The Data Protection Commission (the DPC) has recently launched an investigation into the decision by several public and private Irish companies to refuse a request for rectification submitted by an Irish television producer.
The complainant, Ciarán Ó Cofaigh, has filed a complaint with the DPC against the Health Service Executive (the HSE), after being informed that the ‘síneadh fada’ in his name could not be input into the software of a hospital under the administration of the HSE.
Similar complaints have been filed with other Irish private companies and banks.
The complaint has been made pursuant to article 16 of the EU General Data Protection Regulation (the GDPR) which provides data subjects with a right to rectify information about them which they believe is inaccurate or incomplete without undue delay (the right to rectification).
The ‘síneadh fada’ is an acute accent used in the Irish language to elongate a vowel and is not dissimilar to the acute accent “é” in French which shares the same symbol and achieves a similar objective (namely an “ay” rather than “ee” sound). Its inclusion and/or omission can materially affect the pronunciation and the meaning of a word e.g. Seán (name) and sean (the Irish word for old).
The argument advanced by Mr Ó Cofaigh, is that the síneadh fada is not an optional extra rather a central and functional element of his personal data (namely his name and address) and that his name without the ‘síneadh fada’ is not his name.
Accordingly, Mr Ó Cofaigh has argued that failure to spell his name with the ‘síneadh fada’ constitutes an inaccurate recording of data.
Graham Doyle, a spokesperson for the DPC, has confirmed that the office intends to consult with other European regulators and the Irish Language Commissioner to ascertain the status of the ‘síneadh fada’ under Irish law.
This issue was recently brought into focus when the National Transport Authority was criticised for failing to spell the names of Leap Card users with the ‘síneadh fada’ due to technical limitations of the software.
A decision is yet to be reached by the DPC on this matter, however, if the complaint is upheld, this could have significant implications for both public and private companies that process large amounts or personal data in the Irish language and indeed in foreign languages that use accents (e.g. circumflexes, accent graves and umlauts). It is possible that these organisations may be requested to update their software to ensure accents such as the ‘síneadh fada’ can be inputted and that names that are not in the English language are capable of being accurately recorded. However, the costs and time involved in upgrading the software would likely be significant.
This complaint raises interesting questions regarding the scope and application of the right to rectification, which in practice is not exercised as frequently as other data subject rights (e.g. access and erasure) but is an important right to which companies should have regard. While it is possible to update systems and put in place security measures to protect against personal data breaches and to facilitate data subject request compliance, this serves as a reminder that it is critical at the point of collection (whether automated or manual) to ensure, to the greatest extent possible, accurate and complete recording of personal data.
Consideration should also be given, in the procurement process, as to whether new systems could potentially place an organisation in breach of the principle of ‘accuracy’ under article 5 (1) (f) of the GDPR.
In any event, in the context of a name, which is fundamental to an individual’s personal identity and individuality, every effort should be made to record all characteristics which may influence the name’s pronunciation and meaning.
To visit William Fry’s dedicated webpage to GDPR as Gaeilge, click here.
Contributed by: Anna Ní Uiginn
Follow us @WilliamFryLaw