This Notice provides you with information regarding the personal data about you which is held by the Office of the Information Commissioner.

 

The European Communities (Re-Use of Public Sector Information) (Amendment) Regulations 2015 (S.I. No. 525 of 2015) provide that the Information Commissioner is designated as the Appeal Commissioner.  This privacy notice also applies to his function as Appeal Commissioner.

The Office of the Information Commissioner fully respects your right to privacy.  Your personal data will be treated with the highest standards of security and confidentiality, in accordance with the General Data Protection Regulation (GDPR) and Data Protection legislation.  This Notice uses certain words or terms which have a particular meaning under GDPR and Data Protection Act 2018 (the Data Protection legislation).  See the Definitions section of this Notice for an explanation or definition of the words.

Your personal data is held by the Office of the Information Commissioner (or ‘the Office’ in this notice) which is the data controller for the purposes of the Data Protection legislation.  The office of the Information Commissioner and the office of the Ombudsman are held by the same person.  Certain ‘in house’ services or facilities are jointly shared by the two Offices – these services include, for example, corporate services, finance and IT. The Office of the Ombudsman is therefore a joint controller in so far as personal data relating to such shared services is concerned.

We may be contacted at:

18 Lower Leeson Street, Dublin 2, DO2 HE97. 

Telephone: (01) 639 5689. 

Email:  info@oic.ie

 

Our Data Protection Officer may be contacted at:

Email:  dataprotection@ombudsman.ie

Telephone: (01) 639 5760

Postal Address: 18 Lower Leeson Street, Dublin 2, DO2 HE97. 

The Data Protection Officer is designated for the Office of the Ombudsman, OIC, OCEI, SIPOC, CPSA and the Referendum Commission.

A very large amount of the personal data which we hold about you is provided by you in your online applications, phone calls, letters, emails or other communications with this Office. 

We also hold personal data which has been provided by someone else or by someone on your behalf.  Where this occurs, further details are provided below.

The personal data we hold and where it comes from will depend on the type of interaction you have with our Office. 

People who make an enquiry

We hold information (personal data) about people who contact this Office to make an enquiry.  This personal data includes, for example, your name and contact details, details relating to your enquiry or the purpose of your contact and any other personal data which you provide. 

Applicants for review

We hold personal data about applicants for review including people on whose behalf an application for review is made.  This personal data includes, for example, your name, contact details, details relating to the application for review and any other personal data which you provide. 

In conducting a review of an FOI decision under the FOI Act, we also collect personal data about you from FOI bodies or other persons.  For example, personal data is sometimes contained in the records which are the subject of an FOI request.  Personal data is also sometimes contained in submissions or other communications received from FOI bodies or parties to a review.  The personal data received by the Office is wide-ranging, depending on the case. It may include special category personal data.

Occasionally, in carrying out research during a review, we get information about you from publicly available sources (such as, public registers or information available on line).

Where fees for a review are due or paid to the Office, we hold financial information relating to the payment of the fees.  Where the amount of the fee payable is reduced because the applicant is a medical card holder or a dependent of a medical card holder, we also hold information about the card holder or dependent which relates to the medical card.

Representatives

We hold personal data about representatives who make enquiries or who make applications for review on behalf of someone else.  This data includes your name, contact details and details relating to the representative capacity or relationship with the person on whose behalf you are making the enquiry or application. It also includes any other personal data which you provide.  Such personal data may also be included in information received from the FOI body or other person involved in a review.

Third parties

Where personal data is about a person who did not make the FOI request, we call that person a ‘third party’. 

Personal data about you can be contained in the records sought by someone else under FOI.  Personal data about you could also be contained in other documents which the Office receives, such as submissions, letters or emails.  This personal data is received from FOI bodies, applicants for review, other parties to the review or other persons with whom the Office is in contact in relation to the review.  The personal data can be wide-ranging, depending on the case, and may include special category personal data.

People making submissions

We hold personal data about people who make submissions to this Office.  This data will include your name, contact details and any other personal data which you provide. 

