Data Protection in An Garda Síochána
Code of Practice for An Garda Síochána
FOREWORD Data Protection Commissioner
INTRODUCTION Commissioner of An Garda Síochána
RULES OF DATA PROTECTION THAT MUST BE ADHERED TO
AREAS OF RESPONSIBILITY
AUDITS OF DATA PROTECTION PROCEDURES WITHIN AN GARDA SÍOCHÁNA
ENFORCEMENT OF DATA PROTECTION LEGISLATION
I am very happy to be able to formally approve this Code of Practice under the terms of Section 13 of the Data Protection Acts 1988 and 2003. The Code is the result of intensive work by the Garda Commissioner and his staff, working in close co-operation with my Office. It is designed to give operational meaning to the principles of data protection set out in European and National law.
I am confident that the Code will make a significant contribution to improving knowledge and understanding of data protection within An Garda Síochána. I intend to continue to work closely with the Garda Commissioner and his staff to ensure that the guidance set out in the Code is followed in daily practice.
Data Protection Commissioner
We live in an information age and information in the form of data is essential to the business of policing. We all have a responsibility to use the information we gather both effectively and ethically. There is a fine balance between individual privacy and public safety.
In order to maintain public confidence in An Garda Síochána and the delivery of our service to the community, we must ensure that we work to the highest attainable standards. Our integrity includes both the way in which we, as members of An Garda Síochána and those of us working in the policing environment, conduct ourselves and the way in which we ensure the data we hold is compliant with relevant legislation.
The Data Protection Acts 1988 and 2003 have a significant role to play in supporting operational policing. The aim of this Code of Practice is to ensure each employee of An Garda Síochána has an understanding of the concepts of Data Protection and is aware of their own responsibilities. This, in turn, will assist An Garda Síochána in its compliance as an organisation.
Protecting our data is common sense. We need to ensure that data gathered and processed by An Garda Síochána is compliant with Data Protection Legislation. The reading and understanding of this Code by all employees of An Garda Síochána will go a long way towards meeting this requirement.
Data Protection is the safeguarding of the rights of all individuals to privacy and integrity in relation to the processing of their personal data.
The Data Protection Acts 1988 and 2000 confer rights on individuals as well as responsibilities on those persons handling, processing, managing and controlling personal data.
Data means information in a form, that can be processed. It includes both automated or electronic data and manual data.
Automated Data means, broadly speaking, any information on computer, or information recorded with the intention of putting it on computer. Examples of this are entries on the PULSE System or any other electronic database.
Manual Data means information that is kept as part of a relevant filing system, or with the intention that it should form part of a relevant filing system. Examples of this are all traditional paper files such as investigation files and reports and statements as well as personnel and financial records and duty rosters prepared as part of normal operational duties.
Relevant Filing System means any set of information that, while not computerised, is structured by reference to individuals, or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible. Examples of this in An Garda Síochána are Filing Systems for Court and Investigation Files, Fogra Tora, Bulletins, Bulletins issued by Criminal Intelligence Officers, etc.
Personal data in the context of the Data Protection Acts 1988 and 2003, means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller. Examples of this are any report, statement, file or electronically recorded entry from which a living individual can be identified. An individual may also be identified by a unique pseudonym, a nickname, or some other characteristic or feature unique to them. In addition, it may also include a car registration held by An Garda Síochána and relating to a person. It also includes communications data (excluding content) and IP addresses held by An Garda Síochána and relating to a person. The Data Protection Acts do not apply to data that is anonymised to remove any personal data from it.
Access Request is where a person makes a request to An Garda Síochána for the disclosure of their personal data under section 4 of the Acts. Responses issued under the Data Protection Acts to Data Subjects should not be construed as Garda Vetting, Character Reference, Security Clearance or any interpretation of same.
Sensitive personal data relates to specific categories of data which are defined as data relating to a person's racial origin; political opinions or religious or other beliefs; physical or mental health; sexual life; criminal convictions or the alleged commission of an offence or trade union membership. Examples of this are files or entries containing details of allegations, prosecutions or convictions with regard to an individual. This type of Data would form a large portion of the overall Database held by An Garda Síochána.
Processing means performing any operation or set of operations on data, including:
Obtaining, recording or keeping the data,
Collecting, organising, storing, altering or adapting the data,
Retrieving, consulting or using the data,
Disclosing the data by transmitting, disseminating or otherwise making it available,
Aligning, combining, blocking, erasing or destroying the data.
