Privacy policy

1. Introduction
2. Who we are
3. Data Protection Officer
4. Your personal data and how we collect it
5. What we use your data for and the legal basis
6. Who we share your information with
7. How long we keep your personal data

8. Your Data Protection Rights
9. Your right to complain
10. Requirements to Provide Personal Data and Possible Consequences of Failure to Provide
11. Further information
12. Use of cookies
13. Definitions

This Notice provides you with information regarding the personal data about you which is held by the Office of the Information Commissioner.

Introduction

This Privacy Notice (the “Notice”) provides you with information regarding the personal data about you which is held by the Office of the Information Commissioner (the “Information Commissioner”).

The European Communities (Re-Use of Public Sector Information) (Amendment) Regulations 2015 (S.I. No. 525 of 2015) (“the RPSI Regulations”) provide that the Information Commissioner is designated as the Appeal Commissioner. This privacy notice also applies to his function as Appeal Commissioner.

The Information Commissioner fully respects your right to privacy. Your personal data will be treated with the highest standards of security and confidentiality, in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (“Data Protection Legislation”).

This Notice uses certain terms which have a particular meaning under Data Protection Legislation. See the Definitions section of the Notice for an explanation or definition of the relevant terms.

Who we are

The Information Commissioner reviews decisions made by public bodies under the Freedom of Information Act 2014 (the FOI Act) on

requests for access to records,
applications for the amendment of incorrect, incomplete or misleading personal information in records, and
applications for statements of reasons for acts and decisions by persons affected by those acts and decisions.

The Information Commissioner also has a role in

Reviewing the operation of the FOI Act
Publishing reports, guidance notes and other material
Carrying out investigations into how public bodies comply with the Freedom of Information Act

The Information Commissioner also reviews decisions taken by public bodies on requests relating to the re-use of public sector information made under the European Communities (Re-use of Public Sector Information) Regulations 2015.

The Information Commissioner collects and processes personal information known as personal data when carrying out its role and functions as provided under the FOI Act and its associated statutory instruments, including the European Communities (Re-Use of Public Sector Information) (Amendment) Regulations 2015. For the purpose of the Data Protection Legislation, the Information Commissioner is the data controller of your personal data.

Shared services

Certain ‘in house’ services or facilities are jointly shared by the Information Commissioner and the Office of the Ombudsman, the Commissioner for Environmental Information, the Standards in Public Office Commission, the Commission for Public Service Appointments, and the Referendum Commission. These services include accommodation, finance, human resources, communications, legal and information technology (ICT). The Information Commissioner and the Office of the Ombudsman is a joint controller in so far as personal data relating to such shared services is concerned.

We may be contacted at:

Office of the Information Commissioner

6 Earlsfort Terrace, Dublin 2. DO2 W773.

Telephone: (01) 639 5689

info@oic.ie

Data Protection Officer

We have appointed a Data Protection Officer who can be contacted in relation to the details of the Notice. The Data Protection Officer may be contacted at:

Email: dataprotection@ombudsman.ie

Telephone: (01) 639 5760

Postal Address: 6 Earlsfort Terrace, Dublin 2. DO2 W773

The Data Protection Officer is designated for the Office of the Ombudsman, which incorporates the Information Commissioner, the Office of the Information Commissioner, the Commissioner for Environmental Information, the Standards in Public Office Commission, the Commission for Public Service Appointments, and the Referendum Commission.

Your personal data and how we collect it

The personal data we hold and where it comes from will depend on the type of interaction you have with the Information Commissioner.

A large amount of the personal data which we hold about you is provided by you in your phone calls, letters, emails or other communications with the Information Commissioner.

We also hold your personal data where it has been provided by someone else or by someone on your behalf, known as third parties or representatives, respectively. Further details on this are provided below.

People who contact us to make an enquiry

We hold information (personal data) about people who contact the Information Commissioner. This personal data includes, for example, your name and contact details, details relating to the purpose of your contact and any other personal data which you provide.

Applicants for Review

We hold personal data about applicants for review including people on whose behalf an application for review is made. This personal data includes, for example, your name, contact details, details relating to the application for review and any other personal data which you provide.

In conducting a review of an FOI decision under the FOI Act, we also collect personal data about you from FOI bodies or other persons. For example, personal data is sometimes contained in the records which are the subject of an FOI request. Personal data is also sometimes contained in submissions or other communications received from FOI bodies or parties to a review. The personal data received by the Office is wide-ranging, depending on the case. It may include special category personal data.

