Accessing Records and Your Rights

Introduction

For those who have suffered human rights violations, inability to access information and records about their experiences is an ongoing injustice compounding harms already suffered. The right to information and access to records is an aspect of the right to respect for private life protected in Northern Ireland by the Human Rights Act 1998 and the UK General Data Protection Regulation (‘UK GDPR’).

The right to information and access to records is not absolute, but it may only be interfered with to the extent necessary to protect the rights of others. The Independent Panel recommends that, for organisations and public bodies dealing with applications for access to records, a human-rights-based approach to disclosure is imperative. Access to records is, in itself, a form of redress for people who have suffered.

One of the important functions of the Truth Recovery Independent Panel is to provide guidance to people searching for records about themselves and their interaction with Mother and Baby Institutions, Magdalene Laundries and Workhouses. 

The best way to obtain access to records depends on what kind of records you are searching for and who holds them.

Records relating to you can be obtained under data protection law because they contain your personal data. This guidance is intended to help you to use data protection rules to access records relating to you. 

Some records are covered by additional special access rules. Birth certificates and adoption records fall into this category. Guidance in relation to these records is available on our Civil Records page. 

Trying to access records can be difficult. If you are not happy with a decision someone has made in relation to records concerning you, you may need to challenge it. 

The rules can be complex, and you may feel you would benefit from legal advice and assistance. This guidance also includes information about how to access free legal advice and assistance through the legal aid system. 

Legal Advice and Assistance in Accessing Records

The Legal Services Agency Northern Ireland (‘LSANI’) operates a publicly funded legal advice and assistance service. The service can be accessed through almost any solicitors’ office in Northern Ireland. The Law Society of Northern Ireland maintains a directory of solicitors you can use to find a solicitor if you don’t already have one. 

The LSANI’s legal advice and assistance service covers almost any point of Northern Irish law, including the law relating to access to records. Solicitors can write letters on your behalf, including letters to people, organisations or bodies which hold records relating to you. 

The legal advice and assistance service is means-tested, which means that it is only available to people who have income or assets below a particular level. You will need to provide a solicitor with information about your income to find out if you are eligible. Financial eligibility is decided based on your disposable income and assets during the week before your initial meeting. Based on a solicitor’s assessment, LSANI will decide whether you are eligible or not. 

If you are eligible for legal advice and assistance, you may still be required to make a financial contribution.

The Truth Recovery Independent Panel has recommended to the Northern Ireland Executive that the means test be disapplied to applications advice and assistance relating to access to records relating to its investigation. Disapplication of the means test would require legislative amendment, and this is under consideration.

Accessing Records Containing Personal Data

Records relating to you will usually contain your personal data. Your personal data is information about you that identifies you or from which you are identifiable. 

Personal data can be held in many formats, including (but not limited to) paper documents, computerised records, photographs, audio recordings and videos.

In Northern Ireland, the UK GDPR and the Data Protection Act 2018 (‘DPA 2018’) give you a right of access to records containing your personal data held by an organisation or a publicly funded body. 

To access these records, you can make a Subject Access Request. Many organisations and public bodies which hold records containing personal data have a designated email address for receiving and processing such requests.

You will find contact details for institutions including within the Truth Recovery Independent Panel’s terms of reference on our Institutional Records page.

You will find contact details for bodies holding church and other records on our Church and Other Records page.

Making a Data Subject Access Request

The easiest way to make a data Subject Access Request is to send an email to the data protection officer of the organisation or public body you believe holds documents containing your personal data, asking them to send you the records to which you are entitled. 

There is no prescribed form for Subject Access Requests under the UK GDPR, though sometimes organisations and public bodies will suggest that you use their form. If you do so, you should ensure that all the information below is contained in the form. The Independent Panel recommends that applications be made by email so that records of the application are automatically generated. 

Usually, there is no fee for Subject Access Requests. Administrative charges may be applied if a request is excessive and / or unreasonable. 

In processing Subject Access Requests, decision-makers are required to go through the records carefully and individually, taking account of the context and all the circumstances relating to the request. For this reason, it is very important, in making such a request, to set out the context and circumstances as fully as possible. To help you, you may consider using this checklist to write your email:

 

  1. The recipient

    Send the email to the responsible person in the organisation or body to which the request relates using the contact details provided below. 