This, in effect, means that every time a member of An Garda Síochána records an entry in their personal notes such as their notebook, on an official record such as the Custody Record; on a manual file such as a statement of evidence or incident investigation file; or on a computerised database such as PULSE, regarding a living individual or individuals who can be identified from the data, the said member is deemed to be processing the data.
Data Subject is an individual who is the subject of personal data.
Data Processor is a person who processes personal information on behalf of a data controller, but does not include an employee of a data controller who processes such data in the course of his/her employment. For the purposes of the Act this means organisations to which An Garda Síochána out-sources work, such as the payment of fixed charge fines through An Post. The Act places responsibilities on such entities in relation to their processing of the data.
The Data Controller for the purpose of these Acts is the Commissioner of An Garda Síochána.
PULSE is an acronym for Police Using Leading Systems Effectively. Pulse is an I.T. enabled Service Delivery Project. Pulse comprises of 17 operational and integrated system areas. e.g. Crime Recording, Processing of Prisoners and Traffic Management.
Employee Means a member of An Garda Siochana, a Reserve member of An Garda Siochana, all staff under the direction and control of the Garda Commissioner under Section 19 of the Garda Siochana Act 2005 and also including members of the Police Service of Northern Ireland who have been seconded to An Garda Siochana under Section 52 and 53 of the Garda Siochana Act 2005.
4. DATA PROTECTION RULES AN GARDA SÍOCHÁNA MUST ADHERE TO
Obtain and process information fairly
Keep it only for one or more specified, explicit and lawful purposes
Use and disclose it only in ways compatible with these purposes
Keep it safe and secure
Keep it accurate, complete and up-to-date
Ensure that it is adequate, relevant and not excessive
Retain it for no longer than is necessary for the purpose or purposes
Give a copy of his/her personal data to the relevant individual, on Request
4.1. Obtain and process data fairly and lawfully
An Garda Síochána is legally entitled to obtain and process personal data, without the consent of the data subject in circumstances where personal data is obtained or kept for the purposes of preventing, detecting, or investigating offences, or apprehending or prosecuting offenders, where the seeking of such consent would be likely to prejudice these purposes. In all other circumstances to fairly obtain data the data subject must, at the time the personal data is being collected, be made aware of:
the identity of the data controller,
the purpose in collecting the data,
the persons or categories of persons to whom the data may be disclosed, and
any other information which is necessary so that processing may be fair.
To fairly process personal data it must have been fairly obtained in line with above:
the data subject must have given consent to the processing or,
the processing must be necessary for one or more of the following reasons and any one or more will apply to the performance of the functions of An Garda Síochána,
to prevent injury or other damage to the health of a data subject,
to prevent serious loss or damage to property of the data subject,
to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged,
for the administration of justice,
for the performance of a function conferred on a person by or under an enactment,
for the performance of any other function of a public nature performed in the public interest by a person.
There will be circumstances when the purpose of information or data to be used is obvious. On other occasions it may be necessary to provide an explanation to the individual. An example of this would be where a Garda will seek the consent of victim(s) of crime to pass their details on to an organisation such as Victim Support or other similar support or research group.
In certain situations an individual has little option other than to supply information to An Garda Síochána for policing purposes. In such circumstances it may be necessary for the Garda member to notify the individual of any non obvious use of that information and take into account the individual's wishes regarding any additional use of the data.
The individual should be informed that a statement may be used during any subsequent proceedings.
4.2 Keep it only for one or more specified, explicit and lawful Purposes
An Garda Síochána may only keep data for a purpose/s that are specific, lawful and clearly stated and the data should only be processed in a manner compatible with the purpose. An individual has a right to question the purpose for which An Garda Síochána holds his/her data and An Garda Síochána must be able to identify that purpose.
An Garda Síochána holds information for a variety of purposes. Much of this information is held for the investigation, detection and prevention of offences while other information such as the Keyholders Register, Administrators of Neighbourhood Watch Schemes, and the Electoral Register for instance are held for the performance of functions of a public nature and can only be used for these purposes.
It is also the case that An Garda Síochána obtains and processes personal data in the context of the administration of the organisation. Such data includes data required within an internal management context such as the personnel files of all employees of An Garda Síochána, duty details, operational directives and financial claims. All such information must be obtained and processed in compliance with the Acts and is not subject to the exemptions in the Act for the obtaining and processing information for the investigation or preventing of a criminal offence.
