Policing Restrictions

Right to information Law Enforcement Context I

A law enforcement data controller must ensure that the data subject is provided with, or, as appropriate, has made available to him or her, the information specified below in relation to personal data relating to him or her within a reasonable period after the date on which the controller obtains the personal data concerned, having regard to the circumstances in which the data are or are to be processed.

The information concerned is:

  • the identity and the contact details of the controller;
  • the contact details of the data protection officer of the controller, where applicable;
  • the purpose for which the personal data are intended to be processed or are being processed;
  • information detailing the right of the data subject to a request from the controller
  • access to, and the rectification or erasure of, the personal data;
  • information detailing the right of the data subject to lodge a complaint with the Commission and the contact details of the Commission.

This information may be made available to the data subject by means of publication on the website of the controller.


Right to information Law Enforcement Context II

In individual cases where further information is necessary to enable the data subject to exercise his rights, having regard to the circumstances in which the personal data are or are to be processed, including the manner in which the data are or have been collected, any such information, the following shall be furnished

  • the legal basis for the processing of the data concerned;
  • the period for which the data concerned will be retained, or where it is not possible to determine the said period at the time of the giving of the information, the criteria used to determine the said period;
  • where applicable, each category of recipients of the data.

The information is not required to be given where

  • it is already in the possession of the data subject, or
  • where, in particular in the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the provision of the information proves impossible or would involve a disproportionate effort.

Right of access Law Enforcement Context

An individual who believes that personal data relating to him or her have been or are being processed by or on behalf of a controller, if he or she so requests the controller by notice in writing shall be informed by the controller whether personal data relating to him or her have been or are being processed by or on behalf of the controller.

Where such data have been or are being so processed, he shall be provided by the controller with the following information:

  • a description of the purpose of, and the legal basis for, the processing,
  • a description of the categories of personal data concerned,
  • a description of the recipients or categories of recipients to whom the personal data concerned have been disclosed, and
  • a description of the period for which the personal data concerned will be retained, or where it is not possible to determine the said period at the time of the giving of the information, the criteria used to determine the said period;
  • information detailing the right of the data subject to a request from the controller the rectification or erasure of the personal data concerned;
  • information detailing the right of the data subject to lodge a complaint with the Commission and the contact details of the Commission;
  • communication of the personal data concerned;
  • any available information as to the origin of the personal data concerned, unless the communication of that information is contrary to the public interest.

A controller must respond to a request and provide the information specified to the data subject as soon as may be and, in any event not later than one month after the date on which the request is made.


Identifying Requester

When making a request, the data subject shall provide such information as the controller may reasonably require to—

  • satisfy itself as to the identity of the data subject,
  • locate any relevant personal data, and
  • satisfy itself as to whether the personal data concerned are inaccurate or as to the basis on which the data should be erased, as the case may be.

Where a controller has reasonable doubts as to the identity of an individual making a request or reasonably requires additional information to locate any relevant personal data, it may request such additional information from the data  subject as may be necessary to confirm his or her identity or to enable it to locate such personal data or information, as the case may be The period of time from the making of such a request for additional information until the request is complied with shall not be reckonable for the purpose of the timelines.

Where taking into account the complexity of a request and the number of such requests received by the controller, the controller is of the opinion that it requires additional time to consider the

request, it may, once only and within one month from the date of the receipt of the request, extend the time period by such further period not exceeding 2 months as it may specify by notice in writing to the individual making the request. The notice in writing shall include the reason for which the controller is of the opinion that it requires additional time to consider the request.


Must Exclude Third Party Personal Data

Where information that a controller would otherwise be required to provide to a data subject pursuant) includes personal data relating to another individual that would reveal, or would be capable of revealing, the identity of the individual, the controller—

  • shall not provide the data subject with the information that constitutes such personal data relating to the other individual, and
  • shall provide the data subject with a summary of the personal data concerned that in so far as is possible, permits the data subject to exercise his or her rights under the Act, and does not reveal, or is not capable of revealing, the identity of the other individual.

This does not apply where the individual to whom the personal data that would reveal, or would be capable of revealing his or her identity, relate consents to the provision of the information concerned to the data subject making a request.