Investigations

The Commissioner may carry out an investigation into the practices and procedures of FOI bodies.  In conducting an investigation, we could get personal data about you which is contained in records or submissions received by us from FOI bodies.  This personal data could be wide ranging and may include special category personal data depending on the investigation. 

Occasionally, in carrying out research during an investigation we get personal data from publicly available sources (such as, public registers or information available on line).

Visitors to our website

When someone visits www.oic.ie we collect standard internet log information and details of visitor behaviour patterns. We do this for statistical purposes to find out things such as the number of visitors to the various parts of the site.

We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source.

If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information through our website and will explain what we intend to do with it.

Emailing our office 

We are part of the Government Services network. Any email sent to us, including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used.

Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

 

Statutory Requests to this Office

We hold personal data about people who make statutory requests to this Office, including for example people who make an FOI request or Data Protection access request looking for records or information from this Office.  The personal data includes your name and contact details and information relating to the statutory request. 

These statutory requests made to this Office could also include personal data about someone other than the person making the request.  Whether they contain personal data and, if so, the type of personal data will depend on the request.  This information comes from the person making the request.

Staff of FOI Bodies

We hold personal data about staff of FOI bodies in relation to their handling of FOI requests.  The personal data includes the name, contact details, grade/role and information relating to the performance of their functions.  This personal data comes from the FOI body or the applicant for review and includes personal data in the FOI request and decision-making records, in the records sought under FOI or in communications with this Office. 

We also hold data about FOI Liaison Officers or other officials in FOI bodies.  This includes the name, contact details and grade/role within the organisation of each official.  This data has been provided by the official, his/her organisation or has been obtained from publicly available sources (such as the organisation’s website).

People on our Mailing List

We have a list of people we communicate with to inform them of publications, current developments and other matters of interest.  This contains your name, description and contact details.

Suppliers / Service Providers / Other People in Contact with this Office

We hold personal data about you where there has been contact between this Office and yourself in relation to various matters, including e.g. contact regarding the supply of goods or services or invitations to this Office to make presentations to seminars, attend conferences etc.  This personal data includes your name, contact details and information relating to the goods or services, the seminar, conference etc.  It comes from your interactions with us.

Others

We have described above all the main categories of people whose personal data we hold.  We can hold data about people who do not fall within these categories.  For example, from time to time we hold personal data about people attending meetings or events with the Office.  We confirm that all personal data is treated with the highest standards of security and confidentiality, in accordance with the General Data Protection Regulation (GDPR) and Data Protection legislation.

Functions under the FOI Act

We use the information about you so that the Information Commissioner can carry out his functions under the Freedom of Information Act 2014, including reviewing decisions made by FOI bodies.  

In legal terms, our use of personal data is:

  • necessary for the performance by the Commissioner of a task carried out in the public interest or in the exercise of official authority vested in the Commissioner
  • necessary for reasons of substantial public interest, on the basis of the Data Protection legislation which is proportionate, respects the essence of the right to data protection and provides suitable and specific measures to safeguard your fundamental rights and interests.

General Administration & Compliance with Legal Obligations

We also hold information about you for the purpose of responding to statutory requests made to the Office (such as access requests under the FOI Act 2014, the Data Protection Act and the Access to Information on the Environment Regulations).  Doing this is necessary for compliance with the Office’s legal obligations. 

We use the mailing list of people we communicate with in order to inform them of publications, current developments and other matters of interest.  We will send you such communications if you consent to us doing so.  If you wish to be removed from this list, please let us know and we will remove you from the list without delay.

We also compile and publish statistics showing information like the number of reviews we receive, but not in a form which identifies anyone.

In reviewing a decision of an FOI body or in carrying out any of the other functions of the Commissioner, we share personal data.  For example, when carrying out a review of a decision of an FOI body, we will need to share information with that body and possibly with other relevant bodies. 

Joint controller: As explained above, the Office of the Ombudsman is joint controller of certain data relating to such services as corporate services, finance and IT.  For data protection purposes your personal data is considered to be shared with the Office of the Ombudsman.

In addition to the sharing of data with the Office of the Ombudsman as joint controller, your data is shared by our Office as set out below.

