BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!

 

We received a complaint in September 2011 from an individual in relation to the alleged failure of the Dublin Airport Authority to comply in full with an access request made to it in May 2005. Dublin Airport Authority had responded to this access request in July 2005 stating that it held no personal data in relation to the requester.

 

Some years later, however, a number of documents were produced following a discovery process undertaken by the Dublin Airport Authority pursuant to High Court proceedings. In that context, the data subject was given access to a copy of three documents which contained some personal data relating to him. These documents pre-dated the access request made in 2005. The data subject complained that his right of access had been wrongly denied six years previously.

 

Having examined the documents concerned, we were satisfied that they did contain some personal data relating to the data subject and that those items of personal data did fall due for release at the time of the access request in 2005. We commenced an investigation by contacting the Dublin Airport Authority on the matter and we sought a full explanation in relation to the handling of the access request in 2005.

 

We received correspondence from Dublin Airport Authority’s legal representatives informing us that, following receipt of the access request in May 2005, Dublin Airport Authority identified a small number of documents in its possession relating to the request. They informed us that, at the time of the access request, an assessment of the documents was made in conjunction with legal advice obtained by the Dublin Airport Authority. This concluded that the documents did not constitute personal data within the meaning of the Data Protection Acts given that only passing reference was made to the data subject and that the data subject was not the focus of the documents in question. Consequently, a letter issued to the requester in July 2005 stating that Dublin Airport Authority held no data in relation to him which would be regarded as personal data.

 

The complainant sought a decision on his complaint. The Commissioner subsequently issued a formal decision which found that Dublin Airport Authority contravened Section 4(1)(a) of the Data Protection Acts, 1988 and 2003 by not providing the relevant personal data to the data subject within the time limit specified in respect of the access request made in May 2005.

 

The Commissioner specifically identified on the documents involved the text which he considered to constitute personal data of the data subject concerned. (The documents discovered on foot of the High Court proceedings contained non-personal information as well as some personal data relating to the data subject). As this case demonstrates, a court discovery process undertaken long after the access request was processed uncovered a data protection breach which took place at the time of the processing of the access request and this breach was caused by the data controller's interpretation of the definition of personal data. As a result, the data subject was wrongly denied his right of access to his personal data for a number of years.