We use cookies to give you the best possible online experience. If you continue, we'll assume you are happy for your web browser to receive all cookies from our website. See our Privacy & Cookie policy statement for more information on cookies and how to manage them.

Data protection

All staff who collect and/or control the use of personal data are responsible for compliance with Data Protection legislation. Management will provide support, assistance, advice and training to support compliance with the legislation. Managers have overall responsibility for ensuring compliance with GDPR in the areas which report to them.

Personal data should not be accessed without a direct business requirement and it must never be discussed with nor disclosed to any unauthorised third party.

All staff should familiarise themselves with the provisions of the Data Protection Acts. Further information is available on the website of the Data Protection Commission www.dataprotection.ie

The Board has appointed a Data Protection Officer (DPO) whose role is to assist the Board and its staff in complying with the Data Protection legislation.  The DPO (who is the Assistant Director, Research, Learning, and Development) can be contacted via dataprotection@legalaidboard.ie or at

Data Protection Officer

Legal Aid Board

First Floor,

Montague Court,

7-11 Montague Street,

Dublin 2.

We are committed to keeping data accurate, complete and up-to-date and have appropriate procedures to assist staff in keeping data up-to-date.

For guidance on our retention and destruction policies for law centres please see earlier in this chapter.

The Legal Aid Board is legally required to notify the Data Protection Commission of a breach without undue delay and within 72 hours.

The Data Protection Officer is responsible within the Legal Aid Board for notifying the Data Protection Commission of any breach, this is not the responsibility of other staff in the Legal Aid Board.

The Data Protection Officer (DPO) will liaise with staff to establish all the necessary details in relation to the breach to notify the Data Protection Commission. The following information should be included when informing the Data Protection Officer of a breach:

  1. If you have not notified the DPO of the breach within 72 hours, provide an explanation why
  2. Date and time the breach occurred – and is this an estimate
  3. Date and time you discovered the breach
  4. Did you notify the people affected and if not, why not? (this includes not only the client but other parties identified in the documents.)
  5. Is the breach ongoing?
  6. Explain the nature of the breach and how it occurred
  7. Is any of the following information disclosed
  8. Name, PPSN, contact details, date of birth, passport, driving licence (or other national id card), location data, economic or financial data, criminal convictions, offences or security measures?
  9. Any other details of data released additional to question 8
  10. Do the documents contain any of the following sensitive data? Data relating to race or ethnicity, religious or philosophical beliefs, political opinions, trade union membership, sex life data, genetics, health, genetic or biometric data? If unknown please specify.
  11. How many people are affected - Is there personal data of others in the documents involved? (for example spouse/children named)?
  12. Does the breach relate to vulnerable people?
  13. How many documents are in involved in the breach? The general nature of the documents
  14. Does the breach involve data maintained for the prevention, detection, investigation, prosecution of criminal offences or the execution of criminal penalties in the State?
  15. Have you take any steps, additional to notification, to address the breach?
  16. What internal controls are in place within your office to minimise breaches occurring
  17. Have you secured or retrieved the data?
  18. If retrieval is possible and has not occurred, explain why.

If it is not possible to provide the above information immediately, inform the DPO of this.

The Legal Aid Board is legally required, in some, but not all circumstances to notify the person whose data has been breached. The Data Protection Officer in the Legal Aid Board will advise as to whether the person needs to be notified. Where notification to the person is necessary, this should be done in writing and without undue delay.

Legal Aid Board staff in the section/unit/office who are responsible for the breach are responsible for notifying the person whose data has been breached. A template notification letter is available on the Data Protection tab on iLAB.

It is extremely important that any member of staff who becomes aware of a potential breach of the Data Protection Acts reports the matter to their managing solicitor  and to the Data Protection Officer (DPO), dataprotection@legalaidboard.ie First Floor, Montague Court, 7-11 Montague Street Dublin 2, immediately.  Depending on the seriousness of the breach the managing solicitor concerned may consider that the Director of Civil Legal Aid/Regional Manager should also be informed and if so, they should do so immediately. As an indication, anything other than a relatively minor breach should be reported to the Director of Civil Legal Aid/Regional Manager.