4.3 Use and disclose data only in ways compatible with these Purposes
Disclosure in the context of data protection is the provision of personal data to a third party by any means whether written, verbally or electronically.
The Act places serious responsibilities on every employee of An Garda Síochána not to disclose data in relation to any individual to any other individual who is not entitled by law to receive it. Personal Data is used within An Garda Síochána in the normal course of operational functions.
Any use or disclosure must be necessary for the purpose/s or compatible with the purpose/s for which the data is collected and kept. An employee of An Garda Síochána making a disclosure should consider whether the data subject would be surprised to learn that a particular disclosure is taking place. If the potential answer to this question is yes then there is a need to question the basis for the disclosure prior to making it.
In all cases the identity of the recipient of the disclosure should be established along with the specific purpose of the disclosure and the legal basis/power to disclose the relevant data. A record of all disclosures should be maintained. In cases where there is any doubt as to disclosure, or the status of the data concerned, a file should be submitted to Assistant Commissioner, Crime and Security for directions.
Examples of legitimate disclosures are;
disclosures of information held by An Garda Síochána to Law Officers, other Law Enforcement Agencies for the investigation, prevention and detection of offences, on the basis of Mutual Assistance Agreements, Interpol, Europol. To the Health Service Executive in respect of Child Welfare issues, etc. The Courts Service and other agencies with a statutory investigative/ enforcement role, etc,
a member of An Garda Síochána providing the registered owner details of a car to an injured party under the provisions of the Road Traffic Act or to a person legitimately representing their interests,
statements or information issued to the media which are managed within An Garda Síochána's Media Strategy as established within the terms of An Garda Síochána Code Chapter 17 entitled Media.
Accessing or Disclosing personal data for any purpose other than that for which it was obtained is prohibited. Examples of this would be an employee of An Garda Síochána:
accessing and/or disclosing details of the owner of a motor vehicle, the knowledge of which the employee had obtained as a consequence of their role within An Garda Síochána, to any other member of the public without the consent of the owner of the vehicle and where there is no legal basis for the disclosure,
accessing and/or disclosing details of any person's criminal convictions to a party not entitled to receive it, the knowledge of which the employee had obtained from PULSE, or other Garda Databases, another employee of An Garda Síochána, without a business need to be aware of the information and without the consent of the person who is the subject of the conviction,
accessing details of a person on PULSE for their own personal use. Members found to be in breach of this provision, may be committing an offence under the Garda Síochána Act 2005; the Garda Complaints Act 1986 and An Garda Síochána Discipline Regulations. Furthermore such members may be exposing themselves and the organisation to litigation from an injured party and proceedings against An Garda Síochána under the Data Protection Acts.
Disclosure through transferring personal data abroad
There are special conditions that have to be met before transferring personal data outside the European Union, where the receiving country does not have an EU approved level of data protection law. At least one of the following conditions must be met in that the transfer is:
consented to by the data subject,
required or authorised under an enactment, convention or other instrument imposing an international obligation on this State,
examples: Europol Act 1997, Schengen Agreement 1999 and the European Convention for Mutual Assistance in Criminal Matters 1959, as amended,
necessary for the purpose of obtaining legal advice,
necessary to urgently prevent injury or damage to the health of a data subject,
part of the personal data held on a public register,
authorised by the Data Protection Commissioner, which is normally the approval of a contract which is based on an EU model,
the transfer is necessary for reasons of substantial Public Interest.
4.4 Keep Data safe and secure
Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of, personal data and against their accidental loss or destruction. The security of personal information is all-important, but the key word here is appropriate, in that it is more significant in some situations than in others, depending on such matters as confidentiality and sensitivity and the harm that might result from an unauthorised disclosure. High standards of security are, nevertheless, essential for all personal information. The nature of security used may take into account what is available, the cost of implementation and the sensitivity of the data in question.
The standard of security expected of all employees of An Garda Síochána includes the following:
access to the information restricted to authorised staff on a "need-to- know" basis in accordance with a defined policy,
computer systems password protected,
information on computer screens and manual files kept hidden from callers to offices,
back-up procedures in operation for computer held data, including off-site back-up,
all waste papers, printouts, etc. disposed of carefully by shredding,
all employees must log off from PULSE and other computers on each occasion when they leave the workstation,
personal security passwords must not be disclosed to any other employee of An Garda Síochána,
all Garda premises to be secure when unoccupied,
a designated person will be responsible for all the above within An Garda Síochána with periodic reviews of the measures and practices in place.
