Data Protection Commission
 
Protecting your personal privacy in the information age

The following is a list of case studies, by year, as featured in Annual Reports published by this Office. These case studies provide an insight into some of the issues that this Office investigates on a day to day basis. For ease of reference, some of the case studies have been indexed by categories below.

 

Case Studies - By Year

 2009  2008  2007  2006  2005
 2004  2003  2002  2001 2000
  1999  1998  1997  1996  

 

Case Studies - By Category

Right of Access

Disclosure

 CCTV

 Fair Obtaining

 Further Processing

 Minors

 Medical Data

 Accurate & Up To Date

 Security Of Data

 Direct Marketing - Email

 Direct Marketing - Postal

 Direct Marketing - SMS

 Direct Marketing - Telephone

 Direct Marketing - Fax

 Enforcement

 Registration

 Retention

Right of Rectification / Deletion

 PPSN

Legal Privilege Exemption

 Excessive Information

 

 

 

 


Right of Access

 

Case study 6 of 2008 : Total Fitness Ireland and legal powers used to ensure compliance with an access request

Case study 9 of 2008 : An access request and a successful claim of legal privilege by a Data Controller

Case study 21 of 2008 : Access is wrongly denied in respect of an accident report

Case study 2 of 2007 : Data Controller breaches several provisions in its processing of Sensitive Personal Data

Case study 8 of 2007 : Failure to finalise a complaint against Money Corp Limited

Case study 13 of 2007 : Dairygold - failure to comply in full with an access request

Case study 9 of 2006 : An Garda Síochána  - Failure to respond to an access request on time

Case study 10 of 2006 : Caredoc - failure to comply with an access request & appeal of an enforcement notice

Case study 11 of 2006 : Barcode / Westwood Club - failure to comply with an access request for CCTV footage

 

Disclosure

Case Study 1 of 2009: Disclosure of personal data due to inappropriate security measures

Case Study 3 of 2009: Disclosure of personal details by a local authority on its website

Case Study 12 of 2009: Paternity test result sent to wrong address

Case Study 13 of 2009: Use of postcards to communicate with customers regarding overdue account

Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts

Case study 2 of 2008 : Disclosure of email addresses by a financial institution

Case study 14 of 2008 : Credit Union commits several breaches by failing to update a member's address record

Case study 15 of 2008 : Tesco - resale of an Apple iPod containing a customer's personal data

Case study 19 of 2008 : Personal data is disclosed in a letter

Case study 2 of 2007 : Data Controller breaches several provisions in its processing of sensitive personal data

Case study 7 of 2007 : Aer Lingus - disclosure of employee information

Case study 14 of 2006 : School Archiving Project - disclosure of personal data

Case study 4 of 2005 : Complaint by a school manager about disclosure to parents of his personal data contained in a school inspection report

 

CCTV

Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes

Case study 3 of 2007 : Inappropriate use of CCTV footage by West Wood Club

Case study 6 of 2007 : Data Controller breaches data protection law in regard to use of covert CCTV footage

Case study 11 of 2006 : Barcode/Westwood Club: Failure to comply with an access request for CCTV footage

Case study 8 of 2005 :  CCTV cameras on the Luas line

 

Fair Obtaining

Case Study 7 of 2009: Recruitment companies sharing CVs

Case Study 14 of 2009:  Employer breaches Acts by covert surveillance using a private investigator

Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts

Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes

Case study 6 of 2007 : Data Controller breaches data protection law in regard to use of covert CCTV footage

Case study 6 of 2006 : News of the World: Limits of the Media Exemption  

Case study 2 of 2003 : PMI Ltd mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent

Case study 1 of 2001 : Bank and insurance company – cross-marketing of a third-party product – incompatible use and disclosure – fair obtaining and processing – small print and transparency

Case study 4 of 2001 : Credit card transaction – use of details from a previous transaction without consent – fair obtaining – transparency - retention period

Case study 2 of 2000 : Department of Education & Science – use of trade union membership subscription data to withhold pay – fair obtaining and processing – specified purpose – compatible use – purpose as described in register entry

 

