Mr. X and Trinity College Dublin

Background
Scope of Review
Preliminary Matter
My Analysis
Decision
Right of Appeal

Whether TCD was justified in refusing access to a record relating to GDPR requests made to it since 2020 on the basis of section 37 of the FOI Act

19 June 2025

Background

On 27 September 2024 the applicant sought access to the following:

1. With respect to GDPR requests made to the College since 2020:

a. the date on which such requests were submitted;

b. the date on which such requests were ‘processed and handed to the requester’; and

c. the type of such requests; i.e. whether they were subject access request (SAR), deletion etc, and which articles of GDPR legislation the requests related to.

2. A copy of the internal procedures within the College for dealing with GDPR requests.

3. The number of staff members (both full time equivalents (FTE) and non-FTEs) which are involved in processing GDPR requests from 2020 to the date of the applicant’s request.

On 24 October 2024 the College issued its decision. With respect to the first part of the applicant’s request, it provided the applicant with aggregate totals of GDPR requests received on an annual basis, broken into Article 15 requests (SARs) and ‘other article requests’. The College refused access to information relating to the date each GDPR request was processed and handed to the requester on the basis of section 37 relating to personal information ‘[d]ue to the possibility of being able to indirectly identify individuals’. It also informed the applicant that ‘it is not possible to provide data on request types that are below 10 as it could be possible to indirectly identify an individual. It could also be possible for a requester to identify themselves within the data set’.

With regard to the second part of the applicant’s request, the College provided the applicant with a copy of its Data Subject Rights Standard Operating Procedure. Finally, with respect to the third part of the applicant’s request, the College informed the applicant that there is one staff member (FTE) coordinating the processing of GDPR requests; namely the Data Protection Officer.

On the same day the original decision issued, the applicant appealed the decision. On 5 December 2024 the internal reviewer issued her decision wherein she upheld the original decision. The internal reviewer also relied on section 37 to refuse access to certain information falling within the scope of the applicant’s request saying ‘it is not possible to provide data on request types that are below 10 as it could be possible to indirectly identify an individual’ and ‘[i]t could also be possible for requester to identify themselves within the data set’. The internal reviewer further said that when releasing information under the FOI Act, it must ensure that it also complies with data protection legislation, making specific reference to guidance from the European Data Protection Board relating to the potential for indirect identification of individuals. The internal reviewer also indicated that it is the College policy to refuse access to datasets with values of <10 under FOI, stating that it is standard practice across many public sector bodies due to the risk of indirect identification of individuals.

I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the applicant’s comments in his application for review and to the submissions made by TCD in support of its decision. I have also had regard to the contents of the records concerned. I have decided to conclude this review by way of a formal, binding decision.

Scope of Review

As set out above, the College has provided certain information to the applicant in tabular form with respect the first part of his request. The College has also provided a document entitled ‘202409_Rights_Tracker_request’ to this Office which contains details of the GDPR requests received by the College since 2020. When provided this document to this Office, the College referred to this as ‘the master record containing all of the information coming within the scope of the request’.

In the circumstances of the case, I am satisfied that this record, which I will now refer to the as the tracker document, containing as it does the information sought by the applicant, comprises a record falling within the scope of the first part of the applicant’s request. I am also satisfied that in the circumstances where the applicant, in his appeal to this Office, has not queried the information provided to him relating to the second and third parts of his request, that the applicant is satisfied with such information and I do not need to consider these parts of his request any further.

This review is therefore solely concerned with whether TCD was justified in refusing access to the tracker document enumerating GDPR requests made to the College since 2020 on the basis of section 37(1) of the FOI Act.

Preliminary Matter

Section 22(12)(b) of the FOI Act provides that a decision to refuse to grant an FOI request shall be presumed not to have been justified unless the FOI body concerned shows to the satisfaction of the Commissioner that the decision was justified. This means that the onus is on TCD to satisfy this Office that its decision to refuse access to the record at issue was justified.

Analysis and Findings

Section 37(1)

Section 37(1) of the FOI Act provides that, subject to the other provisions of the section, an FOI body shall refuse a request if access to the record concerned would involve the disclosure of personal information, including personal information relating to a deceased individual. This does not apply where the information involved relates to the requester (section 37(2)(a) refers).

Section 2 of the FOI Act defines personal information as information about an identifiable individual that, either (a) would, in the ordinary course of events, be known only to the individual or members of the family, or friends, of the individual, or (b) is held by an FOI body on the understanding that it would be treated by that body as confidential. Section 2 goes on to specify 14 categories of information which, without prejudice to the generality of the above definition, constitute personal information, including (ix) a number, letter, symbol, word, mark or other thing assigned to the individual by an FOI body for the purpose of identification or any mark or other thing used for that purpose.