Occasionally, in carrying out research during a review, we get information about you from publicly available sources (such as, public registers or information available on line).

Where fees for a review are due or paid to the Office, we hold financial information relating to the payment of the fees. Where the amount of the fee payable is reduced because the applicant is a medical card holder or a dependant of a medical card holder, we also hold information about the card holder or dependant which relates to the medical card.

Representatives

We hold personal data about representatives who make enquiries or who make applications for review on behalf of someone else. This data includes your name, contact details and details relating to the representative capacity or relationship with the person on whose behalf you are making the enquiry or application. It also includes any other personal data which you provide. Such personal data may also be included in information received from the FOI body or other person involved in a review.

Third parties

Where personal data is about a person who did not make the FOI request, we call that person a ‘third party’.

Personal data about you can be contained in the records sought by someone else under FOI. Personal data about you could also be contained in other documents which the Office receives, such as submissions, letters or emails. This personal data is received from FOI bodies, applicants for review, other parties to the review or other persons with whom the Office is in contact in relation to the review. The personal data can be wide-ranging, depending on the case, and may include special category personal data.

People Making Submissions

We hold personal data about people who make submissions to this Office. This data will include your name, contact details and any other personal data which you provide.

Investigations

The Commissioner may carry out an investigation into the practices and procedures of FOI bodies. In conducting an investigation, we could get personal data about you which is contained in records or submissions received by us from FOI bodies. This personal data could be wide ranging and may include special category personal data depending on the investigation.

Occasionally, in carrying out research during an investigation we get personal data from publicly available sources (such as, public registers or information available on line).

Visitors to our website

When someone visits www.oic.ie we collect standard internet log information and details of visitor behaviour patterns. We do this for statistical purposes to find out things such as the number of visitors to the various parts of the Information Commissioner website.

We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source.

Emailing our office

We are part of Government Networks, which connects public service agencies on a data, voice and video capable network. Any email sent to us, including any attachments, may be monitored and processed by us for security purposes. Email monitoring or blocking software may also be used.

Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Statutory requests to this office

We hold personal data about people who make statutory requests to the Information Commissioner including, for example, people who make a Freedom of Information (“FOI”) request, a request under the Access to Information on the Environment (AIE) Regulations, a data access request looking for records or information from the Information Commissioner, or an access request under the RPSI Regulations. The personal data held includes your name and contact details and information relating to the statutory request you have made.

A statutory request made to the Information Commissioner could also include personal data about someone other than the person making the request. Whether they contain personal data and, if so, the type of personal data will depend on the request. This information comes from the person making the request.

Staff of public service providers

We hold personal data about staff of FOI bodies in relation to their handling of FOI requests. The personal data includes the name, contact details, grade/role and information relating to the performance of their functions. This personal data comes from the FOI body or the applicant for review and includes personal data in the records sought in communications with this Office.

We also hold data about FOI Liaison Officers or other officials in FOI bodies. This includes the name, contact details and grade/role within the organisation of each official. This data has been provided by the official, his/her organisation or has been obtained from publicly available sources (such as the organisation’s website).

Suppliers / service providers / other people in contact with the Information Commissioner

We hold personal data where there has been contact between you and the Information Commissioner in relation to various matters, including contact regarding the provision of goods or services or invitations to the Information Commissioner’s office to make presentations, attend seminars, or attend conferences. Personal data held includes your name, contact details and information relating to the goods or services, the seminar, conference etc. The personal data is obtained from your interactions with us.

Visitors to our office

We ask all visitors to sign in and out at reception for security and safety reasons. Closed-circuit television (CCTV) operates in public areas of the building for security purposes.

We have Wi-Fi on site for the use of visitors. We provide the address and password. We record the device address and automatically allocate an IP address whilst on site. We log traffic information in the form of sites visited, duration and date sent/received. We don’t ask you to agree to terms, just to the fact that we have no responsibility or control over your use of the internet while you are on site, and we don’t ask you to provide any of your information to get this service.

Webinars & video conferences

When the Office hosts webinars or video conferences, it will require the name, contact number and email address of attendees to facilitate their attendance. Delegate lists will not be published by the Office but attendees' names may be visible to others during the event. We request that attendees use their work contact information where possible, to avoid the unnecessary collection of personal contact details. Similarly, attendees should avoid sharing personal data in any shared ‘chat’ facility as that data may be processed by the service provider.

