Open Access: A citizen’s guide to discovering who holds your info - and what's in there

Our community-driven platform Noteworthy shows you how access your personal information from both public bodies and private companies.

By Ken Foxe

THE KEY TO making good decisions is having access to good information. The team at Noteworthy, the community-led investigative platform from TheJournal, presents this four-part series which aims to give YOU the power to access data from public authorities on matters that impact on your life.

Today, we look at access to personal information.

When people think of getting information from public bodies, they often think of Freedom of Information (FOI). But when it comes to accessing records which contain your personal information, there are now more avenues than FOI.

Of course, it’s still a useful route – while many think of the FOI request as the preserve of journalists for stories about politicians’ expenses or the behind the scenes of some dubious government decision, in fact of the nearly 40,000 FOI requests last year, nearly 60% were for personal information.

Since 2018, however, many citizens have been able to make similar requests instead using the General Data Protection Regulation, more commonly known as GDPR.

Request Type

How Noteworthy uses personal information requests

Freedom of Information has many uses but one thing journalists cannot do is use it to access the personal information of other people.

This is only right and the citizen’s right to privacy when it comes to medical care, social welfare, and other state services is protected.

Where Noteworthy in fact has been able to assist citizens in this regard is to help people tell their own stories by guiding them through the process of accessing their own personal records, and information held about them that they may have been totally unaware of.

In this regard, we have found that going down the route of subject access requests is particularly powerful. Today we would like to share how we have done that – and hope it will be of some use to your own journey of discovery.

How you can make requests for personal information

Personal information is sought by an individual for many reasons.

They might want to know why medical treatment went wrong, why a loved one wasn’t taken care of as well as they should have been, or what was behind a decision to refuse them a state benefit or housing.

This could be so that they can make an appeal, because they plan to take a case to court, or a simple matter of curiosity.

Whatever the reason, there are two key options for citizens in accessing personal information.

We will start with GDPR and how you can make a request for your own records.

The key advantage of GDPR compared to FOI is that it is not only public bodies who have to process your request, but other private and commercial organisations do too.

The journalist Richie Oakley for instance was able to access records (using GDPR’s predecessor law) from gambling company Paddy Power where they tracked his betting history, and the sports and events where he was likely to win and lose money.

It also applies to all the obvious state agencies you can think of – hospitals, the Department of Employment Affairs, the HSE, An Garda Síochána, and so on.

Making a request is simple. The first step is to find out who the data controller for the organisation is.

This point of contact – normally an email address – can usually be found on their website, or with a quick phone call to their offices.

Next, you say that you are making a request under Article 15 of the GDPR for a copy of any information they hold about you. This page from the Data Protection Commissioner will help guide you through the steps.

An important thing to keep in mind is that you will have to provide evidence of who you are.

This is reasonable because otherwise people could abuse the system, and try to seek access to records belonging to another person.

Many people still use the FOI Act to access their own personal information however, not least because it is more familiar.

There are a couple of reasons for this.

With it, you can seek access to a broader range of records and it is a simple matter of sending a request saying “Under the FOI Act, I am seeking the following.”

As part of this series, investigative reporter Maria Delaney wrote about FOI requests and how to make them, which you can read here.  

So, if say a hospital provided you with poor treatment when you were sick; you could access not just the material relating to yourself but records that might give a wider picture of what was happening in the hospital that day.

Sometimes what feels like personal information might not really be personal information.

If your local county council made a decision to dig up the road outside your house yet again, that might feel personal to you but it wouldn’t necessarily be classified as “personal information”.

It would be an administrative decision but nonetheless easily obtainable under FOI.
The same would go for litter, pollution, anti-social behavior, or other environmental issues that were a problem in your area.

Information lawyer Fred Logue of FP Logue Solicitors says it shouldn’t really matter whether you use GDPR or FOI.

It should be automatic – you should get the same treatment whichever one you use. The first thing you should do is ask for the records – you don’t have to fill out a form; you just ask and they have to give it to you.If they’re pushing back on your request, only then should you need to think about your rights.

He said FOI was still used by many for personal information because of its familiarity while having an appeal dealt with is also quicker.

“It shouldn’t be a case of which is better or worse. There should be an equivalence and it shouldn’t make any difference which you use.”

Loved ones

Another advantage of FOI is when you are seeking records relating to a deceased loved one or a person who is incapacitated.

This might crop up where a person has died in a hospital or nursing home and there are questions unanswered over what happened.

Equally, it could apply if a person was in permanent care but did not have the ability to make decisions or requests for themselves.

In his annual report last year, the Information Commissioner made this a particular point of emphasis citing two cases where he had ruled a local authority and a government department must release those types of records. You can find them on Page 37.

Complications

By far the most complicated aspect of “personal information” is that information relating to you might also be personal to somebody else.

A good recent example of this was in the discussion over the archive of the Mother and Baby Home Commission and access to its records.

People can be refused access to their own records if another interest, either public or private, also needs to be protected.

Suffice it to say, cases are not always straightforward and there are many scenarios where competing rights like this can crop up.

There are other areas where access to your own data is not guaranteed.

Many people would, for instance, like to know what (if any) information is held about them by An Garda Síochána – and that is possible.

That might not apply if, say, you are the subject of an ongoing investigation as clearly gardaí need to be able to gather confidential information during an inquiry.

Similarly, information can’t be released if it would be likely to identify somebody else, eg, a witness or a garda source.

The last thing to say is that if you are seeking personal information with a view to pursuing a case in court, it would always be advisable to consult with a solicitor.

Ken Foxe is a director of Right to Know, an organisation set up to pursue transparency and has conducted investigations for Noteworthy.

  • If you found this guide to accessing information useful, you might consider supporting more of Noteworthy’s work with a contribution to our general fund.
  • You can also submit ideas for investigations or stories you would like us to cover here.

Proposals
   Search for Proposals