Written by Kieran Harte

The purpose of the Freedom of Information Act 2014 (FOI) is to enable the public to have access to records held by FOI bodies.

FOI is similar to data protection and there is a certain amount of overlap because it provides a right of access, including personal records, and to amend factual errors. However, there are also significant differences between FOI and data protection law.

FOI applies only to “FOI bodies”, which includes public bodies such as Government Departments, State Agencies and other public bodies receiving state funding in Ireland, while the Data Protection Acts 1988 to 2018 and the General Data Protection Regulation (GDPR) apply to personal information held by all legal entities, public and private.

FOI requests, identifying the records sought, should be submitted in writing to the FOI body, stating that the application is made under the FOI Act. Data subject access requests (DSARs) for personal information simply need to reach the data controller through one of its official channels. A “record” under FOI can be a paper document, information held on computer, printouts, maps, plans, microfilm, microfiche, audio-visual material, etc.

FOI requests and DSARs are handled free of charge where it concerns access to personal records or personal information, save for limited situations where there is significant number of records under FOI or where a DSAR is deemed to be ‘manifestly unfounded or excessive’ by the controller. There are no initial application charges for FOI requests involving access to non-personal records. Charges apply to reviews and appeals to the Office of the Information Commissioner in relation to these records.

FOI provides access to copies of original records rather than information, and these records can include material across a broad range including statistics, reports, emails, or records of decisions that do not contain any personal information. FOI also applies to the records of deceased persons. On the other hand, data protection is limited to the personal data of living data subjects (natural persons) – it does not apply to information relating to deceased or legal persons.

Records are not created in response to FOI requests. Conversely, the underlying personal information held on data subjects is compiled in response to an access request. However, this doesn’t preclude the possibility of providing copies of original documents as part of a response to a DSAR.

Unless explicitly stated otherwise, DSARs should be understood as referring to all personal data concerning the data subject. However, the controller may ask the data subject to specify the request if they process a large amount of data. If the data subject, who has been asked to specify the scope of its request, confirms to seek all personal data concerning him or her, the controller has to provide it in full. In contrast, there are administrative exemptions available under FOI that limit the scope of FOI requests where there are insufficient particulars provided or where it would cause too much interference with or disrupt the work of an FOI body.

The definition of personal information has similarities under both FOI and GDPR/data protection but is subject to exclusions under FOI, including a public interest test. For example, in relation to directors, public servants and office holders, their identity is not exempted by an FOI body in the context of the particular position held or any records created by the staff member, director or office holder while carrying out his or her official functions.

Generally, decisions on FOI requests are made within 20 working days, while the timeline for a DSAR is, at the latest, within one month of receiving the request.