The Office may record webinars for information purposes. It will provide advance notification when an event is being recorded. Recorded events capture the image and audio of any presenters. Attendees may have the option of sharing their image and audio during the session. If they choose to do so, this will also be captured in the recording. Where events feature a moderated Q&A, attendees who choose to interact with the Q&A may have their comments published and viewed by others at the event and they will also form part of the recording.

Attendees should ensure that they follow their own organisational policies and guidelines for video-conferencing, so they know what rules to follow and steps to take to minimise data protection risks. They should also familiarise themselves with the online service provider’s privacy policy to inform themselves as to how that provider processes personal data.

Others

We have described above all the main categories of people whose personal data we hold. We can hold data about people who do not fall within these categories. For example, from time to time we hold personal data about people attending meetings or events with the Office. We confirm that all personal data is treated with the highest standards of security and confidentiality, in accordance with the Data Protection legislation.

What we use your data for and the legal basis

Functions under the FOI Act

We process your personal data so that the Information Commissioner can carry out his functions under the FOI Act. In most circumstances this is in order for the Information Commissioner to review a decision taken by a public body on an FOI request.

We also process your personal data so that the Information Commissioner can carry out his functions under the European Communities (Re-Use of Public Sector Information) (Amendment) Regulations 2015 (S.I. No. 525 of 2015).

The Information Commissioner does not use automated individual decision making (i.e. making a decision solely by automated means without any human involvement) or profiling (i.e. automated processing of personal data to evaluate certain things about an individual).

In legal terms, our use of personal data is:

necessary for the performance by the Information Commissioner of a task carried out in the public interest or in the exercise of official authority vested in the Information Commissioner
necessary for reasons of substantial public interest, on the basis of the Data Protection legislation which is proportionate, respects the essence of the right to data protection and provides suitable and specific measures to safeguard your fundamental rights and interests.

General administration & compliance with legal obligations

We also hold information about you for the purpose of responding to statutory requests made to the Office (such as access requests under the FOI Act 2014, Data Protection legislation, and the Access to Information on the Environment Regulations). Doing this is necessary for compliance with the Office’s legal obligations.

We use the mailing list of people we communicate with in order to inform them of publications, current developments and other matters of interest. We will send you such communications if you consent to us doing so. If you wish to be removed from this list, please let us know and we will remove you from the list without delay.

We also compile and publish statistics showing information like the number of review applications we receive, however, no personal data is contained in such statistics.

Who we share your information with

In reviewing a decision of an FOI body or in carrying out any of the other functions of the Commissioner, we share personal data. For example, when carrying out a review of a decision taken by an FOI body, we will need to share information with that body and possibly with other relevant bodies. We share it with your representative, if you have nominated one and have given your consent.

Depending on your interaction with the Information Commissioner, we share your personal data with the appropriate public service provider(s)); your representative; any affected third parties; original requesters; legal representatives of the Information Commissioner and the courts. Such personal data is only shared where necessary for the performance of our functions.

On occasion, where necessary, we share your information with service providers, including, for example, translators. The transfer will be done within the requirements of the Data Protection Legislation.

Decisions of the Information Commissioner are required to be published under section 47 of the FOI Act and this is done in anonymised form. We may publish the details of reviews handled by the Information Commissioner in its Annual Report, an Investigation Report, or elsewhere. We do not identify any applicants or third parties, unless the details have already been made public, or the applicant or third party explicitly consents to being identified.

Shared services

The Office of the Information Commissioner shares resources with the Ombudsman, the Commissioner for Environmental Information, the Standards in Public Office Commission, the Commission for Public Service Appointments, and the Referendum Commission. These services include accommodation, finance, human resources, communications, legal and information technology (ICT).

Due to the shared ICT resource, a limited amount of your personal data (your contact details only) can be processed by the other bodies listed above.

Processing outside the European Economic Area (EEA)

The Information Commissioner will not ordinarily transfer personal data outside of the European Economic Area (EEA) or third countries with an adequacy decision unless, for example, we are corresponding with a customer or person related to an enquiry or review who resides overseas. In the event that this position changes, the Information Commissioner will comply with its obligations under Article 46 of GDPR by adopting one of the appropriate measures approved by the Data Protection Commission and the European Commission to ensure that such transfers are lawful.