Furnishing the Information

The obligations to furnish any available information as to the origin othe personal data concerned, (unless the communication of that information is contrary to the public interest) shall becomplied with by supplying the data subject with a copy of the information concerned in permanent form unless the supply of such a copy is not possible or would involve disproportionate effort, or the data subject agrees otherwise.

Where a controller has previously complied with a request), the controller is not obliged to comply with a subsequent identical or similar request by the same individual unless, in the opinion of the controller, a reasonable interval has elapsed between compliance with the previous request and the making of the current request.

For this purpose, regard shall be had to the nature of the personal data, the purpose for which the personal data are processed and the frequency with which the personal data are altered. Where a controller, refuses to act upon a request, it shall, as soon as practicable, so notify the data subject in writing.


Right to rectification

Where a data subject is of the opinion that a controller is processing personal data relating to him or her that are inaccurate, the data subject may make a request in writing to the controller for the controller to rectify the data concerned. Personal data are inaccurate if they are incorrect or misleading as to any matter of fact, or they are incomplete in a material manner.

A controller that receives a request shall, where it is satisfied that the personal data to which the request relates are inaccurate, rectify the data as soon as may be and, in any event, no later than one month after the date on which the request is made.

This is subject to the below limitations. The provision does not apply to personal data that are contained in witness statements.


Erasure and restriction of processing

Where a data subject is of the opinion that a controller is processing personal data relating to him or her in a manner that contravenes the data processing principles, that are required to be erased by the controller in accordance with a legal obligation to which the controller is subject, the data subject may make a request in writing to the controller to erase the data concerned.

A controller that receives a request, where it is satisfied that the above conditions apply to the personal data to which the request relates, erase the data as soon as may be and, in any event, no later than one month after the date on which the request is made.

Where a data subject makes a request and the accuracy of the data is contested by the data subject, and it is not possible to ascertain whether the data are so inaccurate, or  the personal data are required for the purposes of evidence in proceedings before a court or tribunal or in another form of official inquiry, the controller shall restrict the processing of the data and shall not rectify or erase the data, as the case may be.


Notice

Where a controller accepts that the personal data to which the request relates should be rectified, erased or restricted, the controller shall, as soon as practicable, notify in writing the data subject concerned, each controller from which the personal data concerned were received, and each person to whom the personal data concerned were disclosed, of the rectification, erasure or restriction concerned, as the case may be.

Where a person (or body) to whom personal data were disclosed is notified under the above provision of the rectification or erasure of the data or the restriction of the processing of the data,

the person shall rectify or erase, or restrict the processing of, as the case may be, any of the data concerned that the person has under his or her control in the same manner, and to the same extent, as the controller making the notification has rectified or erased, or restricted the processing of, as the case may be, the data concerned.


Information Provided

Where a controller provides or makes available information to a data subject provides or makes available information to, or communicates with, a data subject pursuant to a request under the above provisions, the controller shall take all reasonable steps to ensure the information is provided or made available, or the communication is made, as the case may be, in a concise,intelligible and easily accessible form using clear and plain language.

The information or communication, as the case may be, shall be provided to the data subject by appropriate means, including by electronic means, and in the case of a communication with a data subject pursuant to a request in so far as is possible, be provided in the same form as that in which the request is made.

A controller shall not impose a charge on a data subject for information provided, an information request or for rectification.  Where a data subject makes a request to a controller that is a) manifestly unfounded, or excessive in nature, having regard to the number of requests made by the data subject to the controller, the controller may charge a reasonable fee to the data subject in respect of the request, having regard to the administrative cost to the controller of complying with the request, or refuse to act upon the request.

Information provided pursuant to a request may take account of any amendment of the personal data concerned made since the receipt of the request by the controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.


Rejecting Application to Rectify, Restrict or Erase or Lifting Restriction

Where a controller receives a request and the controller is not satisfied that, as the case may be that the personal data to which the request relates should be rectified, erased or restricted, the controller shall, as soon as practicable, so notify the data subject in writing. The notification shall include the reasons for the controller’s decision under that subsection, and information relating to the data subject’s right to request the Data Protection Commission to verify the lawfulness of the processing concerned.

