Privacy statement

The Adoption Authority of Ireland is an independent statutory body established on 1 November 2010 by the Adoption Act 2010. The primary purpose of the Adoption Act 2010 is to provide for matters relating to the adoption of children and to give the force of law to the Convention on the Protection of Children and Co-operation in respect of Intercountry Adoption.

The Adoption Authority of Ireland is committed to protecting your privacy. This Privacy Statement tells you about your privacy rights and sets out how we, as a Data Controller, collect and process personal data:

1. As part of our General Adoption Services about

  • Visitors to our websites
  • Individuals who we communicate or interact with in the course of the provision of our services.
  • Individuals whose personal data is provided to us in connection with the provision of our services, whether directly or indirectly.
  • Individuals who attend events we organise.
  • Individuals who are employed or engaged by suppliers of goods or services or parties tendering goods or services.

Table A: How we use personal data we collect – General Adoption Services

2. As part of operating the Contact Preference Register

  • Individuals whose data we collect and process for the purposes of operating the Contact Preference Register (also referred to as the "CPR") and for the purposes of processing applications made in respect of access to birth information and/or tracing services.
  • The CPR was set up under a law passed by the Oireachtas called the Birth, Information and Tracing Act 2022 (the "BITA 2022"). The BITA 2022 places the responsibility on setting up and maintaining the CPR with the Adoption Authority.
  • The main function of the CPR is to enable contact between family members affected by adoption. The CPR serves as a way to lodge a 'contact preference' in relation to birth relatives, adopted persons and other specified persons, including a request for privacy. Applicants to the register can also lodge an item (letter, photograph etc.) for a specified person (e.g. for an adoptee or a birth parent). In the Adoption Authority, we refer to people who use the CPR as ‘applicants’. As an applicant, you can tell us on the CPR application form how much contact you want with your relative.
  • If you are an adopted person, a member of the birth family, or a guardian, caregiver or friend of an adopted person, you can choose to put your details on the CPR. You can: (i) state who you would like to have contact with, (ii) state who you would like to share information with, select the kind of contact you would like, and (iii) select not to have any contact at all.  Please see the CPR information leaflet for more information on who can apply to put their details on the CPR, and the registration process.

Information we collect

“Personal data” means any information about an individual from which that person can be identified. We do not collect any personal data about you on our website, apart from information which you volunteer (for example by emailing us, using our web contact forms, and as set out in our Cookie Policy.

In providing our services, we may also receive personal data directly and indirectly, including from the Child and Family Agency (Tusla), Adoption Agencies, Government Departments, non-statutory bodies such as religious congregations who may hold records concerning birth and early life information, and publicly accessible sources.

Categories of such personal data include: names of adoptive and prospective adoptive parents, birth parents, adopted persons; addresses; contact information; health data; genetic data; religious beliefs; marital status; criminal convictions or offences data, and other information that is relevant to the provision of our services.

In carrying out our functions relating to the CPR, the personal data which we collect and process includes the information you provide when you fill out a CPR application form; any further information you provide to us; information we obtain from a third party such as Tusla; information from our own files and records. In particular:

  1. your name,
  2. your date of birth,
  3. your address and other contact details;
  4. your status as an adopted person or other relevant person, birth relative, adoptive parent, guardian, care-giver or friend;
  5. the names of birth parents, birth relatives and relevant guardian of an adopted person, or other relevant person (where applicable and known);
  6. the place at which care was provided as part of a care arrangement to an adopted person, or other relevant person (where applicable and known);
  7. the adoption society which made arrangements for the adoption (where applicable and known);
  8. your contact preferences;
  9. any other information you share with us, which may include health data; genetic data; religious beliefs; marital status; and other types of information either relating to you or your birth relative or an adopted person;
  10. the identification documents provided by you when you complete the CPR application form;
  11. details of the birth relative(s) or adopted person you would like to contact;
  12. details which an adopted person or other relevant person, birth relative, adoptive parent, guardian, caregiver or friend may have shared concerning you;
  13. whether an information session has been completed with an adopted person in respect of a parent, and
  14. other information which the Minister for Children, Disability and Equality, may require us by regulation to record on the CPR.  If you do not provide us with the personal data we request, we may not be able to provide you with our services or respond to any questions or requests you submit to us via our website, by telephone, email or writing. We will tell you when we ask for personal data whether it is a contractual requirement or needed to comply with our legal obligations.