Every contact on PULSE leaves a trace and every employee should be acutely aware that all activity under their registered number and password on PULSE is recorded. During an Audit or Investigation procedure they may be asked to account for the reasons they accessed a particular individual's data at any given time and what they did with it afterwards. An Garda Síochána will ensure that appropriate data protection and confidentiality clauses are in place with any processors of personal information on its behalf.
4.5 Keep Data accurate, complete and up-to-date
Apart from ensuring compliance with the Acts, this requirement has an additional importance in that An Garda Síochána may be liable to an individual for damages if it fails to observe the duty of care provision in the Acts applying to the handling of personal data.
To comply with this rule An Garda Siochana will ensure that:
clerical and computer procedures are adequate to ensure high levels of data accuracy,
the general requirement to keep personal data up-to-date has been fully implemented,
appropriate procedures are in place, including periodic review and audit, to ensure that each data item is kept up-to-date.
The Garda Information Services Centre ensures the accuracy of information by:
using trained personnel to record incident details on PULSE through sequential questioning of the Garda member having regard to the requirements of the incident concerned,
reviewing each and every incident to a specified standard,
recording all phone calls from members of an Garda Siochána in connection with the creation and updating of incidents and comparing the information entered on PULSE with the information on the recorded calls on an ongoing basis,
developing and operating a Quality Process to ensure call takers and reviewers are operating to a high standard,
identifying areas where errors are most commonly made and providing training to eliminate those errors,
in addition District Officers and Supervisors as part of their Operational Functions monitor the details of incidents recorded on PULSE on an ongoing basis.
Section 6 of the Acts gives a person a right to seek to have personal data amended or erased where it can be shown that it is incorrect. Examples of this are the updating of court outcomes to show the exact situation at any given time and ensuring that all biographical data, especially name and date of birth of a Data Subject is correct.
4.6 Ensure data is adequate, relevant and not excessive
An employee of An Garda Síochána can fulfill this requirement by making sure they only seek and retain the minimum amount of personal data needed for the specified purpose.
To comply with this rule each employee should ensure that the information held is:
adequate in relation to the purpose/s for which it is kept,
relevant in relation to the purpose/s for which it is kept,
not excessive in relation to the purpose/s for which it is kept.
As an example, it is strongly suggested that members should stick to the facts when recording all incidents and not record unsustainable remarks, allegations or hearsay in relation to any incident or investigation. Opinions, except where evidentially founded, should not be recorded. A member should exercise discretion when seeking certain types of information from a data subject in a public place, e.g. date of birth.
4.7 Retain data for no longer than is necessary for the purpose or Purposes
This requirement places a responsibility on An Garda Síochána to be clear about the length of time data will be kept and the reason why the information is being retained. To meet this requirement An Garda Síochána will ensure that files are regularly purged and that personal data is not retained any longer than necessary.
All electronic and manual data will be retained in line with the Garda Commissioner's policy on records management in An Garda Síochána. For the purposes of retention, Data will be categorised into essential and non-essential files. Specific timeframes will be established in respect of the retention of all data contained on such files within An Garda Síochána. All members will be informed of policy in respect of data retention by way of relevant Garda HQ Directives and shall ensure that all data under their control is managed and retained in line with the Commissioner's policy as established therein.
As an example, all investigation files and incident records regarding Headline and Indictable Crimes and Incidents will be retained for 30 years as Departmental Records in line with the provisions of the National Archives Act 1986. Decisions in respect of the further retention of such files will be made on a case by case basis following the 30 year period as specified.
4.8 Give a copy of his/her personal data to that individual, on Request
On making an access request any individual, about whom An Garda Síochána keeps personal data, is entitled to:
a copy of the data being kept about him/her,
know the purpose/s for processing his/her data,
know the identity of those to whom the organisation discloses the data,
know the source of the data, unless it is contrary to public interest,
know the logic involved in automated decisions,
a copy of any data held in the form of opinions, except where such opinions were given in confidence.
An Garda Síochána has clear coordinated procedures in place to ensure that all relevant manual files and computers are checked for the data in respect of which the access request is being made.