Where a controller has restricted the processing of personal data and proposes to lift the restriction, the controller shall inform the data subject prior to the lifting of the restriction. Where a controller that restricted the processing of personal data lifts the said restriction, the controller shall notify any person who was notified under the above provisions of the said restriction of the lifting of the restriction as soon as practicable.

The person so notified shall lift any restriction of the processing of the data concerned implemented in the same manner, and to the same extent, as the controller making the notification has lifted the restriction on the processing of the data concerned.

Where a controller, refuses to act upon a request on a lawful basis, it shall, as soon as practicable, so notify the data subject in writing. The notification shall include the reasons for which the controller is refusing to act upon the request, information relating to the right of the data to lodge a complaint with the Commission and the contact details of the Commission.

Where a controller refuses to act upon a request made to the controller by a data subject, it shall be for the controller to demonstrate that the request was manifestly unfounded or excessive in nature.


Restrictions on exercise of data subject rights (Law Enforcement) I

A controller, with respect to personal data for which it is responsible, may restrict, wholly or partly, the exercise of a right of a data subject specified below. This provision applies where the controller is satisfied that restricting the exercise of a right under this provision constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject for the purposes of—

  • avoiding obstructing official or legal inquiries, investigations or procedures,
  • avoiding prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties,
  • protecting public security,
  • protecting national security, or
  • protecting the rights and freedoms of other persons.

Restrictions on exercise of data subject rights (Law Enforcement) II

The purposes for which the rights of a data subject may be excluded, include in particular, the following:

  • the prevention, detection or investigation of offences, the apprehension or prosecution of offenders or the effectiveness of lawful methods, systems, plans or procedures employed for the purposes of the matters aforesaid;
  • the enforcement of, compliance with or administration of any enactment related to criminal procedure and policing
  • ensuring the safety of the public and the safety or security of individuals and property;
  • ensuring the fairness of criminal proceedings in a court or other tribunal;
  • ensuring the security of a penal institution, a children detention school, a remand centre, the Central Mental Hospital, or any system of communications, whether internal or external, of the Garda Síochána, the Defence Forces, the Revenue Commissioners or a penal institution;
  • protecting the life, safety or well-being of any person;
  • preventing the facilitation of the commission of an offence;
  • avoiding the prejudice or impairment of national security, defence or the international relations of the State;
  • avoiding the obstruction or impairment of official or legal inquiries,
  • investigations or procedures or the operation of legal privilege.

Restrictions that may Apply I

The restrictions may apply to the following

  • the right of the data subject in relation to individual cases, including the basis for processing, period held and third-party recipients
  • the rights of the data subject to find out whether data is being held is being used / processed and particulars of such use
  • the right of the data subject to be notified of the restriction of the processing of personal data or of a decision not to rectify or erase data pursuant to a request

Where a controller restricts the exercise of such rights, the controller shall notify the data subject in writing of the restriction of the exercise of the right and the reasons for such restriction, and the right of the data subject to request the Commission to verify the lawfulness of the processing concerned, or to seek a judicial remedy in relation to the said restriction.


Restrictions that may Apply II

This does not apply where to notify the data subject constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the data subject for the purposes of

  • avoiding obstructing official or legal inquiries, investigations or procedures,
  • avoiding prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties,
  • protecting public security,
  • protecting national security, or
  • protecting the rights and freedoms of other persons

Where a controller restricts, pursuant to the above power, the exercise of the right of a data subject the controller shall—

  • create and maintain a record in writing of the factual or legal basis for the decision to so restrict the right concerned, and
  • make such a record available to the Commission, if so requested by the Commission.

Regulations

Regulations may be made specifying a category of processing to be a category of

processing in respect of which the exercise of general rights may be restricted. The Minister of the Government making regulations shall have regard to—

  • the nature, scope and purposes of the category of processing concerned,
  • whether, having regard to those matters, the restriction concerned is one to which the balancing of rights in a democratic society would apply, and
  • any risks arising for the rights and freedoms of data subjects.