  2. The subject

    The subject of your email should be ‘Subject Access Request under Article 15 of the UK GDPR’

  3. Information about you

    Set out your name, address, date of birth, telephone number and how you would prefer to be contacted by return e.g. email address. You may then be asked to supply evidence of your identity (a copy of your driving licence / passport) and evidence of your address (a copy of a recent bank statement / utility or council tax bill / television licence). We suggest that you do not send this evidence with your initial request just in case it goes to the wrong person.

  4. The reason for application

    Set out why you are applying for records containing your personal data, and why the records are important. This will be personal to you, but because the decision-maker is required to consider your request in the context of all the circumstances, the more information you can provide about those circumstances, the better. If you expect that the records you are requesting contain information you already have about other people, you should say so, as this will be taken into account in making the decision about how much of the information needs to be redacted. If you think the record may contain information about a person who has already died, it is a good idea to include a copy of their death certificate (or, if they died more than 100 years ago, their birth certificate) as evidence of their death. This will prevent their data being redacted. Information about accessing birth and death registration records is available on our Civil Records page.

  5. How you would like your records to be provided

    Set out how you would like your records to be provided. Asking for your records by email has the advantage of creating an automatic record in case you need to ask for a review. 

How Requests Are Processed

The right of access to personal data is not absolute. It may be subject to some limitations and exceptions. As well as giving you a right of access to your personal data, the law protects the rights and freedoms of others. This means that access to records which contain the personal data of other people can be refused, or that records to which access is granted may have personal details of other people redacted; that is, blacked out. 

In deciding whether to grant access to records, the person making the decision needs to balance your right of access with the personal data rights of others. In coming to their decision, they consider:

  • Whether the person is alive or dead, because only living people are protected by data protection law. 

  • Whether the other person consented to the disclosure of their personal data. They may ask the other person for their consent to disclose their personal data to you. If you would prefer that they not do so, you can ask them not to. 

  • Whether, even if the person does not consent, it is reasonable to disclose the records.

In deciding whether it is reasonable, the following circumstances must be taken into account:

  • The type of information that would be disclosed;

  • Any duty of confidentiality that the person holding the records owes to the other person;

  • Any steps the applicant has taken to obtain the other person’s consent;

  • Whether the other person is capable of giving consent; and

  • Whether the other person has refused to give consent.

The law presumes that it is reasonable to release information if the person in question is a health professional, a social worker or an education worker. Generally, the personal data of such people in any records covered by your request should not be redacted. 

Another matter which should be considered is whether the information that would be disclosed about another person is information that you already have. If you think the records you are looking for contain information that you already know about other people, you should mention this in your letter. 

Finally, the person making the decision should consider how important the information is for you. For this reason, it is a good idea to include in your data Subject Access Request some information about why you are looking for the records and why they are important for you. The more important they are for you, the less likely it is that another person’s interest in non-disclosure will outweigh your interest in obtaining access. 

When you make a Subject Access Request, you should receive an acknowledgement and an indication of when your request will be replied to. You should receive the reply within one month. If the request is complex, the period can be extended for a further two months, but they must still notify you within the first month if they are applying such an extension.

Receiving Your Records

You will receive the records covered by your request in electronic form unless you have expressly requested them in another form, for example, on paper. You can request to receive both, but an administration charge can be applied if you ask for multiple copies of documents. 

You will receive a list of the records covered by your request. You should be able to tell from the list which records are being disclosed, which are being redacted, and which are being withheld, and the legal basis for that disclosure, redaction or withholding.  

Historic records can be difficult to understand. They may also contain distressing information. Information you were not expecting may be included, and information you were expecting may be missing or redacted. 

Support services are available through the Victims and Survivors Service (‘VSS’) and their community partners WAVE and Adopt NI, where specialist advocacy staff can help you with understanding records. You can find information on accessing support in understanding your records on the Victims and Survivors Service website.

Applying for an Internal Review

If you believe you have been wrongly refused access to records under the UK GDPR, or you believe that too much information has been redacted in the records you have received, you can make a complaint to the person, organisation or body concerned. It is a good idea to keep copies of any emails or letters you send in case you need to take the matter further. 

