CASE STUDY 7/01
Ryanair – on-line booking – delayed credit card charge – whether charge activated upon a subsequent transaction – question of disclosure of passenger data
The data protection issue which arose was whether the credit card data, obtained for the second booking, had been ‘obtained and processed fairly’ by Ryanair, as required under section 2(1)(a) of the Act. On the face of it, there was a clear suggestion that the information obtained on the second occasion was used for the purpose of a completely separate transaction.
On investigating the matter, the airline company stated that the delay in processing the payment for the first flight was due to a computer error. A batch file containing data relating to the date of the first flight, including the complainant’s data, had not been sent to the bank for processing. This error was discovered some time after the event, whereupon the processing of the original batch file was reactivated. This processing happened to take place around the same time as the complainant made her second flight booking. Accordingly, the fact that both payments appeared together on the complainant’s credit card bill was simply a coincidence. The airline specifically denied that the data obtained on the second occasion had been used to secure payment for the first flight booking.
In order to confirm this version of events, my Office contacted the bank in question. The bank provided detailed confirmation of the airline’s sequence of events and established that problems had arisen with the processing of the transactions on the date of the complainant’s first booking. Accordingly, I was satisfied that the complainant’s concerns about possible misuse were not well-founded, and that there was no evidence of a contravention of the Data Protection Act by Ryanair in this instance.
Disclosure of Passenger Data
Although I did not receive any formal complaints from individuals, I was concerned that Ryanair’s public reference to named passengers appeared to be incompatible with the requirements of data protection law, and accordingly I raised the matter with the airline. Ryanair responded by noting my concerns, and by assuring me that the airline would not in future refer to any named passenger without their prior consent.
While I was prepared to accept these assurances in good faith, I consider it important to emphasise that any organisation holding personal data about its customers must treat these data as being confidential – and certainly must not allow private details to be broadcast over the national airwaves.