Data protection breaches may include but are not restricted to:

  • loss of or theft of an electronic device, including mobile phones, laptops, dictation equipment (report to IT also)
  • sending mail to the wrong address
  • loss of or theft of official files, briefcase, etc.
  • burglary/trespass etc at Board’s offices (report to Organisation also)
  • misplacement of files or papers
  • leaving a file down in a public place, even temporarily, allowing for someone else to read it or tamper with it
  • incorrect disposal of files which may result in personal data being released inappropriately
  • inappropriate destruction of files

If you are unsure whether a data protection breach has occurred you should immediately inform your managing solicitor and the Data Protection Officer.

If a data subject is not satisfied with the decision in relation to their request, the data subject should be referred to the DPO who will review the request and aim to resolve the issue.

If a data subject is still not satisfied with the decision in relation to their request s/he has the right to raise a concern with the Data Protection Commission (DPC) who will investigate the matter. The DPC outline three types of access request complaints:

  • no response to an access request
  • incomplete response to an access request
  • exemptions to withhold data being applied incorrectly

The Commission has legal powers to ensure that data subject’s rights are upheld. If we refuse to release personal data to a data subject, it must be clearly communicated to the data subject why that information is being withheld.

The Data Protection Act 2018 sets out some limited circumstances in which an organisation may not be required to provide a data subject with a copy of their personal data: 

  • to safeguard cabinet confidentiality, judicial independence and court proceedings, parliamentary privilege, national security, defence and the international relations of the State
  • for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties
  • for the administration of any tax, duty or other money due or owing to the State or a local authority.
  • in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure
  • for the enforcement of civil law claims, including matters relating to any liability of an organisation in respect of damages, compensation or other liabilities or debts related to the claim, or
  • For the purposes of estimating the amount of the liability of an organisation on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the interests of the organisation in relation to the claim.

In addition, an organisation may not be required to provide a copy of personal data where the data consists of an expression of opinion about a data subject by another person given in confidence, or on the understanding that it would be treated as confidential, to a person who has a legitimate interest in receiving the information.

An individual's right of access may also be restricted where, in the opinion of a medical professional, to grant access to the data would be likely to cause serious harm to the individual's physical or mental health. Access to personal data kept for, or obtained in the course of, carrying out of social work by a public authority, public body, voluntary organisation or other body may be similarly restricted.

The GDPR also provides that the right to obtain a copy of your personal data must not adversely affect the rights and freedoms of others.

Further information on limiting data subject rights and the application of Article 23 of the GDPR can be found on the website of the Data Protection Commission.

Under the Data Protection Acts, data subjects have the right to obtain confirmation of whether or not personal data concerning them is being processed.

Where personal data concerning them is being processed, data subjects have the right to a copy of their personal information and other additional information as follows:

  • Purpose(s) of the processing;
  • Categories of personal data;
  • Any recipient(s) of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organisations and information about appropriate safeguards;
  • The retention period or, if that is not possible, the criteria used to determine the retention period;
  • The existence of the following rights –
    • Right to rectification (to have the data corrected)
    • Right to erasure (to have the data deleted)
    • Right to restrict processing
    • Right to object
    • –and to request these from the controller.
  • The right to lodge a complaint with a supervisory authority (in Ireland this is the Data Protection Commission). 
  • Where personal data is not collected from the data subject, any available information as to their source;
  • The existence of automated decision making, including profiling and meaningful information about how decisions are made, the significance and the consequences of processing.  

The EU General Data Protection Regulation (GDPR) was enacted in 2016 and came into force after a two-year preparation period on 25 May 2018. GDPR considerably strengthens data protection legislation and lays out six principles for processing of personal data. These are:

  1. Lawfulness, fairness and transparency
    Data should be gathered and used in a way that is legal, fair, transparent and understandable. The public have the right to know what data is being gathered and to have this corrected or removed
  2. Purpose limitation
    Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission
  3. Data minimisation
    Data collected by organisations must be limited strictly to what is required for the purpose stated. Organisations must not collect data without specific purpose
  4. Accuracy
    The personal data held should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased
  5. Storage limitation
    Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. Where possible, the personally identifiable information should be removed to leave anonymous data
  6. Integrity and confidentiality
    Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction

The GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.

