Case number: OIC-128047-Q5H0N3
2 December 2022
In a request dated 28 April 2022, the applicant sought access a range of information concerning vehicle collisions for the years 2017-2021 under 15 specified data fields. On 24 May 2022, the RSA refused the request under section 15(1)(a) of the Act on the ground that the records sought do not exist.
On 27 May 2022, the applicant sought clarification of which data fields were not available, following which the RSA provided the applicant with a table of the fields that did not exist. It added that it was in the process of reviewing its data sharing policies and procedures and that, under the terms of the General Data Protection Regulation (GDPR), it was not in a position to share the data fields that do currently exist. The Applicant again contacted the RSA and said that the list of fields requested was based off its collisions map that included vehicle type and the number of people with injuries. He asked if there was a reason those fields were no longer available and if that data would be held by another group. He asked if the RSA had a full list of fields that relate to incident level collisions on the basis that such a list would help to ensure the request was asking for available fields only. In response, the RSA said that as part of the review process previously outlined, it had to remove the map of collisions from its website and that this data would not be held by another organisation.
The applicant sought an internal review of the RSA’s decision on 20 June 2022. On 9 August 2022, the RSA affirmed its refusal of the request under section 15(1)(a), as “the micro data requested do not exist as a record”. On 9 September 2022, the applicant applied to this Office for a review of the RSA’s decision. In his application for review, he said collision level data had been viewable publically on the RSA’s website through a collision map as recently as 2020. He argued that the RSA was withholding data that it previously made publicly available, without giving a valid reason under the Act.
I have now completed my review in accordance with section 22(2) of the FOI Act. In carrying out my review, I have had regard to the applicant’s comments in his application for review and to the submissions made by, and correspondence with, the RSA on the matter. I have decided to conclude this review by way of a formal, binding decision.
This review is concerned solely with whether the RSA was justified in its decision to refuse access, under section 15(1)(a) of the Act, to a range of information concerning vehicle collisions for the years 2017-2021 under 15 specified data fields, on the ground that the records sought do not exist.
Before considering the substantive issues arising, I wish to make a preliminary comment. In his correspondence with this Office, the applicant expressed concerns about the RSA’s handling of previous FOI requests. While I have noted the applicant’s concerns, it is important to note that this review has been conducted under section 22(2) of the Act, which is concerned solely with a review of the decision actually taken on this request.
Section 15(1)(a) of the Act provides for the refusal of a request where the records sought do not exist or cannot be found after all reasonable steps to ascertain their whereabouts have been taken. Our role in a case such as this is to review the decision of the FOI body and to decide whether that decision was justified. This means that I must have regard to the evidence available to the decision maker and the reasoning used by the decision maker in arriving at his/her decision and also must assess the adequacy of the searches conducted by the FOI body in looking for relevant records. The evidence in “search” cases generally consists of the steps actually taken to search for the records along with miscellaneous and other information about the record management practices of the FOI body, insofar as those practices relate to the records in question.
It is important to note that the FOI Act does not require FOI bodies to create records if none exist, apart from a specific requirement, under section 17(4), to extract records or existing information held on electronic devices. Section 17(4) provides that where a request relates to data contained in more than one record held on an electronic device by the FOI body concerned, the body must take reasonable steps to search for and extract the records to which the request relates and where these reasonable steps result in the creation of a new record, that record is, for the purposes of considering whether or not such a new record should be disclosed in response to the request, deemed to have been created on the date of receipt of the request. However, if the body does not hold a record containing the information sought and cannot search for and extract the electronically held records by taking reasonable steps, then that is the end of the matter.
In submissions to this Office, the RSA said it receives a subset of data from the PULSE system of An Garda Síochána, pertaining to road traffic collisions of varying degrees of severity that occur on Irish roads. It said that when reviewing the applicant’s request, the research department performed a search of its system and concluded that the specific dataset being requested could not be provided as many of the data points do not exist as a record. It said that in some cases, the records being sought can be derived from existing data points in the system, but that the research department would need to initiate a project to develop such a dataset for the time frame specified. It said a significant amount of processing would be required to create this new record.
