GUIDANCE NOTE FOR DATA CONTROLLERS ON THE RELEASE OF PERSONAL DATA TO PUBLIC REPRESENTATIVES
This Office recognises that it is a normal and accepted function of an Irish public representative to represent individual constituents in their dealings with public and private organisations. Such representations typically relate to access to services or to information about those services.
The following guidance note has been prepared as an aid to organisations ("data controllers") that are in receipt of representations made on behalf of individuals ("data subjects") by public representatives (TDs, Senators, MEPs, Councillors). This note also sets out the obligations on public representatives under the Data Protection Acts 1988 and 2003 in relation to the making of such representations for personal information and their responsibilities in relation to information which may come into their possession on foot of these representations.
We advise that, where a public representative makes a written representation on behalf of a constituent, the organisation can generally assume that the constituent has given consent for the release of personal data necessary to respond to the representation.
As the organisation is accountable for personal data it has chosen to release, it should be satisfied that it is reasonable to assume that the individual whose personal data is being released would have no objection to such release through a public representative. In most cases, this is unlikely to be an issue. This would be true, for example, in relation to the many representations on behalf of individuals who simply wish to know when a particular service will be provided.
However, there will be cases where it would be appropriate for the organisation to check with the public representative, or the individual whose personal data is being released, that such release is not going to give rise to later complaints about breach of the Data Protection Acts.
This could arise, for example, where the constituent is making enquiries about the provision of services to a relative of the constituent where it is not clear that the relative supports, or is even aware of, the representation being made. Another example would be where access is being sought to information which would involve disclosure of personal data in relation to others (e.g. it would be wrong to release the names of the top ten individuals on a waiting list without their consent). Yet another example might be where the representation is being made in a context where the constituent is involved in a dispute with third parties. Particular care is needed where the information being released qualifies as "sensitive data" under the Data Protection Acts (e.g. information about the health of an individual).
Public representatives should also be aware of their obligations under the Data Protection Acts. They need to be satisfied that they are acting with the consent of the individual where the response to a representation involves release of that individualís personal data. They should also understand the obligations on organisations to keep personal data confidential and that, in particular cases, this may involve a need to check that the individual concerned has consented to the release of their personal data. When information has been supplied in reply to such representations, the public representative must act in compliance with Section 2 of the Acts which requires data controllers (in this case, public representatives) to comply with certain provisions regarding personal data kept by them:
- the data should not be further processed in a manner incompatible with the purpose for which it was received
- the data should be kept safe and secure while in the possession of the public representative
- the data should not be kept for longer than is necessary
Office of the Data Protection Commissioner
2 November 2007
» Permanent Link