The Data Protection Act 2018 changes the previous data protection framework, which was established under the Data Protection Acts 1988 and 2003. Among its provisions, the Act:

  • Establishes a new Data Protection Commission (replacing the Data Protection Commissioner) as the State’s data protection authority
  • Transposes the law enforcement Directive into national law
  • Gives further effect to the GDPR in areas where member states have flexibility
  • Pursuant to the GDPR and the Data Protection Acts 1988–2018, the Legal Aid Board is a data controller.

The Data Protection Act 2018 established a new Data Protection Commission (replacing the former Data Protection Commissioner) as the State’s data protection authority. The Data Protection Commission may carry out investigations in the form of data audits, including accessing the premises of a controller or processor.

The Commission can order an organisation to change their processes, comply with data subject requests, issue warnings as well as commence legal proceedings against a controller or processor. There are different penalties, depending on the importance of the breach that are outlined in the Data Protection Act 2018.

A data subject may wish to contact the Data Protection Commission in relation to a data protection issue such as a subject access request or a data breach. Applicants may raise a query through the Commission’s website, or write to:

Data Protection Commission
Canal House
Station Road
Co. Laois R32 AP23

057 8684800
0761 104 800

1890 252 231 (Lo Call Number)


If data subjects (e.g applicants for legal services) wish to access their personal data held by the Legal Aid Board they should contact the relevant Section, law centre, mediation office or the Data Protection Officer in the first instance. Law centre staff should check if the data can be released in accordance with the guidance below. There are guidelines in  Part 9 of the Circular on Legal Services in relation to releasing a law centre file to a client or a private solicitor.

If this is not possible data subjects can make a Subject Access Request (SAR).

If data subjects wish to access their personal data relating to family mediation, staff should advise the data subject to request their information under the Data Protection Acts or Freedom of Information Acts as the mediation file is a joint file.

If making a Subject Access Request, the request should clearly state that the data subject is applying under the Data Protection Acts. A subject access request (SAR) form is available on the Legal Aid Board website to assist data subjects in making their request.

To help us answer requests, such requests should be as specific as possible about the information required and should provide as much information as possible to assist us in finding the required data.

We must provide a copy of the information for free. However, if any further copies are requested by the data subject, we may charge a reasonable fee.

Data subjects are legally entitled to a decision regarding requests within 30 days of the Board  receiving the request. However, every effort should be made to deal with any requests as soon as possible.

Procedure 7.7 – Dealing with a person who wishes to make a subject access request under the Data Protection Acts 1988-2018

  1. All Subject Access Requests (SAR) should be forwarded immediately to: Data Protection Officer, First Floor, Montague Court, 7-11 Montague Street, Dublin 2 OR dataprotection@legalaidboard.ie
  2. The Data Protection Officer (DPO) will record the SAR, allocate it a reference number and send an acknowledgement letter/email to the data subject.  They will then liaise with local staff on the matter and confirm the deadline for response.
  3. Data subjects are legally entitled to a decision regarding requests within 30 days of us receiving same. However, every effort will be made to deal with any requests as soon as possible.
  4. Local staff are fully responsible for the compilation of SARs – the DPO can offer advice as to content.
  5. When preparing data for release, a schedule should be prepared of all data being released. This schedule should be retained on the relevant files and a copy also sent with the data being provided. A copy of the schedule should also be provided to the Data Protection team.
  6. Staff should notify the DPO when the information is ready for collection. The DPO will then notify the data subject that their information is ready for collection.
  7. Data subjects will be asked to provide proof of their identities before being issued their personal information. We will allow data subjects collect their information at the most convenient office of their choice. In exceptional circumstances information may be released to a data subject via secure email or registered post where staff have verified the data subjects identity and the validity of the corresponding address.
  8. Staff should notify the DPO when the information has been collected by the data subject.