Table B: How we use personal data we collect – Birth Information and Tracing Services

Data Retention

  • Section 44 (1) of the BITA 2022 mandates that the Authority retain and maintain all ‘relevant records’ held, or acquired by it, from the date set out in  S.I. No. 448/2022 i.e. the 3rd of October 2022.
  • We will retain your personal data only for as long as necessary for the purposes for which it was collected; as required by law, and for the exercise and defence of legal claims that may be brought by or against us.
  • We will retain personal data about a job applicant candidate for no more than one year. Any health data is collected in context of managing health epidemic or pandemics will only be retained for so long as is necessary and updated from time to time in line with legal requirements and best practice.
  • Any identification documents which you provide to us when you submit a CPR or Birth Information application will be destroyed once we have verified your identity. For example, name and related personal details, including contact details and contact preferences, which are provided to us in CPR application forms, will remain on the CPR permanently unless you write to us and ask us to change or remove them. Please remember to contact us if your contact details change (see 'Contact Us' below).

Disclosure of your information

We may disclose your personal data to:

  • A third party who provides a service to us, including the Office of the Government Chief Information Officer (OGCIO), Chief State Solicitors Office (CSSO), other legal advisers and auditors who provide a service to us.
  • Tusla – the Child and Family Agency, Accredited Adoption Agencies, the Department of Children, Disability and Equality (DCDE); the General Registers Office (GRO) of the Department of Social Protection (DSP), the Health Service Executive (HSE) and other third parties where necessary for the performance of our functions under the Adoption Acts 2010 (as amended), BITA 2022 or other applicable laws.
  • In relation to the CPR, we may share personal data, including contact details, that are recorded in the CPR with birth relatives or other specified persons where there has been a 'match' with an existing entry on the CPR. This may include contact preference, contact details (where a preference of having contact with the relevant person has been expressed) and any items lodged with us for sharing with the relevant person. If you are the person making the application for information on the CPR or tracing services, your contact details may also be shared with relevant relatives or other specified persons on the CPR where there has been a match.
  • A third party where we are under a duty to disclose or share your personal data in order to comply with any legal obligation or court order, such as the State Claims Agency (SCA), An Garda Síochána, the Court Services, the Personal Injuries Resolution Board (PIRB), the Data Protection Commission (DPC), the Office of the Information Commissioner (OIC) the National Archives of Ireland (NAI) and the Office of the Chief Deciding Officer (OCDO) of the Mother and Baby Home Payment Scheme Executive.
  • A Commission or Tribunal of Inquiry whose terms of refence includes records held by the Adoption Authority.   
  • A third party where it is necessary to protect the vital interests of the data subject or another natural person. For example, our Medical Officer may advise us that it is important that a person is provided with certain medical information. We will endeavour to seek your consent prior to providing a third party with such medical information, unless you are physically or legally incapable of providing consent or we cannot locate you.
  • A third party who tenders to us or provides services or goods to us.

Transfers

To the limited extent that it is necessary to transfer personal data outside of the European Economic Area, we will ensure appropriate safeguards are in place to protect the privacy and integrity of such personal data, including standard contractual clauses under Article 46.2 of the GDPR or an adequacy decision under Article 45 for GDPR. 

Please contact us if you wish to obtain information concerning such safeguards (see Contact Us below)

Links to other websites

Our website may, from time to time, contain links to and from other websites. If you follow a link to any of those websites, please note that those websites have their own privacy policies, and we do accept any responsibility or liability for those policies. 

Please check those policies before you submit any personal data to those websites.

Your rights

You have the right to request access to, rectification, or erasure of your personal data, or restriction of processing or object to processing of your personal data, as well as the right to data portability. In each case, these rights are subject to restrictions as laid down by law. 

The following is a summary of your rights:

  • The right of access enables you to receive a copy of your personal data.
  • The right to rectification enables you to correct any inaccurate or incomplete personal data we hold about you.
  • The right to erasure enables you to ask us to delete your personal data in certain circumstances.
  • The right to restrict processing enables you to ask us to halt the processing of your personal data in certain circumstances.
  • The right to object enables you to object to us processing your personal data where processing is carried out in the public interest and where processing is carried out under official authority.
  • The right to data portability enables you to request us to transmit personal data that you have provided to us, to a third party without hindrance, or to give you a copy of it so that you can transmit it to a third party, where technically feasible.

Restriction of your rights

The BITA 2022 sits within the framework of the GDPR. Similar to GDPR it provides for access to personal information, however unlike GDPR it provides for guaranteed and unredacted access to the suite of information covered by this legislation.

In order to ensure the efficient operation of the Birth Information and Tracing Act 2022, certain rights and obligations provided for in the GDPR are restricted.

As defined in Section 68 of the BITA 2022, the rights and obligations provided for in the following Articles of the General Data Protection Regulation, in so far as those rights and obligations relate to the processing of personal data and special categories of personal data by a person under the 2022 Act, are restricted to the extent necessary and proportionate to enable the person to perform his or her functions under this Act:

  • Article 14 – obligation that a data controller should provide information to the data subject where personal data have not been obtained from the data subject;
  • Article 17 – the right to erasure
  • Article 18 – the right to restriction of processing;
  • Article 21 – the right to object.
  • Article 12 will have an ancillary restriction due to the restrictions of these articles.

