2. Appraisal, Performance Reports and References


The right of access applies to Appraisal and Performance Reports and the Commissioner considers that the confidentiality provision of section 4(4A)(b)(ii) cannot reasonably be applied to them.


In regard to references, it is often said that these are given in confidence. Notwithstanding this, the Commissioner considers generally that the right of access applies to them. There would need to be particular exceptional circumstances which would cause the Commissioner to be satisfied that the data would not otherwise have been given but for this understanding


3. Medical reports


The Data Protection (Access Modification) (Health) Regulations, 1989 (S.I. No. 82 of 1989) provide that health data relating to an individual should not be made available to that individual, in response to an access request, if that would be likely to cause serious harm to the physical or mental health of the data subject. A person who is not a health professional should not disclose health data to an individual without first consulting the individual’s own doctor or some other suitably qualified health professional.


An employee has a right of access to medical data held by the organisation’s company doctor or medical officer, unless the “harm” exemption, detailed above, applies. Experience is that such situations are rare.


Organisations should have a procedure in place so that when HR data is requested, clarification is sought as to whether the request includes medical data. If medical data is being sought, HR should advise the Company Doctor/Medical Officer who should make the data available to the employee directly.




As with any legislation, certain terms used in the Data Protection Acts, 1988 and 2003, have a quite specific meaning. The following are some important definitions, taken from section 1 of the Act, with additional comments and relevant links provided where appropriate.


Data means automated and manual data  


Automated data means information that -
(a) is being processed by means of equipment operating automatically in response to instructions given for that
Purpose, or
(b) is recorded with the intention that it should should be processed by means of such equipment;


Manual data means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system;


Relevant filing system means any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;


>>  see guidance note on relevant filing system  


Personal data means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller;


>>  see guidance note on personal data


Note that "personal data" means any information about or relating to the individual. In this respect, the term "personal data" has a different meaning than the term "personal information", as used in the Freedom of Information Act, which is restricted to the sort of private, confidential or sensitive information that might only be known to the individual and his or her family.


LINK»   go to website of the Information Commissioner


Sensitive personal data means personal data as to -


(a) the racial or ethnic origin, the political opinions or the religious or philosophical beliefs of the data subject,


(b) whether the data subject is a member of a trade union


(c) the physical or mental health or condition or sexual life of the data subject,


(d) the commission or alleged commission of any offence by the data subject, or


(e) any proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings;


Data subject is an individual who is the subject of personal data.


Data controller is a person who (either alone or with others) controls the contents and use of personal data.


Data processor is a person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment.


Disclosure - In relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties; and, where the identification of a data subject depends partly on the data and partly on other information in the possession of the data controller, the data shall not be regarded as disclosed unless the other information is also disclosed.


Comment: Arising from this definition, a transfer of personal data to an agent, who is carrying out a task on your behalf, is not a disclosure, and need not involve a contravention of the Data Protection Act in the same way as a disclosure to a third party. However, to rely on this provision, the principal-agent relationship must be bona fide and accompanied with appropriate safeguards. Where a data processor is involved there must be a contract in place that imposes equivalent security obligations on the processor as would apply to the controller.


LINK»   more about disclosures of personal data to third parties


Processing, of or in relation to information or data, means performing any operation or set of operations on the information or data, whether or not by automatic means, including-


(a) obtaining, recording or keeping the information or data


(b) collecting, organising, storing, altering or adapting the information or data, (c) retrieving, consulting or using the information or data,


(d) disclosing the information or data by transmitting, disseminating or otherwise making it available, or,


(e) aligning, combining, blocking, erasing or destroying the information or data, and, cognate words shall be construed accordingly;


Territorial Application of the Data Protection Act


A Guide to the New Data Protection Rules



Office Premises
Synergy House
10, Oakview Drive
Dublin 15

Contact Info

Tel: +353 (0)1 8215189
Mobile: +353 (0)87 2326927
Email: info@synergy.ie

Find Us