Unauthorised disclosure of mobile phone e-billing records, containing personal data, by a telecommunications company, to the data subject’s former employer (Applicable law: Data Protection Acts 1988 and 2003)
The complainant, during a previous employment, asked the telecommunications company to link her personal mobile phone number to her (then) employer’s account. This enabled the complainant to avail of a discount associated with her (then) employer. While this step resulted in the name on the complainant’s account changing to that of her (then) employer, the complainant’s home address remained associated with the account and the complainant remained responsible for payment of any bills. Following termination of the employment relationship, the complainant contacted the telecommunications company to ask that it (i) restrict her former employer’s access to her mobile phone records; and (ii) separate the account from that of her former employer. Following this request, an account manager took a number of steps in the mistaken belief that this would result in the separation of the complainant’s account from that of her former employer. The complainant, however, became aware that, subsequent to her request, her former employer continued to access her account records. On foot of further inquiries from the complainant, the telecommunications company discovered its error and the complainant’s account was eventually separated from that of her former employer.
The complainant subsequently submitted a complaint to the telecommunications company. Having investigated the complaint, the company informed the complainant that it did not have a record of the original account restriction request. In the circumstances, the complainant referred a complaint to this office.
During our investigation, the telecommunications company acknowledged that the initial action taken by its account manager was insufficient as it did not separate the complainant’s account from that of her former employer and neither did it prevent her former employer from accessing her e-billing records. The company further acknowledged that its records were incomplete when it investigated the complainant’s complaint. It confirmed, in this regard, that it had since located the complainant’s initial restriction/separation request.
The issues for determination, therefore, were whether the telecommunications company, as data controller:
- implemented appropriate security measures, having regard to Sections 2(1)(d) and 2C(1) of the Acts, in order to protect the complainant’s personal data against unauthorised access by, and disclosure to, a third party (i.e. the complainant’s former employer); and
- kept the complainant’s data accurate, complete and up to date, as required by Section 2(1)(b) of the Acts.
This office found that the telecommunications company did not implement appropriate security measures to protect the complainant’s personal data from unauthorised access by, and disclosure to, her former employer. This was self-evident from the fact that the complainant’s former employer continued to access her e-billing records despite the initial actions taken by the telecommunications company.
This office further noted the obligation, set out in Section 2C(2) of the Acts, for a data controller to “… take all reasonable steps to ensure that — (a) persons employed by him or her … are aware of and comply with the relevant security measures aforesaid …”. This office found that the telecommunications company had not complied with its obligations in this regard. Again, this was self-evident from the fact that the account manager who initially actioned the complainant’s request was operating on the mistaken belief that the actions taken were sufficient to achieve separation of the complainant’s account from that of her former employer.
This office also considered the fact that, at the time when the complainant referred her complaint to the telecommunications company, the company could not locate her initial account restriction request. The result of this was that the outcome of the company’s own investigation into the individual’s complaint was incorrect. Accordingly, and notwithstanding the subsequent rectification of the position, this office found that the telecommunications company failed to comply with its obligations under Section 2(1)(b) of the Acts in circumstances where the complainant’s records, at the relevant time, were inaccurate, incomplete and not up to date.