I received several complaints from persons who had received a "lifestyle" questionnaire through the post. The questionnaire, which appeared to be for purposes of "national research", sought very detailed information regarding the recipient's hobbies, shopping habits and household finances. The complainants were concerned that the questionnaire, which was a commercial information-gathering exercise, sought to mimic the style of official Government surveys and was at the very least a breach of the spirit of data protection legislation.
The complainant was a long-standing customer of a particular life insurance company. One of the company's representatives, who had in the past been dealing with the customer's affairs, left the company to join a different company in the same line of business.
He received a letter from the motor distributor advising him of a technical fault and offering to repair the fault for him. The letter indicated that the distributor was able to contact him directly through the co-operation of the Vehicle Registration Unit (VRU) of the Department of the Environment and Local Government.
The complainant had dealings with a State agency. He made an access request under section 4 of the Data Protection Act to be provided with a copy of all data held by the agency relating to him. The agency responded by providing him with some records.
A small number of voluntary organisations were authorised by a State body to assist in the administration of an official scheme. The scheme was designed to benefit a certain category of individuals, many of whom would be represented by the voluntary organisations. Applications for participation in the scheme were made through the voluntary organisations, and in this context applicants were asked to supply their Revenue and Social Insurance (RSI) number.
The complainants in this case were refused a loan from two financial institutions. They made an access request under the Data Protection Act to a credit bureau to see their credit records. The records indicated that they had in the past taken out three loans with a third financial institution ("Institution A").
The two complaints in this case study arose from the actions of a hospital and a debt collection company. The first complainant, an elderly man, attended the hospital on a number of occasions for medical treatment. The hospital subsequently sent him a bill for the treatment. He paid some of the outstanding amount, but he did not pay the full amount straight away. After a period, he was contacted at home on his unlisted telephone number by a debt collection service. The debt collection service said it was acting to recover the hospital's money.
A telecommunications company transferred the database of its telephone subscribers to a subsidiary company, which was tasked with arranging for publication of a telephone directory. The subsidiary published the directory in paper format and also in electronic format as a CD-ROM and, later, published the electronic directory on the Internet as well. Several individuals complained about the data protection implications of the electronic publication of the telephone directory.
A Government Department issued a request for tenders in connection with the administration of an official scheme. Included with the documentation issued by the Department was an extract from an administration database, giving a list of names of individuals who had benefited from the scheme, the county where each individual lived, and the amounts of money received by each individual. One of the persons who received the documentation was concerned about the data protection implications involved, and brought the matter to my attention for investigation. As this person was not an individual directly affected by the apparent disclosure of personal data by the data controller, I was not obliged to investigate the matter as provided for under section 10(1)(b)(i) of the Data Protection Act.
A number of individuals from a voluntary organisation ("V") contacted my Office to complain that another organisation ("S") was using V's database without authorisation. The database included names, addresses and highly sensitive personal information. The complainants, who were all data subjects on the database in question, requested that I immediately stop the allegedly unauthorised use of the data. ,