As set out above, the sole record for which I need to make a determination on is the tracker document supplied by TCD to this Office. The document comprises a list of GDPR requests, numbered according to academic year, containing details of the date the request was received, the date a response was provided and the specific Article of the General Data Protection Regulation relevant to the request. The document does not contain the names of requesters, any details in relation to the specific nature of any request beyond the relevant Article, nor does it include any identifying number which the College may have assigned to each request. Over the course of the time period set out in the applicant’s original request; namely from 2020 to September 2024, approximately 130 entries are set out in the tracker document.

In his correspondence with this Office, the applicant said he did not consider that the release of aggregate data of the type sought by him could potentially indirectly identify individuals who had submitted GDPR requests to TCD. In particular, the applicant said that the information sought does not disclose any personal details when presented in a summarized format.

Pursuant to section 22(12)(b) of the Act, which places the onus on the FOI body of justifying its refusal of a request, I would expect that TCD would show clearly how the disclosure of the information at issue in this case would allow specific individuals to be identified. When inviting submissions during the course of the review, I asked TCD to explain how this outcome could arise, given that the tracker document does not contain names or other details relating to any particular individual.

In its submissions to this Office, TCD said that GDPR requests are generally received from staff and students but on occasion from third parties, such as other College users, contractors etc. It said that the tracker document contains information such as the date a GDPR request was received, the date the request was completed and the specific nature of the request and, if released, this information could be used to indirectly identify individuals. It said that it believes that the information comprises personal information of the sort covered by subsection (ix) as referred to above; namely, a number, letter, symbol, word, mark or other thing assigned to the individual by an FOI body for the purpose of identification or any mark or other thing used for that purpose. It said it believes that the information in the record falls within this definition as ‘the combined information relates to specific individuals at an institutional level and can be used to indirectly identify them’. In particular, TCD said that due to the small number of requests associated with non-Article 15 requests, it considers that the release of the specific non-Article 15 provision at issue would make it possible to identify an individual and therefore, be considered personal information.

TCD also made reference to a number of provisions of data protection legislation in support of its position. More specifically, it said that it also relevant to consider the definition of personal information as set out in the General Data Protection Regulation. It made specific reference to Article 4 of the GDPR which defines personal data as ‘any information relating to an identified or identifiable natural person (‘the data subject’) ; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’ [TCD’s emphasis]. It said that it considers that the information in the record contains ‘pseudonymous personal data’ and TCD said that such data is still considered personal information under GDPR. TCD further said that although the information does not have ‘direct personal identifiers’, it can still be linked to specific individuals within the College. It said that such information cannot be considered to be anonymous ‘as the source data stills exists and pseudonymisation only provides limited protection for the identity of individuals’.

TCD further made reference to Article 24 of the GDPR and said that in line with this provision it is obliged to implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is performed in compliance with the legislation in a manner that safeguards the fundamental data protection and privacy rights of individuals whose personal data is under the control of the College. TCD said that it is required to consider all means that could likely be used to identify the individuals to whom records relate. It said that many of the documents released under the FOI Act are released to individuals who are part of the College community. It said that it considers that such documents ‘can be uploaded to websites which increases the risk of identification and potential breach of relevant individuals’ personal data and privacy rights’.

TCD also quoted two extracts from the Data Protection Commission’s Guidance Note on Anonymisation & Pseudonymisation (available on its website at the following link) as follows:

“In general terms, a natural person can be considered as “identified” when, within a group of persons, he or she is "distinguished" from all other members of the group. Accordingly, the natural person is “identifiable” when, although the person has not been identified yet, it is possible to do it … Thus, a person does not have to be named in order to be identified. If there is other information enabling an individual to be connected to data about them, which could not be about someone else in the group, they may still “be identified ” [Page 4]

and

“In some cases, it may be possible to infer a link between two pieces of information in a set of data, even though the information is not expressly linked. Where this is possible, data protection law continues to apply, and there remains a risk of re-identification that should be considered by organisations which should be appropriately safeguarded .” [Page 7]

In addition, TCD referred to the FOI Code of Practice (published by the Central Policy Unit of the Department of Public Expenditure and available on its website at the following link) stating that this Code takes a cautious approach to publishing data relating to personal requests making specific reference to section 6.1 of the Code which states as follows:

“Disclosure logs in relation to non-personal requests should be published on a regular basis (e.g. quarterly). This requirement to publish details only applies to non-personal requests under no circumstances should any details of personal requests ever be published, whether they are received from individuals themselves or on their behalf as provided for in the legislation. This does not prevent the publication of summary information in relation to the number of such requests (including the number of parts of each request) received for statistical purposes. ”

Making specific reference to the requirement on public bodies to routinely publish disclosure logs detailing requests made to the body under the FOI Act, TCD said that the only information on personal requests which a body is required to publish is the total number of requests received. It said that there is no reporting requirement to provide further detailed information such as the number of requests for access to records or amendment of records, the number of such requests which were granted, part-granted or refused, and the dates such requests were received and processed. TCD also noted that Notice 16 of the Central Policy Unit relating to FOI Disclosure Logs (available on its website at the following link ) states that a public log of FOI requests ‘should not contain details in relation to personal requests nor should it contain details of requesters which could be considered personal’.