On the matter of the collision map referenced by the applicant, the RSA said it previously published high-level, summary data of road traffic collisions on its website in the form of a map. It said the map did not contain all of the data points requested by the applicant. It added that the map only referred to an earlier time period up to 2016 and although the map was in existence until the third quarter of 2022, it referred only to data up until 2016. It said the data requested by the applicant, from 2017 up to 2021, has never been published in map format. It further added that the map was decommissioned in the third quarter of 2022 because of advice received in relation to the sharing of personal data in the context of the GDPR, and the risk that individuals could potentially be identified from the published data. It said this forms part of a wider process in which the RSA is reviewing its data sharing policies and practices in relation to this data in light of the GDPR.
Following receipt of the RSA’s submissions, this Office sought to clarify if any of the information sought by the applicant was held by the RSA and could be extracted without further processing. In response, the RSA confirmed that certain of the fields identified by the applicant do, in fact, exist and can be extracted without the need for further processing. It argued, however, that those fields could be “personal data” as there is potential for them to be linked or matched indirectly to an identifiable person. The RSA also provided an indicative sample of records extracted from the road traffic collision database which contained relevant information, including coordinates, date of occurrence, incident type, collision type, county, the speed limit in the area and if the driver was insured. However, the RSA went on to say it considered the dataset to contain sensitive personal information that it was not in a position to release and that it had, in fact, considered relying on section 37 of the Act, which is concerned with the protection of third party personal information, to refuse the request.
The fact that the RSA has acknowledged that it holds at least some of the information sought is, of itself, sufficient for me to find that it was not justified in refusing the request under section 15(1)(a) as it is apparent that some relevant records do, indeed, exist.
However, having regard to RSA’s concerns about the release of that information, I do not consider it appropriate to simply direct the release of the information. Neither do I propose to consider any other arguments the RSA might wish to raise in support of withholding the information at this stage. It is not a matter for this Office to act as a first instance decision maker in respect of the applicability of section 37 to the records at issue. Accordingly, I consider that the most appropriate course of action is to remit the matter back to the RSA to consider afresh the applicant’s request. If the applicant is dissatisfied with the RSA’s fresh decision on those records, he will have a right to apply for an internal review of that decision and ultimately, to apply to this Office for a fresh review if necessary. I appreciate that this results in further delays for the applicant but I am simply not in a position to direct the release of the records without having regard to the arguments concerning the privacy rights of third parties. If the applicant deems it necessary to apply of this Office for a further review following the RSA’s fresh consideration of the request, the review will be prioritised.
Finally, while I make no finding on the applicability of section 37 to the records sought, I would, however, draw the attention of the RSA to this Office’s position on the interplay between the FOI Act and data protection legislation, a position which has been set out in many previous decisions made by this Office.
Article 86 of the General Data Protection Regulation provides that personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to the Regulation.
Section 44 of the Data Protection Act 2018 provides that, for the purposes of Article 86, personal data contained in a record may be disclosed where a request for access to a record is granted under and in accordance with the FOI Act 2014 pursuant to an FOI request.
Data protection legislation does not prohibit public bodies from processing FOI requests where the records sought contain personal information relating to individuals other than the requester. The FOI Act is entirely independent of data protection legislation and FOI requests for access to records must be processed in accordance with the provisions of the FOI Act. Indeed, the FOI Act provides for the release of personal information of third parties in certain circumstances, including where the public interest in granting the request outweighs, on balance, the public interest in protecting the privacy rights of the individuals concerned. Any concerns a public body has about the release of personal information relating to individuals other than the requester can and should be addressed by considering the applicability of the exemption contained in section 37 to the records at issue.
Having carried out a review under section 22(2) of the FOI Act, I hereby annul the RSA’s decision to refuse access, under section 15(1)(a) of the FOI Act, to a range of information concerning vehicle collisions for the years 2017-2021 under 15 specified data fields, on the ground that the records sought do not exist. I direct the RSA to conduct a fresh decision-making process on the request.
Section 24 of the FOI Act sets out detailed provisions for an appeal to the High Court by a party to a review, or any other person affected by the decision. In summary, such an appeal, normally on a point of law, must be initiated not later than four weeks after notice of the decision was given to the person bringing the appeal.