CASE STUDY 8/98
Bank account details - disclosure to a person listed as a "disclosee" in the bank's entry in the Register of Data Controllers - Register entry not conclusive as to compliance with data protection principles
A person complained to me that details of his bank account had been disclosed to a close relative by his bank. The bank account details had been posted to the relative. The bank acknowledged that the complainant's bank account data had in fact been addressed (as a result of an administrative error) to the relative. However, the bank pointed out in its defence that it was a registered data controller and that the list of disclosees in its entry in the Register of Data Controllers included "current/past/potential relatives", and that therefore the disclosure was not incompatible with the Register entry.
My investigation confirmed that the bank's Register entry was as described. However, the question for consideration was not solely whether the disclosure was of a kind listed in the Register entry, but also whether such disclosure was compatible with the purpose for which the data were obtained. Section 2(1)(c) of the Act provides inter alia that personal data -
(i) shall be kept only for one or more specified and lawful purposes, [and]
(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes.
Having examined the case, I noted that the primary purpose for which the bank kept the complainant's data was the administration of his account. When obtaining the data, the bank had informed the complainant that his data would be disclosed to certain bodies which were relevant in the context of the administration of his account. However, the individual was not informed that his data were liable to be disclosed to relatives, and it could not reasonably be maintained that disclosure of the complainant's details to his relatives would be necessary for the administration of the account. Accordingly, I decided that the complainant's data had been disclosed in contravention of section 2 of the Act, and I upheld the complaint.
I would remind data controllers that the inclusion of details in the Register entry is only one aspect of compliance by a data controller with the basic principles of data protection, including the requirement to obtain and use data fairly, and not to disclose such data to other persons inappropriately. The purpose of including details in the Register entry is to describe, in a publicly accessible form, the outer limits of what the data controller may do with personal data, not to provide a 'back door' that would allow a data controller to circumvent its basic data protection responsibilities.