Collection
Protected Data
From Office of the Information Commissioner (OIC)
Published on
Last updated on
From Office of the Information Commissioner (OIC)
Published on
Last updated on
In addition to the data public bodies must release for re-use upon request under the PSI Regulations, the public sector also holds large amounts of “protected data” such as personal data, commercially confidential data, statistically confidential data, and data subject to intellectual property rights, all of which cannot be released for re-use under the PSI Regulations due to its sensitive nature.
This protected data may however be reused under the European Union (European Data Governance Act) Regulations 2024 S.I. No. 272 of 2024 (the DGA Regulations) which transposed into Irish law the Data Governance Act (EU) Regulation (EU) 2022/868 (the DGA) , referred to together here as the DGA legislation.
The DGA legislation has been introduced in order to allow valuable information to be extracted from protected data without compromising its protected nature, and the DGA legislation provide for rules and safeguards to facilitate such reuse whenever it is possible.
Unlike the PSI Regulations and the Open Data Directive, the DGA legislation does not oblige public bodies to release protected data for re-use upon receipt of a request. Rather, if public bodies wish to, they can decide to “opt in” to making specific sets of protected data they hold available for re-use in a manner that does not compromise the sensitive nature of the data.
The DGA legislation provides for rules and safeguards to facilitate such re-use. Safeguards can include, for instance, anonymisation, accessing data in secure processing environments or confidentiality agreements between the public body and the requester. The emphasis of the DGA legislation lies not with release for re-use, but with ensuring protected data can be re-used only if it is possible to do so without compromising its sensitive nature. Nothing in the DGA legislation requires or permits public bodies to release protected data for re-use if the protected nature of the data would be compromised.
In Ireland, the Central Statistics Office has been designated as the “competent body” for assisting public bodies in sharing protected data.
Protected data that public bodies have decided to make available for requests for re-use under the DGA legislation must be listed on a “single information point”. The Public Service Data Catalogue (the Catalogue) has been designated as that single information point in Ireland. Public bodies must provide the Catalogue with information about the types of protected data they propose to make available and/or which they have already made available for re-use. This information must include:
(a) a description of the data,
(b) terms and conditions for re-use, including compliance with the conditions for re-use in Article 5 of the EU Regulation,
(c) procedures for applying for data access and re-use, and
(d) information relating to any fees that may apply.
The Public Service Data Catalogue is also where potential protected data re-users may request to re-use the data in question, or find further information on how to do so.
If you have made a request to re-use protected data listed in the Catalogue and you are unhappy with the public body's decision on your request, you can appeal that decision to us if it falls within three different types of decision, set out below. The Information Commissioner is the Reviews Commissioner for protected data requests.
Under the national implementing DGA Regulations, only a requester who has received a decision falling within three different types of decision, set out below, or for whom the public authority has failed to make any decision, may apply for a review by this Office.
The DGA Regulations provide that any other person affected by a decision of a public body on the re-use of protected data must appeal directly to the High Court.
We can review the following three types of decisions by public bodies:
• refusal to allow the re-use of some or all of the requested categories of protected data;
• allowing access for re-use of the protected data but subject to a fee which the requester considers is not in accordance with Article 6 of the DGA;
• allowing access for re-use of the protected data but subject to a condition which the requester considers is not in accordance with Article 5 of the DGA.
While we are an independent review body, we only have the power to either affirm or remit a public body's decision.
The Reviews Commissioner cannot make a substantive “new” decision in place of a public body’s original decision.
Instead, we are limited to making a finding that a public body was either correct or mistaken in its application of the DGA legislation when it makes a decision falling within the three types of reviewable decisions set out above.
If we find that the public body was mistaken, we send the matter back to that public body for it to make a fresh decision. If a requester is unhappy with the public body’s fresh decision, they may appeal that decision directly to the High Court.
Time limits on public bodies
The public body must make a decision on your protected data request within two months. If the public body fails to reply to your request within two months, this is known as a deemed refusal.
If you have received the public body’s decision or the specified time-frame has elapsed and your request has been “deemed refused” (whichever is sooner), you may apply to this Office for a review of that decision.
Time limits on making appeals
In general, you can apply to us for an appeal within 4 weeks of the public body’s decision. We can extend the time limit if we think there are reasonable grounds for doing so.
Before you request a review, we recommend that you gather all records of your dealings with the public body in relation to the request.
These usually include:
• Your name, address, telephone number, email address and any other contact details
• The name of the public body
• The reference number of the public body's decision (if you have it)
• Details of the parts of the public body's decision you are unhappy with and which you want us to review
Please also ensure that your request for review clearly states that it is being made under the DGA Regulations.
To make an appeal under the DGA Regulations please send an email setting out the above information to info@oic.ie.
If you require any assistance with your request for review, you can also contact us by phone on +353 1 639 5689.