How long we keep your personal data

The personal information you have provided will be processed by the Information Commissioner for the purposes outlined in the Notice and will be kept according to our retention policy. The retention policy sets out the time periods for how long information is kept by the Information Commissioner for different purposes, and as a result of our legal requirements. The length of time we hold your personal data for will depend on the type of document or record which contains the personal data.

Your Data Protection Rights

Article 23 of the GDPR and Section 60 of the Data Protection Act 2018 provides that certain rights in relation to your personal data held by the Information Commissioner are restricted. (including the right of access, the right to rectification and erasure, right to restriction of processing, right to object to processing and right to data portability). These particular rights are restricted where the personal data is kept by the Information Commissioner for the performance of his functions.

The following rights are provided under Data Protection Legislation:

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing of your personal data under certain circumstances. If your personal data is held by us on the basis of your consent, you have the right to withdraw that consent at any time.

Your right to data portability

You have the right to request that personal data be given to you or another person in a transferable or machine readable form.

Your right to object to automated decision making

You have the right to object to automated individual decision making (i.e. making a decision solely by automated means without any human involvement) and profiling (i.e. automated processing of personal data to evaluate certain things about an individual). The Information Commissioner does not make any decisions using wholly automated means.

Please note the above rights arise in certain circumstances and are subject to certain exemptions. In particular, the Information Commissioner is required by statute to keep information obtained from public service providers and others confidential. Please note this may restrict the scope of your rights. In particular:

your rights may be limited by the legal requirements in the FOI Act,
where we are using your data to carry out our statutory functions, because there are strong public interest reasons for us to process personal information in order to carry out our functions,
your data protection rights may be restricted by the rights and freedoms of third parties,
we have another legal requirement to use your personal information in a particular way.

If we cannot comply with your request, we will let you know why this is the case.

If you would like to exercise any of your rights, please contact the Data Protection Officer:

Email: dataprotection@Ombudsman.ie

Telephone: (01) 639 5760

Postal Address: 6 Earlsfort Terrace, Dublin 2. DO2 W773

Your right to complain

We try to meet the highest standards when collecting and processing personal information. If you have a query or complaint about the use of your personal information by the Information Commissioner, the Data Protection Officer is available to assist you in the first instance.

You also have the right to lodge a complaint with the Data Protection Commission. The Data Protection Commission can be contacted at:

Website: www.dataprotection.ie

Email: info@dataprotection.ie

Telephone: (0761) 104 800; Lo-Call 1890 25 22 31.

Postal Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28.

Requirements to Provide Personal Data and Possible Consequences of Failure to Provide

If you are making an enquiry or seeking a review of a decision of an FOI body, we may need certain information in order to respond to you or to carry out the review. If you do not give us the information, we will not be able to respond or carry out the review.

The Commissioner may occasionally need to exercise a power which he has under the FOI Act 2014 to require certain information to be provided. Where the Commissioner exercises his power in this regard, there is a statutory requirement to provide the information sought. On the particular occasions where the Commissioner decides to exercise this power, he will formally notify a person of this requirement. A person who fails or refuses to comply with such a notified requirement issued by the Commissioner is guilty of an offence.

Further information

This Notice is does not provide exhaustive detail of all aspects of the Information Commissioner’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Please feel free to contact us. Please note the Notice may be updated from time to time.

Use of cookies

We use a cookies tool on our website to gain consent for the optional cookies we use. Cookies that are necessary for functionality, security and accessibility are set, and are not deleted by the tool.

Definitions

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Data Protection Act 2018: Amongst other things, this Act gives further effect to the GDPR (see below) in areas where Member State flexibility is permitted. The Act is available online.
Data Protection Officer: GDPR requires some organisations to designate a Data Protection Officer (DPO). Article 39 of the GDPR states that the data protection officer “shall have at least the following tasks:

1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

4. to cooperate with the supervisory authority;

5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”

Data Subject means the identified or identifiable natural person to whom the personal data relates – see also the definition of personal data below.
The General Data Protection Regulations (GDPR) is an EU Regulation relating to data protection which came into force on 25 May 2018. The Regulation is available online.
Joint Controller. Where two or more controllers (see above) jointly determine the purposes and means of processing, they are joint controllers.
Personal Data means any information relating to an identified or identifiable natural person (‘data subject ’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Special Categories of Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

Created: May 2018

Modified: October 2019

Modified: November 2020