Further Processing

Case Study 9 of 2009: Further processing personal data without consent

Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts

Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes 

Case study 2 of 2007 :  Data Controller breaches several provisions in its processing of Sensitive Personal Data

Case study 3 of 2007 :  Inappropriate use of CCTV footage by West Wood Club 

Case study 4 of 2004 :  The Bar Council's In-house Legal Diary and Ashville Media 

Case study 5 of 2004 : Political database and a charity request, "spamming" of constituents and non co-operation from a County Councillor

Case study 1 of 2003 : Drogheda Hospital - investigation into a consultant’s practice - patients felt consent was necessary - balance to be struck with concerns for public health issues overall

 


 Minors

Case study 3 of 2008 :  A marketing campaign sets up personalised website addresses and breaches the Acts

Case study 4 of 2008 :  Interactive Voice Technologies and unsolicited text messages

Case study 6 of 2006 : News of the World - Limits of the Media Exemption

Case study 10 of 2006 : Caredoc - Failure to comply with an access request and appeal of an enforcement notice

Case study 10 of 2004 : Bank of Ireland marketing of 12 and 13 year old school children

Case study 2 of 2003 : PMI Ltd mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent

Case study 6 of 2002 : Women's Mini-Marathon - unauthorised and incompatible disclosure - Internet photographs - informed consent

Case study 10 of 1998 : School web site - personal data relating to children - issue of fair obtaining

Case study 7 of 1997 : Direct mailing to children – complaint by parent – issues of fair obtaining and keeping data longer than necessary

 


Medical Data

Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts

Case study 1 of 2007 : Right of Rectification of Personal Data Held by a Data Controller

Case study 2 of 2007 : Data Controller breaches several provisions in its processing of Sensitive Personal Data

Case study 10 of 2006 : Caredoc: Failure to comply with an access request and appeal of an enforcement notice

Case study 2 of 2005 : Life assurance company and medical reports - access request denied

Case study 9 of 2005 : Disclosure of patient details to the National Treatment Purchase Fund

Case study 1 of 2004 : Employment matters – claim of legal privilege and access to medical data in the workplace

Case study 1 of 2003 : Drogheda Hospital - investigation into a consultant’s practice - patients felt consent was necessary - balance to be struck with concerns for public health issues overall

Case study 4 of 2003 : Access to medical records on a change of general practitioner

 


Accurate & Up To Date

 

Case Study 10 of 2009:  Mobile network operator fails to suppress customer marketing preferences

Case study 14 of 2008 : Credit union commits several breaches by failing to update a member's address record

Case study 18 of 2008 : A civil summons is served on the wrong person

Case study 1 of 2007 : Right of Rectification of Personal Data Held by a Data Controller

Case study 1 of 2000 : An Garda Síochána – subject access request – time limit for response – accuracy of personal data – excessive and irrelevant personal data – date of birth

Case study 6 of 1999 : Financial institution - inaccurate credit rating - rectification - notification of third parties to whom incorrect data had been released

Case study 2 of 1997 : Data about two people combined in one record kept by a credit referencing agency – issue of accuracy

Case study 11 of 1997 : Direct mail for previous householder – decline direct marketing – inaccurate data – repeated promises

Case study 2 of 1996 : A customer disputed his credit rating by a financial institution – issue of accuracy – the rating as understood by the institution

Case study 8 of 1997 : Credit record indicated that borrower had faced litigation and loan had been partly written off – issue of accuracy – previous concerns about fair obtaining revived

 

Security Of Data

Case study 12 of 2008 : Credit unions transmitting personal data via unsecured e-mails

Case study 16 of 2008 : Failure to properly safeguard a staff member’s medical certificate

Case study 10 of 2007 : Member of staff at Revenue accessing and using personal data of a taxpayer

Case study 3 of 2003 : Visa application details accidentally put on website of Department of Justice, Equality and Law Reform

Case study 9 of 2002 : Details of other bank account holders of the same name, supplied in response to access request - inadequate response to customer - security procedures - lack of awareness at branch level of data protection

Case study 3 of 2001 : Employee performance ratings disclosed to other staff – inadequate security

