Data Protection Commissioner

News Release - 10 June, 2002

Privacy Rights must not be Taken for Granted, says Data Protection Commissioner

Annual Report for 2001 published

"The privacy rights of citizens and consumers cannot be taken for granted", said Data Protection Commissioner, Mr Joe Meade, today at the launch of his 2001 Annual Report. Mr Meade issued a stern note of warning in response to a number of investigations which he carried out in 2001 into some of Ireland's largest companies – including Ryanair, MBNA, and prominent legal firms. "I intend to use my full powers against any organisations which abuse people's trust and which invade their privacy", said Mr Meade at the launch.

CASE STUDIES
The Commissioner's Report gives details of his investigations into complaints made by individuals, who were concerned about the use of computer files. Among the issues tackled by the Data Protection Commissioner were the following:

  • MBNA Bank: A number of individuals were unhappy about receiving unwanted telephone calls at home from this major credit card company. Some individuals continued to receive mailings, despite repeated requests for this to stop. The Data Protection Commissioner tackled this matter with MBNA, which has since improved its practices. [see p30 of Report]
  • Eircom – Arising from the MBNA investigation, the Data Protection Commissioner discovered that direct marketers had been availing of a 'super-database', made up of the electoral register, to which phone numbers had been automatically "teleappended" by Eircom. The Commissioner put a stop to this practice, which was not supported by the informed consent of telephone subscribers. [see p31 of Report]
  • Ryanair – the Data Protection Commissioner investigated a complaint about abuse of credit card details by Ryanair. This complaint was not upheld. The Commissioner also investigated an incident in which Ryanair publicly disclosed details of named passengers on the national airwaves. The Commissioner emphasised that companies "must treat customer details as being confidential". [see p33 of Report]
  • Bank and insurance company – a "cross-marketing" scheme involving the advertising of a bank credit card, under the brand of the insurance company, was criticised by the Data Protection Commissioner as lacking in transparency and openness. The Commissioner said that any such 'cross-marketing' arrangements "should indicate with suitable prominence the real identity of the companies involved." [see p22 of Report]
  • Legal firm – The Commissioner had to use his full legal powers to force a solicitors' firm to provide information needed in investigating a complaint. The Commissioner expressed concern that he had to have recourse to his legal powers due to lack of cooperation from a member of the legal profession. [see pp 31-32 of Report]
  • Legal firm – the Commissioner's staff conducted an on-site inspection of the computer equipment of a [different] legal firm, in order to search for data about a complainant. The firm in this case was cooperative. While the search revealed the existence of personal data relating to the individual, the complaint against the legal firm was not upheld. [see pp 35-36 of Report]
  • Credit card details – a firm was found to have broken data protection law by holding onto a person's credit card details, and using these details to charge for a later service, which was in dispute. The Commissioner held that "credit card details obtained for a particular transaction cannot be used subsequently for another transaction without express consent". [see p28 of Report]
  • Concern – The charity was found to have broken data protection law – albeit inadvertently – by allowing its donor database to be used for direct marketing by a financial institution. [see p24 of Report]
  • Victim Support – the Data Protection Commissioner clarified that details about victims cannot routinely be transferred by An Garda Síochána to the Victim Support organisation, unless the victim's consent has first been obtained. However, formal written consent was not necessary. [see p34 of Report]

Codes of Practice

The Data Protection Commissioner urged representative bodies – including the medical sector and direct marketers – to devise "codes of practice" to ensure that privacy rights are respected in particular sectors. [p.38 of Report]

The Commissioner made recommendations regarding Codes of Practice for the Health sector. "A code of practice can facilitate, rather than hinder, effective health-care", said the Commissioner, "in line with the principle that patient information should flow in parallel with patient treatment." He emphasised that confidentiality and security of patient data should be coupled with information and consent so that patients can exercise appropriate control over how their details are used. [pp. 41-44 of Report]

Post-September 11th situation

The Data Protection Commissioner emphasised that, in taking measures to combat terrorism, the fundamental human rights of individuals should not be displaced, and that any measures taken should be of a balanced and proportionate nature. The Commissioner said that "privacy is one of the fundamental values that form the basis of democratic societies – the very values and the very societies that terrorists seek to destroy – and accordingly such values should be prized and preserved all the more vigorously, even in such trying times." [page 16 of Report.]

Employee Data

The Annual Report outlines European guidelines on how to strike an appropriate balance between worker privacy, on the one hand, and the rights of employers, on the other hand. The European guidelines make clear that, while legitimate business interests must be protected, "no business interest may ever prevail over the principles of transparency, lawful processing, legitimisation, proportionality, necessity and others contained in data protection laws." [p 15 of Report]


Concerns about the Legal Profession

The Data Protection Commissioner expressed his concern that the number of legal professionals and legal firms registered with his Office is so low. Registration is a legal requirement for any organisation holding sensitive types of computer data, such as data about health, ethnic origin and criminal convictions. "I think it is to be expected, in the modern legal environment, that many legal professionals will have extensive day-to-day involvement with matters of a sensitive nature relating to the health, criminal convictions and ethnic background of their clients; and, indeed, that such matters will be recorded and processed on computer to some degree," the Commissioner said. He therefore found it "difficult to understand" why the registration levels were so low. While he had raised the matter with the Law Society and the Bar Council, he indicated that he will take more proactive steps in the year ahead to ensure that legal professionals are complying with their legal obligations.

Enquiries and Complaints

The Data Protection Commissioner noted that the number of enquiries with his Office dropped slightly from over 3,100 in 2000 to about 2,900 in 2001. He attributed this slight drop to the increased reliance on the official Data Protection website, www.dataprivacy.ie, which recorded approximately 17,000 'hits' during the year. While most queries were of a general nature, the most common specific queries related to the right to access personal data; the credit reference system; and direct marketing. The Commissioner noted that the complexity of enquiries was increasing, as individuals became more concerned with their privacy rights, and as responsible organisations became more conscious of their data protection obligations. [see page 10 of Report]

The number of formal complaints in 2001 rose significantly to 233, compared with 131 in 2000 – an increase of 78%. In 2001, most complaints involved organisations in central and local government (38%); other complaints related to the direct marketing sector (18%); public services (12%); financial services (7%); telecommunications and IT sector (9%); and the health and medical sector (4%); with the balance of 17% being made up of the broad range of commercial and non-commercial data controllers. The Commissioner indicated that 35% of complaints were upheld, 33% were not upheld, and 32% were resolved informally. [see page 11 of Report]

[Note: The Annual Report is available for download in PDF version from the Data Protection Commissioner's]

Media Queries:
Mr Ronnie Downes
Asst Commissioner
Telephone (01) 874 8544
Fax: (01) 874 5405
e-mail: rdownes@dataprivacy.irlgov.ie





