The Data Protection Acts 1988 and 2003 and the General Data Protection Regulation (GDPR) provide similar rights of access as the Freedom of Information Acts, the main difference being that the Data Protection Acts do not apply to records of deceased persons.

Data Protection is the safeguarding of the privacy rights of individuals in relation to the processing of personal data.

As with the FOI Acts, these rights extend to your own personal records and in specific circumstances, to those of your children. There are exemptions provided for in the Acts, this means that there are specific circumstances when the requested information will not be released. If any of these exemptions are used to withhold information, the reasons will be clearly explained to you.

HIQA, as a Data Controller, must adhere to the eight rules of Data Protection. The eight rules, which apply whether the information is held on computer or in a manual form, are:

  • obtain and process information fairly
  • keep it only for one or more specified, explicit and lawful purposes
  • use and disclose it only in ways compatible with these purposes
  • keep it safe and secure
  • keep it accurate, complete and up-to-date
  • ensure that it is adequate, relevant and not excessive
  • retain it for no longer than is necessary for the purpose
  • provide an individual with a copy of his/her personal data on request.

You must apply in writing and simply refer to the Data Protection Acts. The application fee of €6.35 must accompany the request.

If you wish to contact HIQA regarding Data Protection, you can contact Brian Ahern, Data Protection Officer via email at

When to use the Data Protection Acts

You may use either the Freedom of Information Acts or the Data Protection Acts to access personal information held by public bodies. However, the Data Protection Acts apply only to your own personal information (or in certain circumstances that of your child) and require an application fee of €6.35.

Entitlements under the Data Protection Acts

  • A decision will, in normal circumstances, issue within 40 days of receipt of your request.
  • Details of your entitlement to complain to the Data Protection Commissioner will be included in the decision letter.

Access to information

To make an access request under the Data Protection Acts 1988 and 2003, please submit your request in writing to the Data Protection Officer, Health Information and Quality Authority, Georges Court, Georges Lane, Smithfield, Dublin 7. E-mail:

Please ensure that you describe the records you seek in the greatest detail possible to enable us to identify the relevant records. There may be a fee of €6.35 for an application under the Data Protection acts.