Case study 6 of 2000 : Financial institution – Laser card – printing of home address on receipts – incompatible disclosure – adequate security 

Case study 2 of 1999 : Life insurance company - retention by ex-employee of customer data - unauthorised access - obligation to take appropriate security measures  

Case study 1 of 1998 : Employee data - appropriate security measures - disclosure

 

Direct Marketing - Email

Case study 6 of 2009: Email marketing error causes data protection breach

Case study 8 of 2008 : BuyAsYouFly and a failure to respect opt-outs from direct marketing by email

Case study 17 of 2008 : A web design company is requested to delete a marketing database

Case study 14 of 2007 : Ryanair - Remedial action taken for customers to unsubscribe from marketing

Case study 15 of 2007 : On-line shoppers receive unsolicited marketing from Tesco

Case study 5 of 2004 : Political database and a charity request, "spamming" of constituents and non co-operation from a County Councillor

 


Direct Marketing - Postal

Case study 3 of 2008 : A marketing campaign sets up personalised website addresses and breaches the Acts  

Case study 3 of 2006 : Dell - Persistent direct marketing  

Case study 4 of 2006 : Sky Ireland - Direct marketing by email

Case study 6 of 2005 : Cross marketing of a credit card by a travel agent  

Case study 2 of 2003 : PMI Ltd - mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent    

Case study 7 of 1998 : Unsolicited direct mail from abroad - mutual assistance between parties to the 1981 Council of Europe Convention on Data Protection   

 


Direct Marketing - SMS 

 

Case Study 2 of 2009: Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages

Case Study 5 of 2009: Harvesting of mobile numbers from a website for the sending of marketing text messages

Case Study 11 of 2009: Car dealership breaks the law by sending direct marketing text messages

Case study 4 of 2008 : Interactive Voice Technologies and unsolicited text messages

Case study 5 of 2008 : Unfounded complaint about unsolicited marketing text messages

Case study 7 of 2008 :  Opt-In to subscription service text messages found following investigation  

Case study 5 of 2006 :  Opera Telecom - forced to delete database   

Case study 12 of 2005 : Night club - collection of mobile numbers for marketing purposes  

Case study 5 of 2003 :  Realm Communications - Unsolicited SMS texting and direct marketing  

 


Direct Marketing - Telephone

 

Case study 11 of 2008 : Marketing telephone calls to numbers on the NDD Opt-Out Register

Case study 4 of 2007 : NewTel Communications - Ordered to suspend marketing

Case study 9 of 2007 :  Marketing calls by Eircom - remedial action - amicable resolution    

Case study 1 of 2006  : Talk Talk - Unsolicited direct marketing calls  

Case study 2 of 2006 :  Gaelic Telecom / Global Windows  - Cold calling  

Case study 10 of 2005 : Optic Communications - persistent unsolicited marketing phone calls   

Case study 11 of 2005 :  Prosecution of 4's A Fortune Ltd - unsolicited marketing communications  

Case study 6 of 1997 :  Ex-directory phone number obtained by insurance broker - Information Notice used to establish circumstances   

 


Direct Marketing - Fax

 

Case Study 15 of 2009: Prosecution for sending unsolicited marketing faxes

Case study 20 of 2008 :  Dell and persistent unsolicited marketing faxes   

 

Enforcement

Case Study 2 of 2009: Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages

Case Study 15 of 2009: Prosecution for sending unsolicited marketing faxes

Case Study 16 of 2009: Prosecution of Brasserie Sixty6 for the sending of unsolicited direct marketing text messages

Case study 6 of 2008  :  Total Fitness Ireland and legal powers used to ensure compliance with an access request  

Case study 13 of 2007 :  Dairygold - Failure to comply in full with an Access Request   

Case study 5 of 2006 :   Opera Telecom - Forced to delete database  

Case study 10 of 2006 :  Caredoc - Failure to comply with an access request and appeal of an enforcement notice

Case study 12 of 2006 :  Ashbury Taverns - Failure to comply with an access request 

Case study 5 of 2004 : Political database and a charity request, "spamming" of constituents and non co-operation from a County Councillor  