To make an access request the data subject must:
apply to An Garda Síochána for access to their personal data under section 4 of the Data Protection Acts 1988 and 2003,
give any details which might be needed to help identify him/her and locate all the information you may keep about him/her e.g. previous addresses, dates of incidents etc,
pay the appropriate access fee.
Every individual about whom a data controller keeps personal information has a number of other rights under the Act, in addition to the right of access.
These include the right to have any inaccurate information rectified or erased and the right to complain to the Data Protection Commissioner. In response to an access request An Garda Síochána must:
supply the information to the individual promptly and within 40 days of receiving the request,
provide the information in a form which will be clear to the ordinary person, e.g. any codes must be explained in ordinary language.
Where an access request is being refused, the reasons for the refusal of the request must be clearly outlined to the Data Subject.
Method of Application Requests for personal data should be made in writing on the prescribed form to:
The Garda Central Vetting Unit, Racecourse Road, Thurles, Co Tipperary.
Responding to Requests Once a valid request is received (as above), An Garda Síochána must reply within forty days, even if personal data is not held or an exemption is relied upon.
N.B. When employees of An Garda Síochána receive queries and files from the Garda Central Vetting Unit in respect of Data Protection access requests they should ensure that they are responded to promptly so as to enable the organisation to meet its obligations in respect of this 0 day rule.
Circumstances where Access to Personal Data may be denied An Garda Síochána is not obliged to disclose information in response to a subject access application if it identifies another individual. Information about a third party can only be disclosed if:
the third party has given consent to the person making the request
in certain circumstances it is reasonable to disclose the information without the consent of the other individual.
In these circumstances, due regard will be given to a balance of interest of the parties concerned. In any event every effort will be made by An Garda Síochána to supply personal data in a redacted format to the requesting party.
Information may also be withheld where its release as part of an access request may be prejudicial to the investigation, detection or prevention of a crime. Where the release of such information would no longer be prejudicial to the above it will be released to a data subject.
Where An Garda Síochána is of the view that the release of personal data to a data subject as part of an access request may have a negative impact on the physical or mental health of a person it will be released to the person's General Medical Practitioner in the first instance.
Requests Made on Behalf of Another
Children Subject Access Requests can be accepted from a child if, in the opinion of the Garda Commissioner, the child has sufficient intellectual ability to understand the nature of the request.
A parent or guardian can exercise the right, and receive the reply, if:
the child does not have the intellectual ability to understand the nature of the request, and
the parent is acting in the best interests of the child and there is no information to suggest that the parents of the child are in dispute and where such release would be appropriate. An access request on behalf of a child will not be acceded to if it would likely be relevant to any ongoing abuse/welfare allegations that may involve the requester.
An Garda Síochána may receive subject access requests by agents such as solicitors acting on behalf of an individual. The Garda Commissioner will satisfy himself as to the identity of the agent and seek sufficient information about the individual he is acting for, to assist in establishing identity and locating the data sought.
The Garda Commissioner will seek written confirmation from the individual authorising the agent to make the request. All responses will normally be sent directly to the Data Subject at their home address as provided. Where a request is made for the information to go to a place other than the individual's home address, the relationship between the individual and the agent, will be a factor in determining whether to comply with the request. e.g. Client/Solicitor.
Disclosures issued under the Data Protection Acts to Data Subjects should not be construed as Garda Vetting, Character Reference, Security Clearance or any interpretation of same.
5. AREAS OF RESPONSIBILITY
The Garda Commissioner Ultimate responsibility for the compliance of each employee of An Garda Síochána with the Data Protection Acts rests with the Garda Commissioner.
The Garda Commissioner will be responsible for:
overseeing the management of data protection matters within An Garda Síochána,
ensuring that reporting lines exist to allow other employees of An Garda Síochána to raise matters relating to data protection at a senior level,
managing the Organisations statutory obligations in respect of the Data Protection Acts including; compliance with the Data Protection Principles, registration with the Data Protection Commissioner and securing individuals rights under the Acts,
maintaining an up to date knowledge of Data Protection legislation and general developments in other relevant areas (e.g. Freedom of Information Act) and to ensure that this Code of Practice is disseminated and adhered to throughout the Organisation,
promoting data protection awareness through training, policy development, advice and guidance, ensuring that operating rules and general policy guidance in support of this Code of Practice and all matters relating to the Acts are available to all staff,
ensuring information and systems comply with the Data Protection Principles and that appropriate security arrangements exist to protect data, including where necessary, that suitable contracts are drawn up relating to the processing of data held for An Garda Síochána by third parties. e.g. processing for fixed charge penalty systems,
investigation and resolution of complaints made in relation to personal data and to assist where appropriate in the investigation of disciplinary and criminal matters,
providing for liaison on all data protection matters between An Garda Síochána and the Data Protection Commissioner.