Applicants for Review / Representatives / Third Parties/ People Making Submissions/ Staff of FOI Bodies

We share your personal data with: the relevant FOI body or bodies; applicants for review and/or their representatives; potentially affected third parties; original requesters; persons making submissions; legal representatives of the Office and the courts.

On occasion, we share your information with service providers, including, for example, translators. 

In processing payment of fees to this Office or the refund of such fees, we share your personal data in relation to such payments or refunds with our payment service providers.

We may publish the details of cases handled by our Office in our Annual Report or elsewhere. Usually we do not identify any applicants unless the details have already been made public or unless the applicant explicitly consents.

The length of time we hold your personal data for will depend on the type of document or record which contains the data.  Our Records Retention Policy sets out the time periods for different types of record.  See the table below for further details:

Record Description – Personal Data contained in:

Retention Period

 

Records documenting the investigation of decisions of FOI bodies/AIE public authorities/RPSI bodies (electronic and hard copy)

 

  • Retain aspects of the main details form (date received, name, address, body, date closed, closure reason) and decision letter indefinitely for all cases on electronic format
  • Retain electronic and hard copy case records of cases subject of Superior Court appeals for 1 year post finalisation of the proceedings, including finalisation of costs
  • Retain other electronic case records and hard copy files for 1 year post closure

 

Main records the subject of a review by the OIC/appeal to OCEI/RPSI review  (electronic and hard copy)

  • 2 months after closure (except for decisions appealed to the Superior Courts)
  • Retain subject records of cases subject to Superior Court appeals until finalisation of the proceedings, including finalisation of costs.

 

Records relating to decisions of the OIC/OCEI/RPSI appealed to the superior courts, affidavits sworn, all legal advice received, and other legal correspondence.

  • Legal advice – Superseded plus 1 year
  • Retain other material for 1 year post finalisation of the court case, including finalisation of costs

Records relating to FOI/DP/AIE & other statutory requests received by the Office.

  • Retain activity log of requests indefinitely
  • Retain electronic and hard copy case records of cases subject of Superior Court appeals for 1 year post finalisation of the proceedings, including finalisation of costs
  • Retain all other electronic case records and hard copy files for 1 year post closure

 

General questions/ queries from members of the public (includes queries received by email)

  • Retain records for 1 year

 

Emails from public bodies/authorities and others comprising queries/ review related emails etc received to the FOI/OCEI Mail. 

  • 6 months after receipt the email is deleted from the OIC FOI/OCEI Mailbox, once attached to case where required or stored in the relevant General Enquires database

Such personal data as may be contained in briefing material; presentations; general correspondence with public bodies/authorities, journalists, academics, NGOs; contacts list for public bodies/authorities; speeches/talks given by the Commissioner & staff; records/comments/ correspondence on the FOI Act 2014 and the AIE Regulations (including re. funding).

 

  • Retain policy type correspondence indefinitely
  • Retain presentations until superseded
  • Retain speeches indefinitely
  • Delete all other records after 1 year

Records relating to media queries, press releases etc.

  • Records relating to media queries 1 year
  • Press releases 10 years

 

Information published under the FOI Act  (annual reports, publication schemes, section 41 reports, and section 46 reports ), investigations carried out under section 44 of the FOI Act & reports to Oireachtas

  • Drafts and related material - publication plus 5 years, or publication of subsequent periodic report whichever is later.
  • Published reports & reports to the Oireachtas – retain indefinitely

Records used by the OIC for reference, including judgments involving the Office, legal advice, correspondence with public bodies in relation to FOI matters, research performed by staff, standard paragraphs used by the OIC, internal guidance notes, and guidance notes published by the OIC.

  • Superseded plus 3 years

Records relating to the management/administration of the OIC/OCEI/RPSI

  • Superseded plus 3 years
  • Contact lists – Retain /Maintain current list

Presentations/ documents for OIC/OCEI/RPSI training.