Case study 5 of 2002 : Telephone company - alleged disclosure of customer call related information at the request of the Gardai - Information Notice issued

Case study 6 of 2001  :  Legal firm - identification of source of personal data - lack of co-operation - issue of enforcement notice  

Case study 6 of 1997  :  Ex-directory phone number obtained by insurance broker - Information Notice used to establish circumstances  

 

Registration  

 

Case study 9 of 2001  :  Legal firm - registration under Section 16 of the Act - on-site examination of computer files   

Case study 2 of 2000  :  Department of Education & Science - use of trade union membership subscription data to withhold pay - fair obtaining and processing - specified purpose - compatible use - purpose as described in register entry  

Case Study 5 of 1999: voluntary organisation - role in administration of an official scheme - collection and use of RSI numbers - failure to register as a data controller

Case Study 2 of 1998: Use of telemarketing company in the management of customer accounts - transfer of data to agent not disclosure - obligation of data processors to register

Case Study 8 of 1998: Bank account details - disclosure to a person listed as a "disclosee" in the bank’s entry in the Register of Data Controllers - Register entry not conclusive as to compliance with data protection principles

 

Retention

Case study 13 of 2008 : Retention of personal data provided online   

Case study 11 of 2007 : Croke Park - Retention of personal data of nearby residents   

Case study 4 of 2001 : Credit Card transaction - use of details from a previous transaction without consent - fair obtaining - transparency - retention period   

Case study 7 of 1999 : Debt collection service - acting on behalf of hospital - whether data had been "disclosed" for purposes of Data Protection Act - whether debt-collecting agency is entitled to build a database of debtors   

Case study 2 of 1999 : Life insurance company - retention by ex-employee of customer data - unauthorised access - obligation to take appropriate security measures  

Case study 13 of 1996 :  Criminal conviction struck out but details remain on Garda records - accuracy and retention of data - policy issues arising   

 

Right of Rectification / Deletion

 

Case study 1 of 2007  :  Right of rectification of personal data held by a Data Controller  

Case study 13 of 2006 : Irish Insurance Federation - complaint about information on central registry   

Case study 8 of 2003  :  Catholic Church baptismal records deletion request not upheld  

Case study 6 of 1999 : Financial institution - inaccurate credit rating - rectification - notification of third parties to whom incorrect data had been released

Case study 2 of 1996  :  A customer disputed his credit rating by a financial institution - issue of accuracy - the rating as understood by the institution  

 

PPSN

 

Case study 5 of 2007  :  Excessive Personal Data on EU Single Payment Scheme application forms 

Case study 7 of 2006  :  Local Authority - Use of PPS Numbers  

Case study 10 of 2002 : Aer Rianta - Inappropriate use of the Personal Public Service Number (PPSN)  

Case study 5 of 1999  :  Voluntary organisation - role in administration of an official scheme - collection and use of RSI numbers - failure to register as a data controller  

 

Legal Privilege Exemption

 

Case study 9 of 2008  :   An access request and a successful claim of legal privilege by a Data Controller  

Case study 21 of 2008  :  Access is wrongly denied in respect of an accident report 

Case study 13 of 2007  :  Dairygold - Failure to comply in full with an Access Request  

Case study 2 of 2005  :  Life assurance company and medical reports - access request denied  

Case study 1 of 2004 :  Employment matters - claim of legal privilege and access to medical data in the workplace 

 

Excessive Information

Case Study 8 of 2009: Excessive data sought on penalty points

Case Study 5 of 2007: Excessive Personal Data on EU Single Payment Scheme Application Forms

Case Study 15 of 2006: Ulster Bank: Excessive information sought from new customers

Case Study 7 of 2005: Complaint against AIB - excessive information sought regarding Savings Account  

Case study 1 of 2001 : Motor Insurance - excessive information - marital status not necessary 

 

 







Office of the Data Protection Commissioner. Canal House, Station Road, Portarlington, Co. Laois, Ireland.
LoCall 1890 25 22 31 - Phone 00353 57 868 4800 - Fax 00353 57 868 4757 - email info@dataprotection.ie