The Regulations made shall—

  • respect the essence of the right to data protection and protect the interests of the data subject, and
  • restrict the exercise of data subject rights only in so far as is necessary and be
  • proportionate to the aim sought to be achieved.

Indirect exercise of rights and verification by Commission Law Enforcement Context

Where an individual—

  • is aware, having been notified), that the exercise of his or her rights have been restricted by a controller as provided above, or
  • believes that the exercise of his or her rights have been so restricted and that he

or she has not been notified of the said restriction the individual may make a request in writing to the Commission to verify whether the controller is processing personal data relating to him or her and if so, whether the processing is in compliance with Part.5 of the Data Protection Act 2018.

Where the Commission receives a request, it may take such steps as appear to it to be appropriate, The Commission, having taken the steps shall inform the individual making the request that all necessary verifications or reviews have been carried out by the Commission, and f his or her right to seek a judicial remedy.

This does not require the Commission to disclose to a data subject whether or not a controller has processed, or is processing, personal data relating to him or her.


Law Enforcement Context

The access and  other rights do not apply to the processing of personal data by Forensic ScienceIreland of the Department of Justice and Equality, insofar as it relates to the processing ofpersonal data in the context of the forensic criminal investigation functions performed by Forensic Science Ireland, including the analysis of specimens,

  • an investigation being undertaken by An Garda Síochána or the Garda Síochána Ombudsman Commission, or
  • the approval, supply, testing and maintenance of apparatus and of equipment.

Confidential Opinions and Inquiries

The general right of access does not apply

  • in respect of personal data relating to the data subject that consists of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential, or
  • the recipients or categories of persons to whom that data have been disclosed in so far as a recipient referred to therein is a public authority which may receive data in the context of a particular inquiry in accordance with the law of the State.

References and Sources

Data Protection Act 1988

Data Protection (Amendment) Act 2003

Data Protection Act 2018

Data Protection (Fees) Regulations 1988, S.I. No. 347 of 1988

Data Protection Act 1988 (Commencement) Order 1988, S.I. No. 349 of 1988

Data Protection (Registration Period) Regulations 1988, S.I. No. 350 of 1988

Data Protection (Registration) Regulations 1988, S.I. No. 351 of 1988

Data Protection Act 1988 (Restriction of Section 4) Regulations 1989, S.I. No. 81 of 1989

Data Protection (Access Modification) (Health) Regulations 1989, S.I. No. 82 of 1989

Data Protection (Access Modification) (Social Work) Regulations 1989, S.I. No. 83 of 1989

Data Protection Act 1988 (Section 5 (1) (D)) (Specification) Regulations 1993, S.I. No. 95 of 1993

Data Protection Commissioner Superannuation Scheme 1993, S.I. No. 141 of 1993

Data Protection Act 1988 (Section 16(1)) Regulations 2007, S.I. No. 657 of 2007

Data Protection (Fees) Regulations 2007, S.I. No. 658 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection (Processing of Genetic Data) Regulations 2007, S.I. No. 687 of 2007

Data Protection Act 1988 (Section 5(1)(D)) (Specification) Regulations 2009, S.I. No. 421 of 2009

Data Protection Act 1988 (Section 2B) Regulations 2011, S.I. No.486 of 2011

Data Protection Act 1988 (Section 2B) Regulations 2012, S.I. No.209 of 2012

Data Protection Act 1988 (Section 2A) Regulations 2013, S.I. No.313 of 2013

Data Protection Act 1988 (Commencement) Order 2014, Sino. 337 of 2014

Data Protection Act 1988 (Section 2B) Regulations 2015, S.I. No.240 of 2015

Data Protection Act 1988 (Section 2A) Regulations 2016, S.I. No.220 of 2016

Data Protection Act 1988 (Section 2B) Regulations 2016, S.I. No.426 of 2016

Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016, S.I. No. 427 of 2016

Data Protection (Amendment) Act 2003 (Commencement)Order 2003, S.I. No. 207 of 2003

Data Protection (Amendment) Act 2003 (Commencement) Order 2007, S.I. No. 656 of 2007

