Data Protection

What is personal data?

The Data Protection Acts 1988 & 2003 define personal data as:

  • data relating to a living data subject who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

What is a data subject?

A data subject is an individual who is the subject of personal data.

What is a data controller?

Data controllers are those who, either alone or with others, control the contents and use of personal data.

What is the age of consent for collection and processing of personal data?

The minimum age at which a person can give consent to having their personal data processed is not specified in the Data Protection Acts.

Section 2A(1) of the Acts provides that, where a person by reason of his or her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of giving consent, such consent may be given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the person provided that the giving of such consent is not prohibited by law.

Where a person is under the age of majority (18), the Acts require the data controller to make a judgement on whether the young person can appreciate the implications of giving consent.

The rights of parents are given strong protection in the Constitution and in legislation. It would therefore be prudent for a school to obtain the consent of  a student’s  parents or guardians to the processing of  personal data concerning  her or him, unless the processing is required by law or is self-evidently necessary (for example, the keeping of attendance and other routine student records).

Are there any exceptions to the right of access?

Section 5 of the Data Protection Acts provides that individuals do not have a right to see information relating to them where any of the following circumstances apply:

  • If the information is kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders, or assessing/collecting any taxes or duties - but only in cases where allowing the right of access would be likely to impede any such activities.
  • If granting the right of access would be likely to impair the security or the maintenance of good order in a prison or other place of detention.
  • If the information is kept for certain anti-fraud functions - but only in cases where allowing the right of access would be likely to impede any such functions.
  • If granting the right of access would be likely to harm the international relations of the State.
  • If the information concerns an estimate of damages or compensation in respect of a claim against the organisation, where granting the right of access would be likely to harm the interests of the organisation.
  • If the information would be subject to legal professional privilege in court.
  • If the information is kept only for the purpose of statistics or carrying out research, but only where the information is not disclosed to anyone else, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
  • If the information is back-up data.
  • Restrictions on access to medical data and social work data. (To protect the individual from information about himself or herself which might cause serious harm to his or her physical or mental health or emotional well-being).

Where can I get more information about my rights under the Data Protection Act?

The Data Protection Commissioner's Website offers an explanation of the rights and responsibilities under the Data Protection Acts and information is also available from

The Data Protection Commissioner's Office
Canal House,
Station Road,
Co. Laois.

You can contact the Data Protection Commissioner's Office by email ( or by phone 1890 252231.

Related Links: