Data Protection Information Notice for the COVID-19 Passenger Locator Form
From Department of Health
Published on
Last updated on
From Department of Health
Published on
Last updated on
From Sunday 6 March 2022, travellers to Ireland are no longer asked to complete a COVID-19 Passenger Locator Form.
Travel carriers will not ask to check a PLF receipt prior to boarding.
All data previously collected via the COVID-19 Passenger Locator Form will be destroyed 28 days following submission.
The purpose of this privacy information notice is to explain the purpose of the COVID-19 Passenger Locator Form (the “PLF”), what data was collected for passengers arriving in Ireland, who has access to that data, and the purposes for which the data was used. This notice also provides you with information about your data protection rights under data protection law, including under the EU General Data Protection Regulation (EU Regulation 679/2016) (‘the GDPR’).
On 30 January 2020, the World Health Organisation declared that the outbreak of COVID-19 (novel coronavirus) originating in Wuhan, China, meets the criteria for a Public Health Emergency of International Concern (PHEIC) in accordance with the provisions of the International Health Regulations (2005). Since then, the Government of Ireland has implemented measures to limit the spread of COVID-19 to the greatest extent possible having regard to the immediate, exceptional and manifest risk posed to human life and public health by the spread of the disease. This includes several measures relating to international travel.
The PLF was introduced by Regulations made under the Health Act 1947. Under these Regulations passengers arriving in Ireland on or after Wednesday 26 August 2020, other than those who are exempt, had to fill in an electronic PLF before departure.
The electronic PLF had the following functions:
The following passengers were exempt from completing a PLF:
The role of the Department of Health (‘the department’) is to serve the public and support the Minister for Health, Ministers of State and the government. The department’s mission is to improve the health and wellbeing of people in Ireland by:
The Department of Health has responsibility for the development of legislation underpinning the electronic PLF system, the Regulations that give it effect and for determining the purposes and means of the processing of personal data under the Regulations. This arises because the department is responsible for the development of public health policy and public health messaging in the context of the global pandemic caused by COVID-19.
The department was also responsible for ensuring that an appropriate data governance framework was in place in respect of the personal information provided on the electronic PLF, including appropriate data protection agreements between relevant parties. The department, therefore, entered into data processing agreements with the Health Service Executive, the Border Management Unit of the Department of Justice and An Garda Síochána.
As described below, the Department of Health is the data controller for the PLF.
The PLF was underpinned by S.I. No. 45/2021 - Health Act 1947 (Section 31A - Temporary Requirements) (Covid-19 Passenger Locator Form) Regulations 2021. The relevant Regulation is published at http://www.irishstatutebook.ie/eli/2021/si/45/made/en/print.
The basis for the Regulations in primary legislation was section 31A (inserted by section 10 of the Health (Preservation and Protection and other Emergency Measures in the Public Interest) Act 2020 (No. 1 of 2020) of the Health Act 1947. The legislation is published at http://www.irishstatutebook.ie/eli/acts.html.
The Department of Health is designated as the data controller in relation to personal data processed for the purposes of the PLF Regulations and has put in place data processing agreements with relevant persons processing personal data under the Regulations. The Department of Health is therefore responsible for your personal data and has determined its responsibilities for compliance with obligations under data protection laws.
While the processing of personal data collected from the PLF is carried on by other organisations, the department, as the data controller, is the primary contact in respect of exercising your rights under data protection law. Contact details for exercising your rights in respect of data protection law are below.
The Department of Health is committed to adhering to the following principles of data protection:
Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identified or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
When considering what data would be used, purpose limitation and data minimisation principles were applied, and the processes was reviewed on an ongoing basis to assess whether all the collected information is required in order to meet the purposes set down in the Regulations.
The following personal data was collected through the PLF:
Personal data, which may include, but is not limited to the following:
Travel information was also collected:
Exemptions from COVID-19 public health regulations are as above.
Special Categories of Personal Data, which may include, but is not limited to the following:
Proof of vaccination against COVID-19:
Proof of relevant test COVID-19 result:
Proof of recovery from COVID-19:
Exemptions from COVID-19 public health regulations:
The personal data for the PLF was collected directly from individual members of the public who are passengers arriving in Ireland on or after Wednesday 26 August 2020, other than those who are exempt. Each of those passengers are required by the Regulations to complete a form, in electronic format, before arrival.
This personal data captured on the electronic PLF was uploaded to a database maintained by the HSE.
The information you provide may be used to contact you in the 14 days after you arrive in Ireland to verify the details given on the form and to provide you with public health advice. It may also be used for the purposes of contact tracing in relation to confirmed or suspected cases of COVID-19.
Personal data on the form may also be used for enforcement of the Regulations. The Regulations provide for offences which include failure to complete a form, providing false or misleading information, failure to update the information if it changes and failing to give to an officer who requests it, information required to verify the details on the form. An Garda Síochána are tasked with enforcement of the Regulations, and will investigate cases which are referred to them.
The organisations involved in processing the data provided on the PLF as per the data protection governance framework outlined earlier in this document are based in Ireland, and the processing agreements stipulate that personal information from the PLF will be processed within the European Economic Area (EEA) only.
The electronic data collected from the PLF will be anonymised or permanently deleted no later than 28 days after you arrive in Ireland.
However, if a case is referred to An Garda Síochána for enforcement in line with the Regulations, your data will be retained for as long as is necessary.
You have certain rights available to you in relation to personal data held by the department. However not all rights listed are applicable in every circumstance. These rights are outlined below and can be exercised by contacting the Data Protection Officer, as detailed below, indicating which right(s) you wish to exercise.
To obtain a copy of your personal data held by the Department of Health, please complete a Subject Access Request Form. The completed form, along with some photographic identification (passport/driver’s licence) should be returned to the address below:
The information requested will be provided within one month of the date of receipt of the request by the department.
There are a small number of circumstances in which the right to access personal data may be limited. For example, data subjects do not have a right to see communications between the department and its legal advisers where it would be subject to legal privilege in court. The right of access to information relating to other people is also curtailed.
You have the right, if you are unhappy with how we have delivered on our obligations, to make a complaint at any time to the Data Protection Commission. You can contact the Commission at:
This Privacy Statement may change from time to time. If we make any changes, we will post those changes here.