The justification for these restrictions is as follows:

Article 14 – the obligation that a data controller should provide information to the data subject where personal data have not been obtained from the data subject.

  • It would be near impossible for a data controller to comply with this obligation given the historic nature of the records, the volume and diversity of the records and the different social norms and administrative practices in place at the time they were created.

Some records will have been collected by the data controller, for instance the adoption file retained by the Adoption Authority. In other cases, such as county home or adoption society records, the Authority is now the data controller, however, the records were created by the relevant religious orders or local authorities.

Article 17 - The right to erasure

  • The right to erasure does not apply to data under the Act. The Act relies on releasing information that is present on records and the ability to erase data is contrary to that.
  • Article 17(3) of the GDPR sets out the exemptions whereby the right to erasure does not apply and the exemption set out at 17 (3) (b) applies to data under the Birth Information and Tracing Act, 2022.

Where a data subject becomes aware of an inaccuracy, an application pursuant to the Article 16 right to rectification, by means of providing a supplementary statement, can be made to the data controller.

Article 18 – the right to restriction of processing

  • A parent named in the records may wish to restrict processing on grounds that they believe there are inaccuracies. The onus would then lie with the data controller to verify the accuracy or otherwise of the disputed historical record and ensure that any processing of the data is restricted while this verification is taking place.
  • The verification may be wholly impossible or may be extremely difficult and onerous in terms of historic records. During the time that the data controller is carrying out the verifications, the data cannot be processed and this will have implications for an application made by an adopted person.
  • In cases where accuracy cannot be verified or remains contested, it could result in a restriction of lengthy and indefinite duration, during which time the rights of the other party (i.e. the applicant) to their origins information cannot be vindicated.

It may be noted that the right to rectification is not restricted and, so, a person with a concern in relation to inaccuracies on a historical record would be able to request rectification, for example, by providing a clarifying statement to be appended to the record.

Article 21 – the right to object

  • The core purpose of the BITA 2022 legislation is to enshrine in law the right of a person to know his or her origins and provide for the release of a birth certificate and birth information to adopted people and others in all cases.
  • By restricting this GRPR Article 21 right, data controllers will no longer be obliged to consider applications of objection to processing on a case-by-case basis and this will reduce delays and blockages to the release of origins information to an adopted person.

You also have the right to withdraw your consent to our processing of your personal data at any time (without affecting the lawfulness of processing based on consent before its withdrawal), in circumstances where we rely on this legal basis to process your data, for example, the CPR.

In addition, in relation to the CPR, you have the following specific rights under the BITA 2022:

  • the right to request the Adoption Authority to cancel any entry made in the CPR in respect of you; and
  • the right to request the Adoption Authority to amend or delete any information contained in an entry in the CPR in respect of you (except for the fact of an information session having been held, if applicable).

If you wish to exercise any of these rights, please contact us (See Contact Us below)

Security and where we store your personal data

We are committed to protecting the security of your personal data. We use a variety of technologies, as clients of the Office of the Government Chief Information Office (OGCIO) and procedures to help protect your personal data from unauthorised access and use. 

As effective as modern security practices are, no physical or electronic security system is entirely secure. We cannot guarantee the complete security of our database, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the internet. 

Any transmission of personal data is at your own risk. 

We have implemented strict internal guidelines to ensure that your privacy is safeguarded at every level of our organisation. We will continue to revise policies and implement additional security features as new technologies become available.

Changes to this Privacy Statement

We reserve the right to change this Privacy Statement from time to time at our sole discretion. If we make any changes, we will post those changes here and update the “Last Updated” date at the bottom of this Privacy Statement. However, if we make material changes to this Privacy Statement, we will notify you by means of a prominent notice on website prior to the change becoming effective. Please review this Privacy Statement periodically for updates.

Complaints

You have the right to lodge a complaint with the Data Protection Authority, in particular in the Member State of your residence, place of work or place of an alleged infringement, if you consider that the processing of your personal data infringes the GDPR. In Ireland, this is the Data Protection Commission.

Contact Us

Our Data Protection Officer (DPO) is available to answer any data protection and privacy-related questions you may have. 

You can contact the DPO at dataprotection@aai.gov.ie or by writing to: 

The DPO
Adoption Authority of Ireland
Shelbourne House
Ballsbridge
Dublin
D04H6F6

We will do our best to promptly resolve any concerns you may have about how we protect your privacy and personal data.

Last Updated: 9 January 2026