Finally, TCD said that generally, requests received under GDPR are related to legal or medical matters. TCD also said that release of information relating to such requests ‘may cause stress and anxiety to individuals, particularly those who would be considered vulnerable’. It said that requesters do not submit GDPR requests with the understanding that specific details related to them would become publicly available. TCD further said that it is committed to preserving data security and maintaining confidentiality with regard to individuals who trust the institution to process their personal data. It said that the release of the information in the tracker document would lead to a heightened risk of a data breach as well as interfere with the role of the College’s Data Protection Officer (DPO) who is considered responsible for the data at issue.

My Analysis

At the outset, I would like to make a number of comments in relation to the interplay between data protection legislation and the FOI Act. I have already brought these to the attention of TCD as part of my review.

In its submission, TCD made specific arguments concerning the application of the principles of the General Data Protection Regulation to the operation of the FOI Act. In particular, I have understood a number of the arguments advanced to effectively mean that TCD is concerned that release of information in response to the applicant’s request would contravene its obligations under data protection legislation.

Article 86 of the General Data Protection Regulation provides that personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to the Regulation.

Section 44 of the Data Protection Act 2018 provides that, for the purposes of Article 86, personal data contained in a record may be disclosed where a request for access to a record is granted under and in accordance with the FOI Act 2014 pursuant to an FOI request.

Data protection legislation does not prohibit public bodies from processing FOI requests where the records sought contain personal information relating to individuals other than the requester. The FOI Act is entirely independent of data protection legislation and FOI requests for access to records must be processed in accordance with the provisions of the FOI Act. Indeed, the FOI Act provides for the release of personal information of third parties in certain circumstances, including where the public interest in granting the request outweighs, on balance, the public interest in protecting the privacy rights of the individuals concerned. Any concerns a public body has about the release of personal information relating to individuals other than the requester can and should be addressed by considering the applicability of the exemption contained in section 37 to the records at issue.

Therefore, whilst noting the extensive arguments advanced by TCD with regard to the General Data Protection Regulation, I must confine my review to the provisions of the FOI Act and more specifically in this case to section 37. In addition, with regard to TCD’s comments on the CPU guidance with respect to the compilation of FOI disclosure logs, while I have had regard to these arguments, I do not consider them to be of specific relevance when examining the applicability of section 37 in this case.

It is apparent from the definition of personal information that a record does not have to specifically name a particular individual for the information in the record to comprise personal information. It is sufficient that the individual is identifiable from the information in question. The essence of the arguments advanced by TCD appears to be that although the information contained in the record does not specifically refer to individuals by name, it considers that by virtue of the comparatively small number of GDPR requests received, alongside the specific combination of information set out in the tracker document, release of the record would indirectly identify individuals, particular those within the College community.

As I have outlined above, the information at issue solely comprises a list of GDPR requests, numbered according to academic year, containing details of the date the request was received, the date a response was provided and the specific Article of the General Data Protection Regulation relevant to the request.

I accept that where information may not, on the face of it, be about an identifiable individual, it may still be personal information if it allows the individual to be identified. I also accept that the number of GDPR requests in the years in question is arguably relatively small. That said, I fail to see how the release of the information contained in the tracker document would lead to the identification of individuals. I accept that certain individuals who have submitted GDPR requests to TCD in the time period in question may be in a position to identify themselves as referenced in the numbers but such information is already known to those individuals. I do not see how the wider public would be able to identify individuals from the release of the information at issue.

I am satisfied, in all of the circumstances, that disclosure of the information in the tracker document will not involve the disclosure of personal information. In particular, I am not satisfied that the information in the record can be said to comprise a number, letter, symbol, word, mark or other thing assigned to the individual by an FOI body within the meaning of subsection (ix). I find therefore that section 37(1) does not apply to this record.

Accordingly, as I have found section 37(1) not to apply, I do not consider it necessary to consider any other of the provisions of section 37.

Decision

Having carried out a review under section 22(2) of the FOI Act, I hereby annul TCD’s decision. I find that it was not justified in refusing access to the tracker document on the basis of section 37(1) and I direct that it be released to the applicant.

Right of Appeal

Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.

Mary Connery

Investigator