
Access Requests Standard Operating Procedure

Draft 2.2

Access Requests

Standard Operating Procedure

Page 2 of 41

Table of Contents

A. Document control ... 3
B. Introduction ... 4
   1. Key definitions ... 4
C. Part 1 - Legislation ... 5
   1. Provisions ... 5
   2. Parameters ... 6
D. Part 2 - Case Management ... 7
   1. OneTrust ... 7
   2. Intake ... 8
   3. Request-handling ... 9
E. Part 3 - Request Stages ... 12
   1. Confirmation ... 12
   2. Retrieval ... 14
   3. Scheduling ... 16
   4. Redaction ... 17
   5. Review ... 20
   6. Preparation ... 21
   7. Release ... 21
   8. Post-release ... 22
   9. Closure ... 22
F. Part 4 - Restriction Guidance ... 24
   1. Introduction ... 24
   2. Restrictions in the GDPR ... 27
   3. Restrictions in the 2018 Act ... 29
   4. Restrictions in SI 82 of 1989 ... 36
   5. Restrictions in SI 83 of 1989 ... 37
G. Appendix 1 ... 39
   1. Consultation ... 39

A. Document control

1. Owner: Data Subject Requests Lead, Data Protection Unit (DPU)
2. Reviewer: Data Protection Officer
3. Approver: Operations General Manager, DPU

Communicate any observations, queries, or concerns you have about this document to the owner.

4. Version | 5. Location | 6. Approved | 7. Approver | 8. Published | 9. Update(s)
1.0 | Link | 28/01/20 | RD | 30/01/20 | First published.
2.0 | Link | 16/04/21 | JP | 22/04/21 | Substantive revision.
2.1 | Link | 25/08/21 | SOR | 26/08/21 | Stage 3, Stage 5, Part 4, appendices.
2.2 | Link | 27/08/21 | SOR | 27/08/21 | Style, corrections.

All updates must be noted and explained above. Revisions must be reviewed and approved.

10. Review | 11. Action
27/08/2022 | The owner will review and, if necessary, update this document.

B. Introduction

The Child and Family Agency processes personal data in order to carry out the functions assigned by the Child and Family Agency Act 2013[1] and other legislation.[2] Individuals whose personal data Tusla processes may exercise their General Data Protection Regulation (GDPR)[3] rights and seek:

• access;[4]
• rectification and/or completion;[5]
• erasure;[6]
• restriction of processing;[7]
• data portability;[8]
• to object,[9] and;
• not to be subject to automated individual decision-making.[10]

These rights may be given further effect, or be restricted, by Irish data protection law. In order to facilitate requesters’ exercise of their rights to the greatest extent possible, all requests must be carefully considered. This document sets out:

1. a step-by-step procedure for access request-handling, and;
2. guidance on the application of relevant data protection law.

1. Key definitions

The GDPR assigns specific meanings to certain terms:

• ‘personal data’ is any information relating to an identified or identifiable natural person.[11]
• an ‘identifiable natural person’ is one who can be directly or indirectly identified, in particular by reference to an identifier, e.g.:
  o a name;
  o an identification number;
  o location data;
  o an online identifier, or;
  o specific physical, physiological, genetic, mental, economic, cultural or social factors.[12]
• ‘processing’ is any operation – including storage – performed on personal data.[13]

Footnotes
[1] Child and Family Agency Act 2013, section 8
[2] See here for more.
[3] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L119/1
[4] GDPR, art 15
[5] GDPR, art 16
[6] GDPR, art 17
[7] GDPR, art 18
[8] GDPR, art 20
[9] GDPR, art 21
[10] GDPR, art 22
[11] GDPR, art 4(1)
[12] ibid
[13] GDPR, art 4(2)

C. Part 1 - Legislation

1. Provisions

Charter of Fundamental Rights of the European Union (the ‘Charter’)
Provides that everyone has the right of access to data which has been collected concerning him or her.[14]

GDPR
Provides that the requester has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and access to the personal data and information about the:
1. processing’s purposes;
2. categories of personal data processed;
3. recipients or categories of recipient to whom personal data were, are, or will be disclosed;
4. retention period, where possible, or the criteria used to determine that period if not possible;
5. existence of the rights to rectification, erasure, restriction of processing, and the right to object;
6. right to complain to the Data Protection Commission (DPC);
7. personal data’s source, if not collected from the requester, and;
8. existence of automated decision-making, including profiling, as well as meaningful information about the logic, significance, and envisaged consequences of such processing.[15]
Provides that where personal data are transferred to a third country or to an international organisation, the requester shall have the right to be informed of the appropriate safeguards relating to the transfer.[16]
Provides that the controller shall provide a copy of personal data undergoing processing. For any further copies requested, the controller may charge a reasonable fee based on administrative costs. Where the request is made by electronic means, and unless otherwise requested, information shall be provided in a commonly used electronic form.[17]
Provides that the right to obtain a copy of personal data shall not adversely affect others’ rights and freedoms.[18]

Data Protection Act 2018 (the ‘2018 Act’)
Provides for restriction of the right to access in certain circumstances.
Provides, in Irish law, for data protection rights and obligations – including the right to access – as they relate to processing in-scope of the Law Enforcement Directive.[19][20]

Data Protection (Access Modification) (Health) Regulations 1989 (‘SI 82 of 1989’)
Provides for restriction of the right to access in certain circumstances.

Footnotes
[14] Charter, art 8(2)
[15] GDPR, art 15(1)
[16] GDPR, art 15(2)
[17] GDPR, art 15(3)
[18] GDPR, art 15(4)
[19] Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA [2016] OJ L 119/89
[20] 2018 Act, ss 69-104 and 118-128

Data Protection (Access Modification) (Social Work) Regulations 1989 (‘SI 83 of 1989’)
Provides for restriction of the right to access in certain circumstances.

2. Parameters

The GDPR establishes certain parameters for request-handling, requiring that:

• communication is concise, transparent, intelligible, accessible, and uses plain language;[22]
  o this is the case, in particular, for information addressed to a child;[23]
• information is provided in writing or by other means;[24]
• requests are not refused unless the requester is demonstrably unidentifiable;[25]
• information on action taken is provided to the requester within one month;[26][27]
  o taking into account the complexity and number of requests, this period may be extended by two months.[28] However, the extension and its cause(s) must be communicated to the requester within one month;[29]
• if no action will be taken, the requester is informed within one month and advised of their right to lodge a complaint and/or seek a judicial remedy;[30]
• generally, no fee may be levied, but, if requests are manifestly unfounded or excessive:
  o a reasonable fee may be charged, or;
  o the request may be refused, provided;
  o the request’s unfounded or excessive character is demonstrated;[31]
• if doubts arise as to a requester’s identity, additional information may be requested.[32]

Footnotes
[21] CC parameter by priyanka from the noun project
[22] GDPR, art 12(1)
[23] ibid
[24] ibid
[25] GDPR, art 12(2)
[26] GDPR, art 12(3)
[27] One month is regarded as 30 days, commencing on receipt of the valid request
[28] Three months is regarded as 90 days, commencing on receipt of the valid request
[29] ibid 27
[30] ibid
[31] GDPR, art 12(5)
[32] GDPR, art 12(6)

D. Part 2 - Case Management

1. OneTrust

i. Login

Tusla uses OneTrust to manage the end-to-end handling of data subject requests.[33] Contact the Privacy Network Manager if a OneTrust account is required. To access OneTrust, use:
• ‘Google Chrome’;
• ‘Microsoft Edge’, or;
• ‘Mozilla Firefox’.
Do not use ‘Internet Explorer’.

To login:
• navigate to the login page;
• enter the email address associated with your account, and;
• enter your password.

OneTrust will display the modules to which access is permitted: select ‘Data Subject Requests’.

ii. Navigation

Three navigation panes are used within OneTrust. Depending on the specific role(s) assigned to you, these panes may differ slightly.

The top navigation pane (from left to right) allows you to:
1. move between modules;
2. view alerts;
3. view the organisation;
4. view your profile, and;
5. access help and tips.

The left navigation pane (from top to bottom) allows you to:
1. view the dashboard, and;
2. access the request register.

The register navigation pane (from left to right) allows you to:
1. create requests;
2. search requests;
3. modify columns;
4. refresh the register, and;
5. filter requests.

To modify columns:
• select the column tool;
• use the arrow buttons to move a column to or from ‘Active’, and;
• select ‘Save’.

To filter requests:
• select the filter tool;
• select ‘Add filter’;
• select the desired field;
• set the desired properties;
• select ‘Save’, and;
• select ‘Apply’.

iii. The dashboard

When the data subject requests module is opened, the ‘Dashboard’ displays. The dashboard presents metrics relating to open requests.

iv. The register

The register, which can be filtered to display specific cases, lists requests made to Tusla and is accessible via the left-hand navigation pane.

Footnotes
[33] OneTrust, ‘About Us’ (OneTrust, 2021) <https://www.onetrust.com/company/about-us/> accessed 16 August 2021

2. Intake

i. The portal

Most requests are made via Tusla’s portal, which collects information needed for request-handling. Portal requests will be assigned to the relevant region, with an email notification sent to:

• [email protected] for requests concerning:
  o adoption services.
• [email protected] for requests concerning:
  o Dublin South Central;
  o Dublin South East & Wicklow;
  o Dublin South West, Kildare & West Wicklow, and;
  o Midlands.
• [email protected] for requests concerning:
  o Cavan & Monaghan;
  o Dublin North City;
  o Louth & Meath, and;
  o North Dublin.
• [email protected] for requests concerning:
  o Donegal;
  o Galway & Roscommon;
  o Mayo;
  o Mid West, and;
  o Sligo, Leitrim & West Cavan.
• [email protected] for requests concerning:
  o Carlow, Kilkenny & South Tipperary;
  o Cork;
  o Kerry, and;
  o Waterford & Wexford.
• [email protected] for:
  o requests concerning other services.

ii. Other channels

The GDPR does not require that a request be made in any particular way. If a request is otherwise received, e.g. by email, post, etc., it must be recorded via the portal. To record a request:
• select ‘Create Request’ in the register navigation pane;
• a dialog box will appear;
• select ‘Intake - DSRs’, and;
• input the necessary information.

3. Request-handling

i. Navigation

When a request is opened, associated information will appear on-screen. The information displayed depends on the workflow.

In the left-hand pane appear the request’s:
• workflow;
• owner (approver);
• organisation;
• submission date;
• extension status;
• due date;
• resolution status, and;
• source.

An open request displays its basic details. Select ‘Show More’ to see all details; the information displayed is that submitted by the requester. High-level guidance on the request’s current stage displays below the request details.

ii. Assignment

Email notifications advising that a request has been received are sent to the relevant mailboxes. Requests must be assigned to an individual Privacy Officer for handling. To assign a request:
• open the relevant request;
• select ‘Approver’ in the left-hand pane;
• choose the relevant Privacy Officer;
• briefly summarise your action, and;
• select ‘Assign’.

iii. Modification

When a request is opened, certain of its properties may be modified. Requests’ properties should be modified only when strictly necessary.

In the top navigation pane appear:
1. the request’s reference number;
2. stage, and;
3. a selector.

The top pane selector enables:
1. extension;
2. closure;
3. editing, or;
4. workflow modification.

The ‘Extend’ function:
• issues an email to the requester, but;
• is not currently in use;
• see guidance below at Scheduling for further information.

The ‘Close’ function:
• sets a request’s stage to ‘Closed’;
• see guidance below at Closure for further information.

The ‘Edit’ function:
• enables modification of responses submitted via the portal;
• see guidance below at Preparation for further information.

The ‘Change Workflow’ function:
• enables modification of the workflow to which a request is assigned, but;
• is not currently in use.

‘Subtasks’ are used to track events that may occur during request-handling. Their status is displayed in the ‘Subtasks’ tab. To modify a subtask’s status:
• select the relevant subtask;
• select ‘Mark as In Progress’, ‘Mark as Complete’, or ‘Mark as Rejected’ from the dropdown list;
• a dialog box will appear:
  o briefly summarise your action;
  o if required, add an attachment, and;
  o select ‘Mark as…’.

‘Activity’ permits the posting of comments concerning the request; ‘DSAR File Upload’ users may also use this function to upload files that are too large (i.e. over ten megabytes) to be transmitted by email; see Retrieval for more.

‘History’ records modifications made to requests.

iv. Logging

Copies of documents, e.g. emails, letters, etc., must be logged:
• create a folder titled Firstname Lastname – Reference;
• structure using the file setup template, and;
• log correspondence and documents as they are received.

Contact the Privacy Network Manager if drive access is required. Always ensure that copies of documentation and correspondence associated with request-handling are logged in the relevant folder.

v. Tracking

A request’s status is tracked by assignment to a specific stage in OneTrust. Always ensure that the stage assigned accurately reflects the request’s progress.

vi. Passwords

In certain circumstances, e.g. transmission or storage, password protection may be required. When password protecting files:
• choose a secure password (length is preferable to complexity);
• securely log a copy of the password protected file;
• securely log a copy of the password-free file, separately if necessary, and;
• securely log a copy of the password, separately if necessary.

E. Part 3 - Request Stages

1. Confirmation

i. All requests

Noting the GDPR’s parameters for request-handling and the highly sensitive nature of the personal data Tusla processes, the portal advises requesters that action cannot be taken on a request unless their identity is confirmed.

The portal facilitates provision of certified identity documentation. The requester’s identity may be confirmed by provision of:
• identification, e.g. a copy of a Driver’s License, Passport, or Public Services Card, which is certified by a member of a regulated, relevant, profession, e.g. a member of An Garda Síochána, a general practitioner, or solicitor, or;
• correspondence from a member of a regulated, relevant, profession affirming the requester’s identity.

In order to progress the handling of requests, certain information is required. The portal captures the details of the requester’s relationship with the Agency to facilitate retrieval of records falling within the request’s scope. If:
• further information is needed, contact the requester;
• certified ID was not provided, contact the requester.

If, 30 days after contacting the requester:
• insufficient information was provided, refuse and close;
• the requester’s identity can’t be confirmed, refuse and close.

Footnotes
[34] Password by scott dunlap from the noun project
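The day counts the SOP fixes in Part 1 (section 2, footnotes 27 and 28) and the 30-day follow-up rule just above, worked as a small deadline checker a Privacy Officer could run over a case list. This is an added example, not part of the SOP or of OneTrust; the AccessRequest fields, the action labels and the sample dates are constructed assumptions, and the checker treats `received` as the date the valid request arrived, which is when the SOP starts the clock.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# Day counts as the SOP states them: one month is 30 days and the extended
# period is 90 days, both counted from receipt of the valid request. Stage 1
# gives the requester 30 days after being contacted to supply certified ID or
# the missing information before the request is refused and closed.
ONE_MONTH_DAYS = 30
THREE_MONTHS_DAYS = 90
FOLLOW_UP_DAYS = 30

DayLike = Union[date, str]  # a date, or an ISO 8601 string such as "2021-08-02"


def _day(value: DayLike) -> date:
    """Accept a date or an ISO string so the checker also works on CSV input."""
    return value if isinstance(value, date) else date.fromisoformat(value)


@dataclass
class AccessRequest:
    """Constructed, minimal model of one request; the field names are assumptions."""
    received: DayLike                                # receipt of the valid request
    identity_confirmed: bool = False                 # certified ID or professional's letter held
    info_sufficient: bool = False                    # enough detail to scope retrieval
    contacted_on: Optional[DayLike] = None           # requester asked for ID / information
    extension_notified_on: Optional[DayLike] = None  # extension and its cause(s) sent


def latest_extension_notice(req: AccessRequest) -> date:
    """Last day on which an extension and its cause can still be communicated."""
    return _day(req.received) + timedelta(days=ONE_MONTH_DAYS)


def extension_is_valid(req: AccessRequest) -> bool:
    """An extension only counts if the requester was told within the first month."""
    if req.extension_notified_on is None:
        return False
    return _day(req.extension_notified_on) <= latest_extension_notice(req)


def response_due(req: AccessRequest) -> date:
    """Due date: 30 days from receipt, or 90 days if a valid extension was notified."""
    days = THREE_MONTHS_DAYS if extension_is_valid(req) else ONE_MONTH_DAYS
    return _day(req.received) + timedelta(days=days)


def days_remaining(req: AccessRequest, today: DayLike) -> int:
    """Days left until the response is due; negative means the deadline has passed."""
    return (response_due(req) - _day(today)).days


def confirmation_action(req: AccessRequest, today: DayLike) -> str:
    """Stage 1 decision: proceed, contact the requester, keep waiting, or refuse."""
    if req.identity_confirmed and req.info_sufficient:
        return "proceed"
    if req.contacted_on is None:
        return "contact requester"
    if (_day(today) - _day(req.contacted_on)).days >= FOLLOW_UP_DAYS:
        return "refuse and close"
    return "await requester"


if __name__ == "__main__":
    # Constructed sample: valid request received 2 August 2021, requester asked
    # for certified ID three days later, extension notified on 20 August.
    req = AccessRequest(received="2021-08-02", contacted_on="2021-08-05",
                        extension_notified_on="2021-08-20")
    print("response due:", response_due(req))
    print("stage 1 action on 2021-09-04:", confirmation_action(req, "2021-09-04"))
```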

A requester may seek specific personal data, e.g. in an individual document, or all personal data relating to them. Always read, in detail, the specific request submitted. If a request’s scope encompasses a large volume of records, ask the requester if they wish to prioritise retrieval of specific personal data.[38] Bear in mind, however, that the requester cannot be required to alter their request’s scope.

ii. Children’s right to access

A child[40] may exercise their right to access. In some cases, a guardian might help them. As regards guardianship, the child’s:
• mother and father are guardians if they were married when the child was born;[41]
• parents are guardians if they are a married same-sex couple who have jointly adopted the child;[42]
• mother is the automatic guardian if the child was born outside marriage;[43]
• father is a guardian if he:
  o and the child’s mother make a guardianship declaration;[44]
  o and the child’s mother aren’t married, but have cohabited for 12 months, 3 of which were after the child’s birth;[45]
  o is the subject of a Court order appointing him as guardian;[46]
  o marries the child’s mother after the child’s birth and is named on the child’s birth certificate;[47]
• guardian may have been appointed by a Court order.[48]

If a request concerns a child’s personal data:
• confirm that the requester is the child’s guardian before proceeding;
• consult with a Social Worker to identify if a care order is in place. If:
  o a care order[49] is in place, a guardian cannot exercise on their child’s behalf;
  o a voluntary,[50] emergency,[51] or interim[52] care order is in place, a guardian may exercise on their child’s behalf.

If guardianship cannot be verified, refuse the request as it relates to the child. Tusla employees are required to consider the best interests of the child in all matters.[53] If necessary, consult with a Social Worker.

iii. Subtasks

Mark as complete subtask:
1. if the requester’s identity cannot be confirmed;
2. if the requester supplied insufficient information;
3. if the requester’s guardianship of the child cannot be confirmed;
4. if the requester lodges a complaint with the DPC, and/or;
5. if the requester seeks a judicial remedy.

Footnotes
[35] Name card by nibras@design from the noun project
[36] CC information by selicon from the noun project
[37] CC scope by dinosoftlab from the noun project
[38] GDPR, rec 63 and Data Protection Commission, ‘Access and Portability’ (dataprotection.ie) <https://www.dataprotection.ie/en/organisations/know-your-obligations/access-and-portability> accessed 20 August 2021
[39] CC parenting by chinnaking from the noun project
[40] 2018 Act, s 29 defines a child as “a person under the age of 18 years”
[41] Guardianship of Infants Act 1964, ss 6(1)(a), 6(2), 6(3), and 6(4)
[42] Guardianship of Infants Act 1964, s 6(1)(b), 6(3B)
[43] Guardianship of Infants Act 1964, s 6(4)
[44] Guardianship of Infants Act 1964, s 2(4) and SI 210 of 2020
[45] Guardianship of Infants Act 1964, s 2(4A)
[46] Guardianship of Infants Act 1964, s 6A
[47] ibid 38
[48] Guardianship of Infants Act 1964, s 6C and 6E
[49] Child Care Act 1991, s 18
[50] Child Care Act 1991, s 4
[51] Child Care Act 1991, s 13
[52] Child Care Act 1991, s 17
[53] Child and Family Agency Act 2013, s 9(1)

2. Retrieval

i. The search document

Privacy Officers do not hold records relating to Tusla’s delivery of services. Contact the likely record holder to retrieve records falling within the request’s scope. To do so:
• send a search document to record holders to retrieve records falling within the request’s scope;
  o to comply with the GDPR’s timeline, records must be returned within one week of the document’s issue.
• a completed document must always be returned, even if no records are identified;
  o if the record holder does not engage, escalate the matter to your line manager for urgent follow-up.

The search document is intended to ensure that all records falling within the request’s scope are retrieved and facilitates collection of information relating to the requester and associated persons’ individual circumstances which is required for request-handling.

ii. Secure transmission

Retrieved records must be transmitted securely:
• use password protected .zip files to send files of less than ten megabytes via email. To create a password protected .zip file:
  o ensure ‘7-zip’ is installed;
  o right-click the relevant file;
  o select ‘7-zip’, then ‘Add to archive…’;
  o choose the settings indicated;
  o enter a secure password;
  o select ‘OK’.
• always log a copy of the original file, password protected file, and password;
• ensure the password is communicated only to the intended recipient(s);
• larger files may be uploaded via OneTrust. If the record holder requires OneTrust DSAR File Upload access, contact the Privacy Network Manager.

iii. Subtasks

Mark as complete subtask:
1. if no records are identifiable;
2. if less than 750 pages are retrieved;
3. if more than 750, but less than 1,500 pages are retrieved, or;
4. if over 3,000 pages are retrieved.

3. Scheduling

i. Storage

Retrieved records must be logged. Save:
• all retrieved records, search documents, and associated correspondence under ‘1. Returned’;
• a working copy of the records under ‘2. Scheduled’.

ii. Out-of-scope records and duplicates

Examine the working copy to identify and remove out-of-scope records and duplicates:
• out-of-scope records may include those comprising only non-personal data, e.g., blank forms or policy documents, or those containing only personal data concerning other individuals;
• the right to access entitles the requester to a copy, rather than multiple copies, of their personal data. Remove duplicates, which may be returned where a record is stored by multiple holders, repeatedly filed, or contained within an email chain.

iii. Complexity and extension

Consider whether the handling of the request will be complex. Factors which may contribute complexity to request-handling include, but are not limited to:
• engagement of An Garda Síochána;
• multiple requests;
• freedom of information request-handling;
• TellUs complaint-handling;
• prospective or ongoing proceedings, and;
• retrieval of large volumes of records.[56]

Extension of the response period may be necessary if request-handling is considered complex. If the response period will be extended, the requester must be informed within one month of the request’s receipt.[57]

If a request’s scope encompasses a large volume of records, ask the requester if they wish to prioritise retrieval of specific personal data.[58] Bear in mind, however, that the requester cannot be required to alter their request’s scope.

Consider also arranging for the issuance of a batched response, with records released to the requester on a regular basis over an agreed period.

iv. Consultation with a Social Worker

In handling a request, the need for consultation with a Social Worker may arise. The procedure for consultation with a Social Worker is set out at Appendix 1. Always ensure that a record of the consultation is logged.

v. Consultation with a Health Practitioner

In handling a request, the need for consultation with a Health Practitioner may arise. The procedure for consultation with a Social Worker is set out at Appendix 1. Always ensure that a record of the consultation is logged.

vi. Subtasks

Mark subtask 1. as complete if the response period will be extended.

Footnotes
[54] CC schedule by supalerk laipawat from the noun project
[55] CC jigsaw by mynamepong from the noun project
[56] Small, medium, and large requests are regarded as those comprising <750, <1,500, and >3,000 pages
[57] GDPR, art 12(3)
[58] ibid 38
[59] CC comment document by mateusz kowalewski from the noun project
[60] CC messages by designify.me from the noun project

4. Redaction

i. Storage

Save a copy of the scheduled records under ‘1. Marked’. If necessary, create a .pdf copy of the relevant record, e.g. by selecting ‘File’, then ‘Save as’, selecting ‘PDF’, and selecting ‘Save’ in Microsoft Office.

ii. Text recognition

Open the record in Adobe Acrobat 2020:
• select ‘Scan & OCR’;
• a second navigation pane will appear at the top of the screen;
• select ‘Recognize Text’, then ‘In This File’;
• choose the relevant pages, and;
• select ‘Recognize Text’.

iii. Restriction of the right to access

Data protection law restricts the right to access in certain circumstances. Any restriction must be strictly limited to what is necessary, in order to ensure the requester can exercise their right to the greatest extent possible.

All restrictions must be applied with reference to the relevant provisions of the:
• GDPR;
• 2018 Act;
• SI 82 of 1989, or;
• SI 83 of 1989.

See Part 4 - Restriction Guidance for more on the application of restrictions.

iv. Redaction

Open the record in Adobe Acrobat 2020:
• select ‘Redact’;
• a second navigation pane will appear at the top of the screen;
• select ‘Mark for Redaction’, then ‘Text & Images’;
  o highlight text or images to mark;
  o log a copy of the marked document under ‘1. Marked’. Note: redactions are not yet applied;
• select ‘Apply’ in the top navigation pane:
  o a dialog box will appear;
  o select ‘Yes’;
  o a left-hand pane will appear;

Footnotes
[61] CC redaction by dan hetteix from the noun project

  o select ‘Remove’;
  o hidden data and metadata, e.g. bookmarks, hidden elements, etc. are removed when the status bar indicates ‘Done’.
• log a copy of the redacted document as “Appendix 2” under ‘2. Redacted’.

v. Scheduling

To create a schedule of the specific restrictions which apply to the requester’s right to access:
• double-click the mark applied to the working copy;
• a dialog box will appear. Enter the relevant restriction, including the specific grounds for its application;
• select ‘Post’;
• when all details are entered, select the ‘Ellipsis’ in the right-hand pane;
• select ‘Create Comment Summary’;
• under:
  o ‘Layout’, select ‘Comments only’;
  o ‘Paper size’, select ‘A4’;
  o ‘Sort comments by’, select ‘Page’;
  o ‘Font Size’, select ‘Medium’;
  o ‘Include’, select ‘All comments’;
  o deselect the tickbox;
  o ensure all pages are included, and;
  o select ‘Create Comment Summary’.

The comment summary document will appear in a new window:
• select ‘Edit’ in the right-hand pane;
• retitle the document “Appendix 4 – Detail of restrictions”, and;
• log a copy of the document as “Appendix 4” under ‘2. Redacted’.

vi. Page numbering

Open the record in ‘Adobe Acrobat 2020’:
• select ‘Scan & OCR’;
• a navigation pane will appear at the top of the screen;
• select ‘Bates Numbering’, then ‘Add’.
• A dialog box will appear:
  o highlight the relevant record;
  o select ‘Add files…’ if additional records require numbering, and;
  o select ‘Ok’.
• A second dialog box will appear:
  o select ‘Insert Bates Number’;
  o input the number format to be applied;
  o place the string in ‘Right Header Text’, and;
  o select ‘Ok’.

vii. Support

Contact the Privacy Network Manager if support is needed, e.g. because:
• a file is particularly large or complex;
• queries arise, e.g. in relation to the application of a specific restriction, or;
• queries arise, e.g. in relation to the interaction between data protection law and other legislation.

viii. Subtasks

Mark as complete subtask:
1. if redaction support was sought, and/or;
2. if a legal query arises.

5. Review

i. Pathways

In order to finalise the handling of the request, ensure restrictions are correctly applied and that the schedule accurately reflects the applied restrictions. Never proceed to release if you are uncertain about a restriction’s application. Review your work by:

1. discussing with another Privacy Officer;

2. bringing queries to a regional case conference;

3. querying the DPU via the conference and Privacy Network Manager, or;

4. supplying the relevant elements to the DPU’s access team for review.

Tusla’s DPU will carry out regular and spot-check reviews in order to ensure that access requests are handled in accordance with the relevant provisions of data protection legislation.

ii. Subtasks

Mark as complete subtask:

1. if a Social Worker’s assessment is required, and/or;

2. if a Health Practitioner’s assessment is required.

6. Preparation

i. Finalisation

Prior to releasing the response:

• prepare the outcome letter, Appendix 1, and Appendix 3;

• collate the outcome letter and four appendices, and;

• ensure the requester’s contact details are valid so the right content goes to the right person at the right address.

ii. Governance

Ensure that your line manager is apprised of upcoming or anticipated responses.

7. Release

i. Secure communication

The response should be securely communicated to the requester. Records sent:

• electronically must be encrypted and the password supplied only when receipt is confirmed by the requester;

• in hardcopy must be sent by registered post or courier. Always:

o include return information;

o retain tracking information, and;

o instruct carriers that the records may be supplied only to the intended recipient and never left in a safe place or otherwise delivered.

8. Post-release

i. Observations, queries, concerns

Observations, queries, or concerns may not be submitted in all cases; however, any submissions made by the requester should be addressed locally to the greatest extent possible in the first instance. If advice or guidance is required, case-specific queries should be directed to the Privacy Network Manager.

Ensure copies of documentation and correspondence associated with post-release activity are logged.

ii. Complaints, judicial remedies

The requester has the right to lodge a complaint with the DPC and/or to seek a judicial remedy. Communicate notification of any complaint or proceedings to the Privacy Network Manager.

Ensure copies of documentation and correspondence associated with judicial remedies are logged.

iii. Subtasks

Mark subtask 1. as complete if observations, queries, or concerns are submitted.

9. Closure

i. Timelines

Requests should be closed after 30 days if:

• after release, no further correspondence is received, or;

• following the issuance of a response regarding the requester’s observations, queries, or concerns, no further correspondence is received.

If necessary, a request can be reopened.

Ensure copies of documentation and correspondence associated with closures are logged.

F. Part 4 - Restriction Guidance

1. Introduction

“[Personal data] is a threshold concept for the application of data protection law generally; if data being processed are not personal data, their processing is not [in-scope of the right]”.69 This means that restriction of the right requires consideration of its scope. The right gives the requester the possibility of obtaining information concerning, and a copy of, their ‘personal data’. The GDPR’s definition of personal data, which is set out above at Key definitions, comprises four elements:70

• “any information” may, among other things, include names, identification numbers, or descriptions of situations. The Court of Justice of the European Union (CJEU) interprets “any information” broadly.71

• “relating to” refers to the link between a piece of information and the requester. As above, the CJEU generally interprets “relating to” broadly.72

• “identified or identifiable” is also interpreted broadly. In practical terms, this element means that even information that isn’t immediately linked to the requester may be personal data.73 When considering whether information identifies a requester, or could make them identifiable, account should be taken of the “means reasonably likely to be used”74 to identify them.

• “natural person” narrows the right’s scope to information concerning living individuals. It is possible, however, that information relating to deceased or legal persons may also constitute personal data relating to a requester.75

The expansive definition of personal data means that requests must be considered with reference to the requester and associated persons’ individual circumstances.

69 Lee A. Bygrave, Luca Tosoni, ‘Article 4(1) Personal Data’ in Christopher Kuner, Lee A. Bygrave and Christopher Docksey (eds), The EU General Data Protection Regulation (GDPR): A Commentary (Oxford University Press 2020) 105
70 European Data Protection Board, Guidelines on personal data breach notification under Regulation 2016/679 (18/EN wp250, rev.01, European Data Protection Board 2018)
71 See, for example: C-465/00, C-138/01, and C-139/01 Rechnungshof (C-465/00) v Österreichischer Rundfunk and Others [2003] para 64, C-101/01 Reference to the Court under Article 234 EC by the Göta hovrätt (Sweden) for a preliminary ruling in the criminal proceedings before that court against Bodil Lindqvist [2003] para 27, C-524/06 Heinz Huber v Bundesrepublik Deutschland [2008] paras 31 and 43, C-73/07 Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy and Satamedia Oy [2008] para 35, C-291/12 Michael Schwarz v Stadt Bochum [2013] para 27, C-293/12 and C-594/12 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others [2014] para 26, C-212/13 František Ryneš v Úřad pro ochranu osobních údajů [2014] para 22, C-201/14 Smaranda Bara and Others v Casa Naţională de Asigurări de Sănătate and Others [2015] para 29, C-582/14 Patrick Breyer v Bundesrepublik Deutschland [2016] para 49, C-434/16 Peter Nowak v Data Protection Commissioner [2017] paras 34 and 36, and C-345/17 Request for a preliminary ruling from the Augstākā tiesa [2019] para 32
72 See, for example: C-434/16 Peter Nowak v Data Protection Commissioner [2017] para 35, C-141/12 and C-372/12 YS v Minister voor Immigratie, Integratie en Asiel and Minister voor Immigratie, Integratie en Asiel v M and S [2014] para 48
73 See, for example: C-582/14 Patrick Breyer v Bundesrepublik Deutschland [2016] paras 43 and 46
74 GDPR, rec 26
75 See, for example: C-92/09 and C-93/09 Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen [2010] para 53, C-419/14 WebMindLicenses kft v Nemzeti Adó- és Vámhivatal Kiemelt Adó- és Vám Főigazgatóság [2015] para 79, T-670/16 Digital Rights Ireland Ltd v European Commission [2017] para 25

i. Necessity and proportionality

The Charter requires that “[a]ny limitation on the exercise of the [right to access] must be provided for by law and respect the essence of [the right]. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”78 When considering:

• necessity;

o factually describe the need for the restriction;

o describe the right, i.e. access, that will be affected;

o define the objective of the restriction, and;

o confirm that the restriction is applied in the least invasive way possible.

• proportionality;

o describe the importance of the objective;

o assess the restriction’s scope, extent, and intensity;

o evaluate the fairness of the restriction, and;

o confirm the restriction is appropriate to the need.79

The European Data Protection Supervisor publishes detailed guidance on the assessment of necessity80 and proportionality81. These documents outline that, generally, restriction of the right to access must be grounded in legislation, be strictly necessary, and be strictly limited. In practical terms, restrictions must be applied sparingly and only where required with reference to the applicable data protection legislation.

ii. Specific restrictions

The restrictions set out in the GDPR, 2018 Act, SI 82 of 1989, and SI 83 of 1989 are detailed below with reference to whether, or to what extent, the circumstances in which they apply arise in the context of the Agency’s processing.

iii. Example 1

Applicable? 🗹
Provides that: “The relevant legislation is set out in this column.”
Summary: Checked restrictions apply in the context of Tusla’s processing.
Example: Art. 15(1) and (4) GDPR, ss 60(3)(a)(iv), (v), 60(3)(b), and 162(a) of the 2018 Act, rs 4(1) and 5(1) of SI 82 of 1989, and rs 4(1) and (3) of SI 83 of 1989

78 Charter, art 52(1)
79 European Data Protection Supervisor, ‘The EDPS quick-guide to necessity and proportionality’ (EDPS, 28 January 2020) <https://edps.europa.eu/sites/edp/files/publication/20-01-28_edps_quickguide_en.pdf> accessed 16 April 2021
80 European Data Protection Supervisor, ‘Assessing the necessity of measures that limit the fundamental right to the protection of personal data: A Toolkit’ (EDPS, 11 April 2017) <https://edps.europa.eu/sites/default/files/publication/17-06-01_necessity_toolkit_final_en.pdf> accessed 16 April 2021
81 European Data Protection Supervisor, ‘Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data’ (EDPS, 25 February 2019) <https://edps.europa.eu/sites/default/files/publication/19-02-25_proportionality_guidelines_en.pdf> accessed 16 April 2021

iv. Example 2

Applicable? 🗵
Provides that: “The relevant legislation is set out in this column.”
Summary: Crossed restrictions don’t apply in the context of Tusla’s processing.
Example: Ss 60(3)(a)(i) – (iii), 60(3)(a)(vi), 61, 94, and 158 of the 2018 Act.

2. Restrictions in the GDPR

i. Article 15(1)

Applicable? 🗹
Provides that: “The [requester] shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data”.
Summary: The right is to the requester’s personal data only, however:

• certain non-personal data, e.g. the headings under which a requester’s personal data is recorded, should be supplied to contextualise Tusla’s processing, and;

• others’ personal data may relate to a requester, e.g. Tusla employees’ names and assignment to their case.

Example:

1. A record holder retrieves a safety statement concerning a premises with which Ash T., the requester, has no connection. As the statement is non-personal data, it falls outside the right’s scope and may be excluded from the response.

2. A record holder retrieves a form containing the requester’s name and contact information. Fields which could include others’ personal data are blank. As the blank fields contextualise Tusla’s processing, the form should be released in full.

ii. Article 15(4)

Applicable? 🗹
Provides that: The requester’s “right to obtain [a copy of personal data] shall not adversely affect the rights and freedoms of others.”
Summary: Rights and freedoms are set out in documents such as the Charter, the European Convention on Human Rights, and the Constitution. A response to the requester can’t adversely affect others’:

• rights, e.g. to security of the person,83 or to respect for private and family life,84 or;

• freedoms, e.g. of thought, conscience, and religion,85 or of expression and information.86

The GDPR doesn’t define adverse effect, but its lawfulness, fairness, and transparency principle is relevant. In this connection, the:

• DPC notes that “[i]t should be transparent to individuals that personal data [are] or will be processed”,87

• United Kingdom’s Information Commissioner's Office states that “you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them.”88

If the response to a requester diminishes another person’s enjoyment of a right or freedom, it will give rise to adverse effects. A person’s rights and freedoms generally expire with them; this means that a release cannot adversely affect deceased persons. Art. 15(4) is applicable only when personal data’s release to the requester will result in a concrete adverse effect on a specific right or freedom enjoyed by another person.

The concrete adverse effect on a specific right or freedom must be cited when applying Art. 15(4). Consideration of its application should be guided by the requester and associated persons’ circumstances. Consult with a Social Worker, as outlined at Appendix 1, if information required for the application of this restriction is needed.

Example:

1. A record holder retrieves the minutes of a meeting that Paul S., Sylvia T., and a Social Worker attended. As Paul attended the meeting with Sylvia and the Social Worker, he likely knows the minutes’ contents and their release is unlikely to cause adverse effects.

2. Michael B. submits an access request to Tusla for birth and adoption information. A record holder retrieves a document listing Gabrielle B. as Michael’s mother. An enclosed note states that during her engagement with the Adoption Information and Tracing Service, Gabrielle indicated that she doesn’t wish to interact with Michael.

The requester and associated persons’ individual circumstances are considered to assess whether the release of mixed personal data, i.e. personal data relating to both Michael and Gabrielle, will adversely affect Gabrielle’s rights and freedoms. A Social Worker is consulted to obtain information needed to inform the restriction’s application.

As Gabrielle has indicated that she doesn’t wish to interact with Michael, it appears likely that the release of mixed personal data will adversely affect her right to respect for private and family life. As such, Michael’s right to access must be restricted as regards mixed personal data relating to Gabrielle and such personal data must be excluded from the response, citing the specific adverse effect on the relevant right.

83 Charter, art 6
84 Charter, art 7
85 Charter, art 10
86 Charter, art 11
87 DPC, ‘Principles of Data Protection’ (DPC) <https://www.dataprotection.ie/en/individuals/data-protection-basics/principles-data-protection> accessed 16 April 2021
88 Information Commissioner’s Office, ‘Principle (a): Lawfulness, fairness and transparency’ (Information Commissioner’s Office) <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/lawfulness-fairness-and-transparency/> accessed 16 April 2021

3. Restrictions in the 2018 Act

i. Section 60(3)(a)(i)

Applicable? 🗵
Restricts the right: To the extent “necessary and proportionate to safeguard cabinet confidentiality, parliamentary privilege, national security, defence and the international relations of the State”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Example: Nil.

ii. Section 60(3)(a)(ii)

Applicable? 🗵
Restricts the right: To the extent “necessary and proportionate for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.

iii. Section 60(3)(a)(iii)

Applicable? 🗵
Restricts the right: To the extent “necessary and proportionate for the administration of any tax, duty or other money due or owing to the State or a local authority in any case in which the non-application of the restrictions concerned would be likely to prejudice the aforementioned administration”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Example: Nil.

iv. Section 60(3)(a)(iv)

Applicable? 🗹
Restricts the right: To the extent “necessary and proportionate in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure”.
Summary: This restriction, which is one of four related to legal claims or proceedings, places personal data outside the right’s scope to the extent that it’s processed for the purpose of planning for or carrying out legal proceedings.

This restriction’s scope isn’t limited to claims or proceedings before the Court. It extends also to proceedings before a tribunal, a statutory body, or in connection with an administrative procedure. This restriction:

• requires specific consideration of necessity and proportionality, and;

• isn’t applicable if the claim or proceedings didn’t proceed or are concluded.

Example: A record holder retrieves a proposal document concerning planned proceedings intended to protect Elizabeth T., a highly vulnerable service user. The proposal anticipates that the proceedings’ commencement is likely to cause John P., the requester, to attempt to remove Elizabeth to another jurisdiction.

As the requester’s personal data are processed in contemplation of the proceedings’ establishment, and because his exercise of the right will likely undermine them, release must be restricted to the extent necessary for the proceedings’ exercise.

v. Section 60(3)(a)(v)

Applicable? 🗹
Restricts the right: To the extent “necessary and proportionate for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim”.
Summary: This restriction places personal data outside the right’s scope to the extent that it’s processed for the purpose of civil claim enforcement. This restriction requires specific consideration of necessity and proportionality.
Example: A record holder retrieves a letter concerning enforcement of a claim taken against James K., the requester, on foot of an alleged breach of contract. The letter anticipates that enforcement of the claim is likely to cause James to leave the jurisdiction.

As the requester’s personal data are processed for the purpose of enforcing a civil law claim, and because his exercise of the right will likely undermine this, release must be restricted to the extent necessary and proportionate for the claim’s enforcement.

vi. Section 60(3)(a)(vi)

Applicable? 🗵
Restricts the right: To the extent “necessary and proportionate for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.

vii. Section 60(3)(b)

Applicable? 🗹
Restricts the right: To the extent that “the personal data relating to the [requester] consist of an expression of opinion about the [requester] by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information”.
Summary: This restriction places personal data comprising an expression of opinion about the requester given by another person to a legitimately interested recipient outside the right’s scope.
Example: Gabriel L. submits a request to Tusla. A record holder retrieves a note which records Philippa G.’s disclosure to a Social Worker of alleged abuse. The note establishes that Philippa was given written assurance that her anonymity would be maintained.

As the requester’s personal data consist of an expression of opinion given in the context of a confidential disclosure, release must be restricted.

viii. Section 61(1)(a)

Applicable? 🗵
Restricts the right: To the extent that “the exercise of [the right to access] would be likely to render impossible, or seriously impair, the achievement of [processing … for archiving purposes in the public interest]”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Example: Nil.

ix. Section 61(1)(b)

Applicable? 🗵
Restricts the right: To the extent that “such restriction is necessary for the fulfilment of [processing … for archiving purposes in the public interest]”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.

x. Section 61(2)(a)

Applicable? 🗵
Restricts the right: To the extent that “the exercise of [the right to access] would be likely to render impossible, or seriously impair, the achievement of [processing … for scientific or historical research purposes or statistical purposes]”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.
Example: Nil.

xi. Section 61(2)(b)

Applicable? 🗵
Restricts the right: To the extent that “such restriction is necessary for the fulfilment of [processing … for scientific or historical research purposes or statistical purposes]”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.

xii. Section 94

Applicable? 🗵
Provides: Restrictions on exercise of data subject rights (Part 5)
Summary: The circumstances in which this restriction applies are not expected to arise in the context of Tusla’s processing.

Part 5 of the 2018 Act, i.e. sections 69 to 104 (as well as sections 118 to 128), concerns processing in-scope of the Law Enforcement Directive.89 The Directive’s provisions don’t apply to the Agency’s processing, which is carried out within the GDPR’s scope only.90
Example: Nil.

89 GDPR, art 2(2)(d)
90 GDPR, art 2(1)

xiii. Section 158(1)(a)

Applicable? 🗵
Restricts the right: To the extent that “the restrictions are necessary and proportionate to safeguard judicial independence and court proceedings”.
Summary: The circumstances in which this restriction applies are not expected to arise in the context of the Agency’s processing.
Example: Nil.

xiv. Section 162(a)(i)

Applicable? 🗹
Provides that: The right does not apply “to personal data processed for the purpose of seeking, receiving, or giving legal advice”.
Summary: Legal advice is oral or written advice given by a solicitor or a barrister about how the law applies. This restriction, which is the second of four related to legal claims or proceedings, places personal data outside the right’s scope to the extent that it is processed for the purpose of seeking, receiving, or giving legal advice.
Example:

1. A record holder retrieves a letter which contains a request for legal advice regarding Joann O., the requester.

As the requester’s personal data are processed for the purpose of seeking legal advice, release must be restricted.

2. A record holder retrieves a cover letter which encloses legal advice relating to Hugh C., the requester.

As the requester’s personal data are processed for the purpose of receiving legal advice, release must be restricted.

xv. Section 162(a)(ii)

Applicable? 🗹
Provides that: The right does not apply to “personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers”.
Summary: Legal professional privilege confers a privilege of exemption from disclosure of communications between a lawyer and their client. This restriction, which is the third of four related to legal claims or proceedings, places personal data which attracts legal privilege outside the right’s scope. There are two types of legal privilege:

• advice privilege, which is attracted by legal advice given by a lawyer to their client in any context, and;

• litigation privilege, which is attracted by draft or finalised documentation, regardless of its source, whose dominant purpose is in preparation for litigation.

Example:

1. A record holder retrieves a letter which contains privileged legal advice concerning Kayla D., the requester.

As Kayla’s personal data are contained within a letter that attracts legal advice privilege, release must be restricted.

2. A record holder retrieves a submission regarding Evan C., the requester, which was received for the purpose of preparing for litigation commenced by Tusla.

As the requester’s personal data are contained within a letter which attracts legal litigation privilege, release must be restricted.

xvi. Section 162(a)(iii)

Applicable? 🗹
Provides that: The right does not apply “where the exercise of such rights or performance of such obligations would constitute a contempt of court”.
Summary: Contempt of court protects the administration of justice by ensuring the Court’s orders are obeyed. This restriction, which is the fourth of four related to legal claims or proceedings, places personal data outside the right’s scope to the extent that release would give rise to contempt.
Example: A record holder retrieves a report concerning Wesley C., which was submitted by a Social Worker during proceedings for renewal of his care order that were held in camera. The report contains personal data relating to Jack C., the requester.

As the proceedings were held in camera, release must be restricted.

4. Restrictions in SI 82 of 1989

i. Regulation 4(1)

Applicable? 🗹
Provides that: “Information constituting health data shall not be supplied by or on behalf of a data controller to the [requester] in response to [an access request] if it would be likely to cause serious harm to [the physical or mental health of the requester].”
Summary: SI 82 of 1989 defines ‘health data’ as personal data relating to physical or mental health.91 This restriction places health data whose release will likely seriously harm the requester’s physical or mental health outside the right’s scope. This restriction is applicable only for as long as serious harm is likely to occur and, as outlined below, must be applied in connection with r 5(1).

Appendix 1 outlines the procedure for consultation with the appropriate Health Practitioner.
Example: A record holder retrieves a report containing health data whose release may seriously harm the requester’s mental health and emotional condition. Consultation with the appropriate Health Practitioner indicates that release of certain of the report’s contents will likely seriously harm the requester’s mental health.

As the personal data are likely to seriously harm the requester’s mental health, release must be restricted.

ii. Regulation 5(1)

Applicable? 🗹
Provides that: “A data controller who is not a health practitioner shall not supply information constituting health data in response to [a request], or withhold any such information on the grounds specified in Regulation 4 (1), unless he has first consulted the person who appears to him to be the appropriate [health practitioner].”
Summary: This restriction requires that any release or withholding of health data proceed only following consultation with the appropriate Health Practitioner.92

Appendix 1 outlines the procedure for consultation with the appropriate Health Practitioner.
Example: A Privacy Officer intends to restrict access to health data whose release will likely seriously harm the requester’s mental health and to release other health data which is not anticipated to cause serious harm.

As regulation 5 of SI 82 requires consultation with the appropriate Health Practitioner prior to any release or withholding of health data, such consultation must occur before proceeding.

91 SI 82 of 1989, r 3
92 SI 82 of 1989, r 3

5. Restrictions in SI 83 of 1989

i. Regulation 4(1)

Applicable? 🗹
Provides that: “Information constituting social work data shall not be supplied to the [requester] in response to [an access request] if it would be likely to cause serious harm to [the physical or mental health or emotional condition of the requester]”.
Summary: SI 83 of 1989 defines ‘social work data’ as personal data kept for, or obtained in the course of, carrying out social work by a public authority or other body.93 The definition of ‘social work data’ excludes ‘health data’, which is defined by SI 82 of 1989.94

This restriction places personal data constituting social work data which will likely seriously harm the requester’s physical health, or mental health or emotional condition, outside the right’s scope. This restriction is applicable only for as long as serious harm is likely to occur.

Consult with a Social Worker, as outlined at Appendix 1, if information required for the application of this restriction is needed.
Example: A record holder retrieves a report containing social work data whose release may seriously harm the requester’s mental health and emotional condition. Consultation with a social worker indicates that release of the report’s contents will likely seriously harm the requester’s mental health.

As the personal data are likely to seriously harm the requester’s mental health, release must be restricted.

93 SI 83 of 1989, ibid
94 ibid

ii. Regulation 4(3)

Applicable? Yes.

Provides that: “If the social work data include information supplied to a data controller by an individual (other than an employee or agent of the data controller) while carrying out social work, the data controller shall not supply that information to the [requester in response to an access request] without first consulting that individual.”

Summary: This restriction requires that social work data received from someone other than a Tusla employee or agent not be released without first consulting the provider.

Consult the provider, as outlined at Appendix 1, if information required for the application of this restriction is needed.

Example: A record holder retrieves a letter submitted by Christopher P., a member of the public, regarding service delivery to the requester. As the requester’s personal data are social work data provided by someone other than a Tusla employee or agent, the provider must be consulted before release.


G. Appendix 1

1. Consultation

Article 15(4) GDPR, regulations 4(1) and 5 of SI 82 of 1989, and regulations 4(1) and (3) of SI 83 of 1989 require that the response to a request not:

• adversely affect others’ rights and freedoms;
• seriously harm the requester’s physical or mental health or emotional condition;
• include social work data received from someone other than a Tusla employee or agent without first consulting the provider, or;
• include or withhold health data without first consulting the appropriate Health Practitioner.

Noting these requirements, Privacy Officers must consider:

• the nature of the personal data, which may include special categories of personal data;96
• the requester and associated persons’ individual circumstances, and;
• the context in which the request was received.

This consideration involves assessment of different factors, depending on the nature, scope, context, and purposes of the relevant processing. Requests whose scope includes personal data associated with adoption, for example, may need to take into account the state’s operation of a closed system of adoption, the publication by the Commission of Investigation into Mother and Baby Homes and certain related matters of its Final Report, and contemporary reporting in this connection.

Having considered the nature, scope, context, and purposes of the relevant processing, including the requester and associated persons’ individual circumstances, the assigned Officer may consider that health data fall within the request’s scope, or that release of certain personal data will likely adversely affect others’ rights and freedoms or seriously harm the requester’s physical or mental health or emotional condition.

Although serious harm in particular may be anticipated, Privacy Officers alone are neither equipped nor expected to carry out a comprehensive assessment in this connection. Consult with a Social Worker where necessary to ensure the request is handled in a way that allows compliance with the applicable data protection law to be demonstrated.97

96 GDPR, art. 9(1) defines ‘special categories of personal data’ (or ‘sensitive data’ as at recital 10 GDPR) as “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
97 GDPR, art 5(2)

i. Article 15(4) and Regulations 4(1)


Consult with a Social Worker. If the consultation indicates that releasing the relevant personal data:

• isn’t likely to cause serious harm to the requester’s physical or mental health or emotional condition, proceed to release;
• will likely cause serious harm to the requester’s physical or mental health or emotional condition, proceed to apply the relevant restriction(s) as set out above at Part 4.

ii. Regulation 4(3)

Consider consulting the person, other than a Tusla employee or agent, who provided the personal data regarding its possible release. If, within the GDPR’s thirty-day request-handling timeframe, consultation with the provider:

• is possible, consult the provider and proceed to release;
• isn’t possible, proceed to apply the relevant restriction(s) as set out above at Part 4.

iii. Regulation 5(1)

If health data fall within the request’s scope, consult the appropriate Health Practitioner, i.e.:

• the registered medical practitioner who cares, or most recently cared, for the requester in connection with the health data’s subject matter;101
• when more than one such person is available, the person most suitable to advise,102 or;
• where no such person is available, a Health Practitioner possessing the necessary experience and qualifications to advise.103

As Social Workers are registrants of a designated profession,104,105,106 they may be regarded as the appropriate Health Practitioner for the purposes of SI 82 of 1989.

101 SI 82 of 1989, r 5(2)(a)
102 SI 82 of 1989, r 5(2)(b)
103 SI 82 of 1989, r 5(2)(c)
104 SI 82 of 1989, r 3
105 Health and Social Care Professionals Act 2005, ss 3(1) and 4(1)(k)
106 Health Identifiers Act 2014, s 2(1)