This section attempts to explain some of the background to the transfer of records from the Commission of Investigation to the Minister for Children, Equality, Disability, Integration and Youth, the relevant concepts of data protection law which apply and what should happen next.
Is there something we’re missing which you’d like to see an explanation of? Just get in touch and we’ll give it a shot.
Where better to start than with a quote from the Data Protection Commission’s explanation of what data protection is because it is a frequently misunderstood concept. The Data Protection Commission (DPC) is responsible for overseeing processing of personal data in Ireland.
Data protection is a fundamental right set out in Article Eight of the EU Charter of Fundamental Rights.
- Everyone has the right to the protection of personal data concerning him or her.
- Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned, or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
- Compliance with these rules shall be subject to control by an independent authority.
This means that every individual is entitled to have their personal information protected, used in a fair and legal way, and made available to them when they ask for a copy. If an individual feels that their personal information is wrong, they are entitled to ask for that information to be corrected.
Data protection is about protecting the rights of people, not protecting data. Article Eight of the Charter which is quoted in full above identifies two of the most important data protection rights, the right of access and the right to rectification.
The first sentence of the first recital of the General Data Protection Regulation is “The protection of natural persons in relation to the processing of personal data is a fundamental right.”
The General Data Protection Regulation (GDPR) is the law which applies to most kinds of processing of personal data and it applies directly in Ireland (and across the EU), along with further national rules set out in the Irish Data Protection Act 2018.
The GDPR gives individuals rights and imposes obligations on organisations who are processing personal data, called data controllers.
“The processing of personal data should be designed to serve humankind and, within this context, one of the main objectives of data protection law is to enhance data subjects’ control over their data.”
— European Data Protection Board, ‘Statement on restrictions on data subject rights in connection to the state of emergency in Member States’, June 2020
Survivors of incarceration in Ireland’s institutions have been denied crucial parts of their stories, a part of their humanity. Any continuation of this denial is not in any way serving humankind.
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
Examples of the types of personal data which may be contained in the archive of the Mother and Baby Homes Commission of Investigation include
Records held in respect of mothers who gave birth in the institutions:
Records held in respect of children who were born in the institutions:
What constitutes data processing in European law is considerably broader than many people realise. Any of the following activities, when applied to personal data or sets of personal data qualify as processing
So doing almost anything with personal data besides thinking about it constitutes data processing.
When the Commission of Investigation erased the audio recordings of 550 testimonies people gave to its Confidential Committee it processed personal data.
Even if the Department of Children Equality, Disability, Integration and Youth took the Commission of Investigation’s archive which is due to be transferred at the end of February 2021 and put it in storage with no intention of doing anything with it for a long time, the Department is still processing personal data.
Data protection law gives these concepts real substance.
All personal data processed by an organisation must be processed in accordance with the principles of data protection. The first of these principles is “lawfulness, fairness and transparency”.
“The principle of fair processing governs primarily the relationship between the controller and the data subject … Controllers should notify data subjects and the general public that they will process data in a lawful and transparent manner and must be able to demonstrate the compliance of processing operations with the GDPR. Processing operations must not be performed in secret and data subjects should be aware of potential risks. Further-more, controllers, so far as possible, must act in a way which promptly complies with the wishes of the data subject, especially where his or her consent forms the legal basis for the data processing.”
— European Union Fundamental Rights Agency, Handbook on European Data Protection Law , page 118
Recital 60 of the GDPR says “The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes”. This means you cannot be left unaware that someone is processing your personal data.
“This principle establishes an obligation for the controller to take any appropriate measure in order to keep the data subjects – who may be users, customers or clients – informed about how their data are being used. Transparency may refer to the information given to the individual before the processing starts, the information that should be readily accessible to data subjects during the processing, but also to the information given to data subjects following a request of access to their own data.
Processing operations must be explained to the data subjects in an easily accessible way which ensures that they understand what will happen to their data. This means that the specific purpose of processing personal data must be known by the data subject at the time of the collection of the personal data. The transparency of processing requires that clear and plain language be used. It must be clear to the people concerned what are the risks, rules, safeguards and rights regarding the processing of their personal data.”
— European Union Fundamental Rights Agency, Handbook on European Data Protection Law , page 120
People in Europe have the right to ask any organisation whether or not it holds any personal data which concerns them. If the organisation does hold personal data concerning them then they have the right to access that data, be provided with a copy of the data and receive relevant additional information about the processing of their personal data.
In almost all circumstances the information should be provided free of charge and within one month of the request being made. If the organisation doesn’t give the person who requests it a copy of their personal data then it must give them an explanation of why it cannot or will not do so.
Asking for a copy of your data is done by sending an organisation what is called a Subject Access Request or Data Subject Access Request.
If an organisation does not respond to a Subject Access Request fully or at all, then a complaint can be made to the Data Protection Commission.
If these records contain the personal data of living people then the GDPR applies to them, and all the data subject rights in the GDPR apply. People are entitled to make Subject Access Requests and the holders of these records are obliged to respond to these requests.
If the records in question contain the personal data of more than one person (commonly called mixed data) then the organisation must carry out a balancing test when deciding how much of the information to release to the person making the Subject Access Request.
Data protection rights apply to personal data no matter which body holds the personal data. The Minister for Children Equality, Disability, Integration and Youth has implied on several occasions that the GDPR only applies to the records in the Archive when it transfers to his department. This is not the case.
The number of institutions examined by the Commission of Investigation is small compared to the total number of organisations which were involved in the incarceration of women and children and illegal adoptions. If these bodies or their successors hold records which contain personal data then the GDPR applies to those bodies too.
Sometimes organisations may refuse to give access personal data because to do so would also reveal the personal data of somebody else.
The GDPR anticipates that many records will contain this mixed data by stating that one person obtaining a copy of their information should not “adversely affect the rights or freedoms of others”.
This means that if the record containing the personal data requested also contains the personal data of other people then the data controller has to do a balancing of rights exercise.
The person making the Subject Access Request has a right to access their personal data; the other person whose personal data is also contained in the record has their own data protection rights and possibly other rights such as intellectual property rights which must be considered.
Since the GDPR says that the result of this balancing exercise “should not be a refusal to provide all information to the data subject”, the controller should be able to provide people who make Subject Access Requests with most of their personal data while redacting that of other individuals.
What is new is a commitment by the Taoiseach, the Attorney General and the Minister for Children, Equality, Disability, Integration and Youth to handle these requests properly. It’s an opportunity for the state to earn back some trust by doing properly what TUSLA, the Commission of Investigation and multiple other departments and agencies have failed to do.
“I am of the view that the general data protection regulation, GDPR, applies to requests for access to personal data. This is also the view of the Attorney General. … The expansion of GDPR is interesting and affects how we will affirm the rights of people to access their own personal data, which is now a legal requirement at European level which should be adhered to.“
“More generally, I can assure the Deputy that, as a regulation, the GDPR is directly applicable and it did not require transposition into Irish law. … While Irish law must be interpreted in line with EU law to the extent that it is possible to do so, in case of conflict, EU law would prevail over any inconsistent domestic law in accordance with the principle of primacy of EU law.”
There’s been a lot of confusion about what information people want. Nobody is proposing public access for all to every record. Nobody is suggesting that adopted people should be given the contact details of their parents.
Information about the early part of their lives is what they want. They want to be able to own their own stories.
All content on this site and in the downloadable guides is published under a Creative Commons licence (CC BY-NC-ND 4.0) except if otherwise noted. You are free to copy and redistribute the material as long as you give appropriate credit, you do not use the material for commercial purposes, and you do not change the material.