Data Protection (Amendment) Act 2003 (Commencement) Order 2014

EU Legislation

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Irish Books

EU Data Protection Law Kelleher & Murray           2018

Information & Technology Communications Law Kennedy & Murphy         2017

Social Networking           Lambert               2014

Law Society PPG Hyland Technology & Intellectual Property Law                 2008

Information Technology Law in Ireland   2 Kelleher & Murray       2007

Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016

Privacy & Data Protection Law in Ireland                Kelleher               2015

Data Protection: A Practical Guide to Irish & EU Law         Carey    2010

Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003

EU and UK Texts

Information Technology and Intellectual Property Law 7th ed 2018 Bainbridge 2018

Guide to the General Data Protection Regulation and the UK Data Protection Act 2nd ed

Rosemary Jay 2018

Government and Information: The Law Relating to Access, Disclosure and Their Regulation 5th ed

Patrick Birkinshaw, Mike Varney 2018

Commentary on the EU General Data Protection Regulation Christopher Kuner, Lee A. Bygrave, Christopher Docksey 2018

A User’s Guide to Data Protection: Law and Policy A User’s Guide to Data Protection: Law and Policy 3rd ed Paul Lambert 2018

Protecting Individuals Against the Negative Impact of Big Data: Potential and Limitations of the Privacy and Data Protection Law Approach Manon Oostveen July 2018

Information Exchange and EU Law Enforcement Information Exchange and EU Law Enforcement Anna Fiodorova 2018

Data Privacy and Cybersecurity: A Practical Guide Rafi Azim-Khan 2018

The General Data Protection Regulations (GDPR): How to get GDPR consent Simon McNidder 2018

The Cambridge Handbook of Consumer Privacy Edited by: Evan Selinger, Jules Polonetsky, Omar Tene 2018

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 5th ed Peter Carey 2018

The EU General Data Protection Regulation (GDPR): A Commentary Lukas Feiler, Nikolaus Forgo, Michaela Weigln 2018

A Practical Guide to the General Data Protection Regulation (GDPR) Keith Markham 2018

EU Data Protection Law EU Data Protection Law Denis Kelleher, Karen Murray 2018

New European General Data Protection Regulation: A Practitioner’s Guide Edited by: Daniel Rucker, Tobias Kugler 2017

Encyclopaedia of Data Protection and Privacy Annual Subscription Rosemary Jay, Hazel Grant, Sue Cullen, Timothy Pitt-Payne 2017

Determann’s Field Guide to International Data Privacy Law Compliance 3rd ed 2017

The EU General Data Protection Regulation (GDPR): A Practical Guide Paul Voigt, Axel von dem Bussche 2017

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide Alan Calder, Richard Campo, Adrian Ross 2017

Privacy, Data Protection and Cybersecurity in Europe Privacy, Data Protection and Cybersecurity in Europe Edited by:  Wolf J. Schunemann, Max-Otto Baumann 2017

Guide to the General Data Protection Regulation: A Companion to the 4th ed of Data Protection Law and Practice Rosemary Jay 2017

Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Post-Reform Personal Data Protection in the European Union: General Data Protection Regulation (EU) 2016/679 Mariusz Krzysztofek 2016

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016

EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Alan Calder, Richard Campo, Adrian Ross 2016

Data Protection and Privacy: International Series Data Protection and Privacy: International Series 3rd ed Edited by: Monika Kuschewsky 2016

Data Protection: The New Rules Ian Long 2016

A User’s Guide to Data Protection A User’s Guide to Data Protection 2nd ed Paul Lambert 2016

The Foundations of EU Data Protection Law Orla Lynskey 2015

Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015

Data Protection: A Practical Guide to UK and EU Law Data Protection: A Practical Guide to UK and EU Law 4th ed Peter Carey 2015

Data Protection: Law and Practice 4th ed with 1st Supplement Data Protection: Law and Practice 4th ed with 1st Supplement Rosemary Jay 2014

Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014

Cloud Computing Law Christopher Millard 2013

Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013

Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013

A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013

Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012

Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012

Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011

Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011

Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011

Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010

Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008