  • Superseded plus 1 year

Information on Staff, not contained in formal HR records

  • In accordance with HR policies and procedures
  •  

Under the GDPR and Data Protection legislation certain rights in relation to your personal data held by the Office (including the right of access, the right to information, to rectification & erasure, to restriction on processing, to objection to processing and to portability) are restricted.  These rights do not apply with regard to the personal data kept by the Commissioner for the performance of his or her functions.

In relation to other personal data about you which is held by the Office, you have certain rights.  These rights arise in certain circumstances and are subject to certain exemptions.  The rights are:

  • right to access the data – you have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data
  • right to rectification – you have the right to request that inaccurate personal data be corrected and that incomplete personal data be completed
  • right to erasure (or right to be forgotten) – you have the right to request that personal data be deleted
  • right to restriction of processing or objection to processing – you have the right to request that our use or processing of your data be restricted or to object to our processing of your data
  • right to data portability – you have the right to request that personal data be given to you or another person in a transferable or machine readable form.

If your personal data is held by us on the basis of your consent (or explicit consent), you have the right to withdraw that consent at any time.

If you would like to exercise any of your rights, please contact:

The Data Protection Officer

Email:  dataprotection@ombudsman.ie

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.

You also have the right to lodge a complaint with the Data Protection Commission.  The Data Protection Commission may be contacted at:

Website: www.dataprotection.ie

Email:  info@dataprotection.ie

Telephone:  (0761) 104 800; Lo-Call 1890 25 22 31. 

Postal Address: Canal House, Station Road, Portarlington, Co Laois, R32 AP23. 

If you are making an enquiry or seeking a review of a decision of an FOI body, we may need certain information in order to respond to you or to carry out the review.  If you do not give us the information, we will not be able to respond or carry out the review.

The Commissioner may occasionally need to exercise a power which he has under the FOI Act 2014 to require certain information to be provided.  Where the Commissioner exercises his power in this regard, there is a statutory requirement to provide the information sought.   On the particular occasions where the Commissioner decides to exercise this power, he will formally notify a person of this requirement.  A person who fails or refuses to comply with such a notified requirement issued by the Commissioner is guilty of an offence. 

This privacy notice was drafted with clarity in mind. It does not provide exhaustive detail of all aspects of Office of the Information Commissioner’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Please feel free to contact us. 

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Information Commissioner Site cookie acceptance

Name: Accept_cookies

Purpose: This cookie is used to record if a user has accepted the use of cookies on the Information Commissioner website.

More information: To withdraw your consent after accepting this cookie, delete the accept cookies cookie. Find out how at www.aboutcookies.org

Google Analytics

Name: Google Analytics _utma, _utmb, _utmc, _utmz

Purpose: These cookies are used to collect information about how visitors use our site. The cookies collect information in an anonymous form that does not identify a visitor. They provide information regarding the number of visitors to the site, where visitors have come to the site from and the pages they visited. We use this information to compile reports and to help us improve the way our website works, for example by making sure users are finding what they need easily.

More information: You can find the Google Analytics Privacy Policy here:

https://support.google.com/analytics/answer/6004245

To opt out of being tracked by Google Analytics across all websites visit the Google site

These cookies are used to collect information about how visitors use our site. The cookies collect information in an anonymous form that does not identify a visitor. They provide information regarding the number of visitors to the site, where visitors have come to the site from and the pages they visited. We use this information to compile reports and to help us improve the way our website works, for example by making sure users are finding what they need easily.

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Protection Act 2018  Amongst other things, this Act gives further effect to the GDPR (see below) in areas where Member State flexibility is permitted. 

Data Protection Officer  The GDPR requires some organisations to designate a Data Protection Officer (DPO).  Article 39 of the GDPR states that the data protection officer “shall have at least the following tasks:

  1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”

Data Subject means the identified or identifiable natural person to whom the personal data relates – see also the definition of personal data below.

The General Data Protection Regulations (GDPR) is an EU Regulation relating to data protection which came into force on 25 May 2018. 

Joint Controller.  Where two or more controllers (see above) joint determine the purposes and means of processing, they are joint controllers.

Personal Data means any information relating to an identified or identifiable natural person (‘data subject ’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Special Categories of Personal Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.