CASE STUDY 8/96
Disclosure of an address list to a charity
A caller from a charity rang to say that a well-wisher was offering them a list of names and addresses on computer, which the charity could use for fund raising. This sounded like a good idea, but the charity sought the advice of my Office before accepting the offer. I advised that a well-intentioned, but ill-informed, gesture such as this could actually lead to a serious contravention of the Act, multiple complaints to my Office, an investigation and a lot of ill will towards the charity.
The data protection principles to be considered were fair obtaining (section 2 (1) (a)) on the part of the charity, and compatible disclosure (section 2 (1) (c) (ii)) on the part of the person offering the list of names and addresses. My Office explained that it is not permissible to disclose personal data for a purpose which was not made clear to the person concerned before the data were collected, without first securing that person’s consent. So the donor of the data would have needed the consent of those on the address list to disclose their details to that particular charity for fund raising. A more general consent for disclosure to any charity for any charitable purpose would of course be sufficient, if it existed.
Alternatively, the donor might judge that the disclosure to the charity for fund raising was compatible with the purpose for which the data were kept. However, the charity would need to be satisfied that it agreed with this judgement, as I would have to examine whether the judgement was well founded if I received a complaint. I tend to take a restrictive view of the meaning of the word compatible, or more precisely the phrase "the data shall not be used in any manner incompatible with that purpose or those purposes" (section 2 (1) (c) (ii)). It seems to me that the strength or weakness of the privacy protection afforded by the Act largely stands or falls on the interpretation of this phrase. In the absence of any statutory guidance on the matter, or interpretation by Irish Courts, I am guided by the interpretation given by a United States court to the word "compatibility" in the US Privacy Act. In Britt v. Naval Investigative Service, the Third Circuit, District of Columbia held that "compatibility" required a "concrete relationship or similarity, some meaningful degree of convergence, between the disclosing agency’s purpose in gathering the information and its disclosure".
This case illustrates a query that is frequently raised: surely the data protection principles can be relaxed in the case of a patently good cause. However, the legislation does not include a general good cause or public interest exemption. On the contrary, section 8 sets out very specific exemptions from the restrictions on disclosure provided for in the Act.
» Permanent Link