CASE STUDY 1/99
mass circulation questionnaire - apparent official nature of the questionnaire - compilation of lifestyle databases - whether data fairly obtained - assistance of United Kingdom data protection authority
I received several complaints from persons who had received a "lifestyle" questionnaire through the post. The questionnaire, which appeared to be for purposes of "national research", sought very detailed information regarding the recipient's hobbies, shopping habits and household finances. The complainants were concerned that the questionnaire, which was a commercial information-gathering exercise, sought to mimic the style of official Government surveys and was at the very least a breach of the spirit of data protection legislation. Concerns were also expressed that the provision for an opt-out from direct marketing was wholly inadequate by virtue of its size and location.
In investigating this complaint, I established that the questionnaire was (a) devised by a United Kingdom direct marketing and market research company which specialised in the compilation of "lifestyle databases", and (b) issued by an Irish company who returned the completed survey forms direct to the UK without "processing" (within the meaning of the Data Protection Act) the information in any way. Such databases, which in the UK contain several millions of records, are built from responses to mass circulation questionnaires. I consulted my United Kingdom counterpart, who advised me that her Office regularly monitors the compilation and use of such large marketing databases. She indicated that discussions are ongoing between her Office and the companies involved, with a view to securing changes in survey forms of this kind so as to make more transparent who is collecting the data, the purposes for which the data will be used and to whom they will be disclosed.
In assessing what action to take in dealing with these complaints, I had regard to section 2(1)(a) of the Data Protection Act, 1988 which provides as follows -
A data controller shall, as respects personal data kept by him, comply with the following provisions: (a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly ....
I have consistently expressed the view to data controllers that I consider fair obtaining to be an active duty, and that it is up to a data controller keeping personal data to make sure that such data have been fairly obtained. A booklet titled "Keeping Personal Information on Computer: Your Responsibilities" is distributed widely to data controllers by my Office. In it, I explain that for a data controller to satisfy the requirements of fair obtaining and purpose specification, he or she must ensure that -
(a) At the time of providing personal information, individuals are made fully aware of:
· the identity of the persons who are collecting it (though this may often be implied)
· to what use it will be put,
· the persons or category of persons to whom it will be disclosed.
(b) Secondary or future uses which might not be obvious to individuals should be brought to their attention at the time of obtaining personal data. Individuals should be given the option of saying whether or not they wish their information to be used in these other ways ... .
These are the ways a data controller achieves transparency and informed consent - the touchstones of fairness in data protection.
On examining the questionnaire and the accompanying documentation, I noted that the covering letter identified the promoter of the survey, whose address was given in full. The documentation also stated that the information supplied would be made available to other companies for the purpose of direct marketing, and that individuals could decline to receive additional offers by ticking a box. The complainants' difficulties (with which I sympathised) derived not so much from what was said in the documentation but from the way in which it was presented. On balance, I decided that the appropriate course of action was to -
· write to the Irish distributor of the questionnaire urging him not to circulate any further surveys of this nature without prior discussion with my Office;
· write to the UK data controller about the complainants' concerns regarding (a) the misleading nature of the questionnaire and (b) the inadequacy of the "opt out" clause; and
· pursue further progress on this general matter in consultation with my UK colleague.
This case well illustrates the very real impact a data controller operating from outside the State may have on Irish data subjects and the issues this gives rise to for both the harmonisation of data protection laws and the common interpretation of data protection principles such as "fair obtaining". It also illustrates the issues which arise both for the investigation of complaints and follow-up action where the data subject is in one jurisdiction and the data controller in another. Many of these questions are as yet unresolved though it can be expected that solutions will be found through the workings of the Article 29 Working Party referred to elsewhere in this Report. In the meantime, my advice to data subjects is to simply ignore lifestyle questionnaires of the kind described if they have the slightest doubt as to their provenance or the purposes for which they are really issued.
» Permanent Link