Data Protection

The GDPR and Data Protection Act 2018 (“the 2018 Act”) is designed to protect people's privacy. The 2018 Act confers rights on individuals in relation to the privacy of their personal data as well as responsibilities on those persons holding and processing such data. 

Data Protection Principles

The Authority is committed to adhering to, and demonstrating compliance with, the following principles relating to the processing of personal data as set out in Data Protection Laws.

Personal data shall be:

Data Retention

Retention means how long we keep your personal data. The retention periods for personal data held by the AAI are based on the requirements of the data protection legislation and on the purpose for which personal data is collected and processed.

The retention periods applied by the AAI to personal data which it processes are also, in certain circumstances, based on legal and regulatory requirements to retain information for a specified period.

Personal Data

Personal data means data relating to a living person who is or can be identified from the data itself or in conjunction with other information that is in, or is likely to come into, the possession of the Authority. This data can be held on computers or in manual files. 

Processing of Your Personal Data

Most of the personal data we process is obtained from you when you provide it directly to the AAI, but we may also obtain personal data about you from the AAI’s processors whom we have a Data Sharing Agreement with in place. The AAI’ is required to engage with our processors in the course of our performance of our statutory functions and activities.

The personal data we collect from or about you or through our systems helps us to comply with our legal obligations or to carry out our statutory functions and activities. The personal data we collect, the basis of processing and the purposes of processing are detailed in our General Privacy Notice.

Keeping Your Personal Data Secure

The AAI operates and uses technical and physical security measures to protect your personal data.

We have in particular taken appropriate security measures to protect any personal data held by the AAI from accidental or unlawful destruction, loss or alteration, and from unauthorised disclosure or access. Access to your personal data is only granted on a need-to-know basis to those people within the AAI whose roles require them to process your personal data and, in certain circumstances, to third parties.

For further information, please see the AAI’s General Privacy Notice.

Accessing Your Personal Data

You can make a request for your personal data by contacting our Data Protection Officer via email at DataProtection@aai.gov.ie  or alternatively by writing to:

Data Protection Office
Adoption Authority of Ireland
Shelbourne House
Shelbourne Raod
Ballsbridge
Dublin 4
D04 H6F6

Please note, requests can also be made by telephone. However, in line with the AAI’s protocol for processing DSARs you will be required to provide certified identification to confirm your identity.

For convenience, the AAI has compiled a DSAR application from to assist the Authority in locating any of your personal data we may hold. Please note, there is no obligation to fill out this form, but it does assist us in locating your personal data.

The AAI acknowledges that some requesters may have very limited information about their adoption placement.  If you indicate an individual who was involved in the adoption process is now deceased. We understand that this may be a sensitive and highly personal topic for you. Where a person is deceased, the GDPR does not apply to them. While this factor alone does not determine if data can be shared with you in all cases, it may mean that personal information in relation to that person can be shared to you. For this reason, if you know that a contact is deceased, please share confirmation of that with us by producing a death certificate or other confirmation that the person is deceased.

A response to an access request will issue as soon as is possible. Where possible, we respond to DSARs within one month. Where necessary, we respond within three months.

If you would like to request that we amend the accuracy or completeness of your personal data, restrict the processing of your data or seek erasure of your data please contact our Data Protection Officer.

Please note, under the Birth Information and Tracing Act 2022 it is now an offense for the Adoption authority to destroy or delete ‘relevant record’ as defined  in Section 2 Sub-section 1 of the 2022 Act.

Exceptions to the Right of Access

The GDPR and the 2018 Act sets out a small number of circumstances in which the right to access personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand. Case law and other legal factors may also be relevant to the consideration of your request. For example, where a birth parent has refused to consent to the sharing of their data, or where the disclosure of data may, on balance, have an adverse effect on an individual involved, the data may be withheld.

Responsibilities of the Authority

The Authority’s responsibilities under Data Protection Laws include:

• implementing appropriate technical and organisational measures to secure personal data 
• implementing appropriate agreements with third parties who access the personal data we hold or we transfer personal data to
• implementing data protection measures by default when we design systems and processes 
• conducting data protection impact assessments when designing new types of data processing and using new technologies
• maintaining procedures for data subjects to exercise their rights under Data Protection Laws
• maintaining personal data breach procedures 
• ensuring that adequate governance of our data protection policies and procedures are in place, including the appointment of a Data Protection Officer.

Disclosure

Any information (including any personal data) that you provide to the AAI may in certain circumstances be disclosed by the AAI to third parties. Your personal data may be shared confidentially by the Authority in performing its statutory functions with third parties such as Túsla as permitted or required by applicable law. Your personal data may also be confidentially shared with the Authority’s legal advisors for the purpose of receiving legal advice or assistance. The AAI may disclose such information to third parties where required or permitted to do so by law.

For further details of the situations in which the AAI may disclose personal data to third parties and for information on how the AAI collects and uses personal data, please see the AAI’s General Privacy Notice.

The Data Protection Commission

The Data Protection Commission is responsible for upholding the rights of individuals under Data Protection Laws. Individuals who feel their rights are being infringed can complain to the Data Protection Commission, who will investigate the matter, and take whatever steps may be necessary to resolve it.

The Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland

www.dataprotection.ie
Email: info@dataprotection.ie
Phone: 01 7650100 / 1800437 737