Things to look out for in the reply to your data Subject Access Requests include:

  • Access to documents has been refused even though redaction would have been sufficient to protect the identifying information of other people.

  • Names, addresses and dates of people who have been shown to be dead (or who should be presumed, based on the age they would be, to be dead) are blacked out.

  • Information you already know is blacked out.

  • Information that does not relate to other people at all is blacked out.

  • Documents are completely blacked out. 

You should explain in your complaint why you think the information which has been withheld should be disclosed. 

If your complaint to the person, organisation or body concerned does not resolve the situation, you can decide to take the matter further by making a complaint to the independent national body responsible for protecting data and information rights: the Information Commissioner’s Office (‘ICO’).

Another option is to apply for a Court Order that the person, organisation or body holding the records you seek comply with the UK GDPR in relation to your data Subject Access Request, but because this mechanism is more expensive and involves the risk, if your application should fail, that you would have to pay the other side’s costs, it is a good idea to try to obtain access to your records from the ICO first.

Complaining to the Information Commissioner’s Office

If your complaint to the person, organisation or body concerned does not resolve the situation, you can make a complaint to the independent national body responsible for protecting data and information rights: the Information Commissioner’s Office (‘ICO’).

A complaint to the ICO should be made within three months of your last meaningful contact with the person, organisation or body from whom you sought the records. 

You can make your complaint using the form on the ICO website, by calling their helpline or by writing to them at the following address: 

The Information Commissioner’s Office,
10th Floor,
Causeway Tower,
9 James Street South,
Belfast, BT2 8DN. 

The ICO online complaints tool is available on the ICO website. Before you start the process, you will need to make sure you have downloaded all the documents — including emails — you will be submitting. The ICO’s system accepts Word, Excel and other Microsoft Office files, Open Office, text, message, pdf, email and image files. 

Depending on your income and assets, you may be eligible for legal advice and assistance in relation to a complaint to the ICO. People who have legal representation tend to have better outcomes than people who do not, so if you are eligible, it is a good idea to take advantage of this service.

When the ICO receives your complaint, it will usually conduct an investigation into the matter by contacting the person, organisation or body against whom the complaint was made to gather information and assess whether data protection laws have been complied with. Depending on the outcome of the investigation, the ICO may provide guidance to them on how to rectify the issue by providing you with the records to which you are entitled.

If, when you receive the decision of the ICO you are still dissatisfied, you can apply for a case review. You need to do this within three months of the ICO decision you are unhappy with. The ICO has a team of reviewing officers who review decisions to make sure they have been reached correctly. 

Going to Court 

Even after a decision of the ICO has been reviewed internally, you may still feel that the law has not been properly applied and that records to which you are entitled have been wrongly withheld. If this is the case, you will have several options:

  • You can apply to the High Court of Justice Northern Ireland (‘High Court’) to challenge the decision of the ICO by way of a process called judicial review.

  • You can apply to the High Court for a compliance order, requiring the controller of your records to comply with your data Subject Access Request. 

Judicial review

Judicial review is the process by which a judge examines the legality of how a body arrived at its decision. The judge, who sits in the Judicial Review Court, considers whether the decision reached is undermined by some illegality, irrationality, failure to balance rights correctly or procedural unfairness. Based on its consideration of the evidence the Judicial Review Court can order the decision or action to be set aside (quashed) and require the body to follow a lawful process to come to a decision. 

Applying to the High Court for a Compliance Order

If a person, organisation or body fails to comply with your data Subject Access Request, you have the right under the DPA 2018 to apply to the High Court for a compliance order; that is, an order that the controller of the records comply with your request. 

Legal aid

Applications for judicial review and for compliance orders involve going to the High Court so it is advisable to have legal representation and to consider the potential cost implications. The LSANI operates a system of civil legal aid through solicitors across Northern Ireland which can provide legal representation once eligibility is established. Legal aid for such applications is subject to a means test, so you will need to provide information about your income and assets to a solicitor to see if you are eligible. Additionally, a solicitor will have to make a case to the LSANI that your case is strong enough to merit legal aid from public funds.