Back-up data are data kept only for the limited purpose of replacing other data in the event of their being lost, destroyed or damaged. As back-up data are copies of "live" data, they are not considered to be subject to an access request made under Article 15 of the General Data Protection Regulation (GDPR).

Data kept for any other purpose, such as archive data, would not be considered “back-up data” and therefore should be included in any Article 15 request for a copy of one’s personal data.

If there is potential that the people named in those records are still alive then their consent is required, otherwise the release of their personal data could be considered a breach. If it could be reasonably assumed that the individuals named in these books/registers are now deceased, there would be no data protection issue.

The right to access your personal data is a basic right and applies by law regardless of the type of body or entity that is holding your personal data. Accordingly, you have a basic right to access your personal data held by, amongst others, doctors, hospitals or consultants treating you in a private or public capacity. In response to such a request, you should receive anything held on file or computer by the health professional or facility that relates to you or from which you can be identified.

Section 56 of the Data Protection Act 2018 provides for an Article 15 right of access to results, scripts of examination and results of an appeal. Article 15 requests made in relation to examination results or scripts completed during the course of an examination, are taken to be made on the later of:

(a) The date of the first publication of the results of the examination, or

(b) The date of the request

An Article 15 request for the result of an appeal against an examination is taken to have been made on the later of:

The Central Bank of Ireland, under the Credit Reporting Act 2013 as amended, maintains a central record of repayments made on loans, whether mortgages or personal, and credit cards. To get a copy of your credit report further information is available on the Central Credit Register website.

This can be a complex area and depends on the policy of the data controllers in question and any preferences that the individual(s) involved may have expressed. However, from a data protection perspective, any entity/data controller/service provider with a policy of transacting business with the named account holder only is perfectly entitled to adopt that approach.

The right of access under Article 15 of the General Data Protection Regulation (GDPR) applies to a person's own personal data. Therefore, access requests tend to be made by the individual themselves in relation to their own personal data.  It would however be reasonable to comply with an access request submitted on a person's behalf by their own solicitor.

The one-month time frame has elapsed and I have not got my data; what can I do?

If, following the expiry of the one-month time limit, you have not received a response at all from the data controller regarding your subject access request it is open to you to submit a reminder to the data controller. At the same time, you can also submit a formal complaint to the Data Protection Commission (DPC).

I am not happy with the responses of the data controller, what can I do?

Yes. Article 23 of the General Data Protection Regulation (GDPR) and various provisions under the Data Protection Act 2018 (such as section 60) set out a number of circumstances in which your right to obtain a copy of your personal data can be lawfully restricted  by a data controller. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand.

Data controllers must respond to such requests within one month of receipt of the request, although this one-month time frame can be extended by up to two further months if, for example, the request is complex (Article 12(3) of the General Data Protection Regulation (GDPR)).