
• is possible, proceed to release;
• isn’t possible, proceed to apply the relevant restriction(s)
  as set out above at Part 4.
iii. Regulation 5(1)
100
If health data fall within the request’s scope, consult the
appropriate Health Practitioner, i.e.:
• the registered medical practitioner who cares, or most
  recently cared, for the requester in connection with the
  health data’s subject matter;101
• when more than one such person is available, the person
  most suitable to advise,102 or;
• where no such person is available, a Health Practitioner
  possessing the necessary experience and qualifications to
  advise.103
As Social Workers are registrants of a designated
profession,104,105,106 they may be regarded as the appropriate Health
Practitioner for the purposes of SI 82 of 1989.
98 CC process by anna sophie from the noun project
99 CC process by andrejs kirma from the noun project
100 CC process by christopher holm-hansen from the noun project
101 SI 82 of 1989, r 5(2)(a)
102 SI 82 of 1989, r 5(2)(b)
103 SI 82 of 1989, r 5(2)(c)
104 SI 82 of 1989, r 3
105 Health and Social Care Professionals Act 2005, ss 3(1) and 4(1)(k)
106 Health Identifiers Act 2014, s2(1)