All employees of An Garda Síochána
All employees of An Garda Síochána have a duty to ensure compliance with the principles of Data Protection as set out in Chapter 4 and will undertake to follow the provisions of this Code of Practice in accordance with Garda policy and procedures.
All employees of An Garda Síochána are charged with the responsibility of ensuring that all data that they access, manage and control as part of their daily duties is done so in accordance with the Data Protection Acts and this Code of Practice.
Employees found in breach of the Data Protection Rules may be found to be committing an offence under the Data Protection Acts 1988 and 2003; the Garda Síochána Act 2005; the Garda Complaints Act 1986 and An Garda Síochána Discipline Regulations. Furthermore such members may be exposing themselves and the organisation to litigation from an injured party.
All current and former employees of An Garda Síochána, will be held accountable in relation to all data processed, managed and controlled by them during the performance of their duties in An Garda Síochána.
6. AUDITS OF DATA PROTECTION PROCEDURES WITHIN AN GARDA SÍOCHÁNA
To ensure the quality of data retained by An Garda Síochána, and that access to and usage of such data is appropriate within the terms of this Code, each District Officer will, as part of his/her quarterly inspection and audits in line with the Garda Commissioner's policy, examine data under the headings of Quality Control; Data Accuracy; Access to Data; and Usage of Data.
In addition to this, the Garda Professional Standards Unit will conduct examinations and reviews of Data Protection procedures as part of their ongoing examination and review process.
Furthermore, external audits of all aspects of Data Protection within An Garda Síochána may be conducted on a periodic basis by the Office of the Data Protection Commissioner.
7. ENFORCEMENT OF DATA PROTECTION LEGISLATION
Data Protection Commissioner
The Act establishes the independent office of Data Protection Commissioner. The Data Protection Commissioner is appointed by Government and is independent in the performance of his functions. The Data Protection Commissioner's function is to ensure that those who keep personal data in respect of individuals comply with the provisions of the Data Protection Acts. In furtherance of this function, the Data Protection Commissioner will also have responsibility for monitoring the implementation of this Code of Practice.
The Data Protection Commissioner has a wide range of enforcement powers to assist him in ensuring that the principles of Data Protection are being observed. These powers include the serving of legal notices compelling a data controller to provide information needed to assist his enquiries, or compelling a data controller to implement a provision of the Act.
The Data Protection Commissioner also investigates complaints made by the general public in relation to personal data and has wide powers in this area. He can, for example, authorise officers to enter premises and to inspect personal information kept on computer or relevant filing system. Members of the public who wish to make formal complaints in respect of breaches of the Data Protection Acts may do so by writing to the office of the Data Protection Commissioner, Station Road, Portarlington, Co Laois.
Any member of the public with a more general complaint in relation to the behaviour of a member of An Garda Síochána should address their complaint to the Garda Síochána Ombudsman Commission. More information in this regard may be found at www.gardaombudsman.ie.
Individual Gardai in the normal course of their duties are not empowered to investigate breaches of the Data Protection Act(s). Members of the public who report breaches of the Data Protection Act(s) to individual members of An Garda Síochána should be referred to the office of the Data Protection Commissioner as outlined above or to access further information at www.dataprotection.ie.
Where employees of An Garda Síochána, in the normal course of their duties, become aware that an individual including employees of An Garda Síochána may be breaching the Acts or have committed or are committing an offence under the Acts, they should report the matter through normal communication channels to Assistant Commissioner, Crime & Security. A data controller found guilty of an offence under the Acts can be fined amounts up to €100,000, on conviction on indictment and/or may be ordered to delete all or part of a database if relevant to the offence.
All files requesting advice and assistance on data protection issues within An Garda Síochána should be directed to:
Garda Central Vetting Unit/Garda Criminal Records Office
Tel: Lo-Call 1890 488 488/00353 504 27300
Office Hours: 9am-5pm Monday – Friday