CASE STUDIES 2007
Case Study 1: Right of Rectification of Personal Data Held by a Data Controller
I received a complaint regarding a medical report carried out at the request of the complainant’s employers. The report was a psychological assessment dealing with the complainant’s ability to return to her original workplace after a period of absence on sick leave.
The person concerned had received a copy of the medical report in question from the medical practitioner who carried out the assessment and she considered the contents to be inaccurate. The complainant then requested that the report be rectified to reflect what she considered to be an accurate description of her particular circumstances. However, the data controller, a consultant psychiatrist, reverted to the data subject stating that it was not possible to make the kind of alterations to the independent medical assessment that had been sought.
Under Section 6 of the Data Protection Acts 1988 and 2003, if you discover that information kept about you by a data controller is factually inaccurate or collected unfairly, you have a right to have that information rectified or, in some cases, you may have that information erased. However, this is not an unqualified right and depends on the circumstances of each case. The judgement to be made in such cases is complicated all the more when the matters at issue are medical in nature. If, for example, a data controller - in this case, the medical practitioner - considers that the data is, in fact, accurate and the data subject disagrees, then one possible course in the interest of achieving an amicable resolution is for the data controller to annotate the data to the effect that the data subject believes the data to be inaccurate, for reasons which should be indicated (this solution is explicitly provided for in Section 6(1)(a) of the Acts).
This course of action was followed in this case and, as part of the rectification process, the complainant supplied various annotations to be included in the medical report. Each annotation was accompanied by a detailed explanation. Having examined the annotations and all the information my Office had to hand, including the medical report in question, my Office was of the opinion that the proposed annotations supplemented the medical report without changing the report materially.
My Office communicated its position to both parties and the medical practitioner concerned helpfully supplemented the medical report in question by inserting the requested annotations. This allowed for the complaint to be resolved to the satisfaction of all parties concerned.
This case clearly indicates the value of the right of an individual to seek the rectification or supplementing of personal information relating to them, in accordance with Section 6 of the Data Protection Acts 1988 and 2003. In instances such as the case highlighted above, where the personal information is of a subjective nature, the right to rectification is not always appropriate. In this case the individual concerned was satisfied that the annotations she supplied, when recorded with the report, were sufficient to ensure that anyone reading the report had a balanced view of her circumstances.
Case study 2: Data Controller breaches several provisions in its processing of Sensitive Personal Data
I received a complaint in May 2006 from a data subject regarding the use by her former employer, Baxter Healthcare S.A., of two medical reports relating to her. The data subject had been involved in an industrial accident at work in April 2002 which subsequently resulted in a prolonged absence from the workplace. During this absence, the data subject pursued a personal injuries claim against Baxter Healthcare. As part of this process, at the request of the solicitor acting on behalf of Baxter Healthcare’s insurers, she attended a consultant neurologist on two occasions for medical evaluation in 2003 and 2004. Early in 2005, the data subject became aware that the medical reports compiled as a result of those evaluations were in the possession of Baxter Healthcare. Through her solicitor, the data subject made an access request to Baxter Healthcare for copies of the medical reports. She was advised in writing that, as these reports were obtained in the context of her personal injury proceedings, her access request should be addressed to the solicitors,
My Office conducted a detailed and extensive investigation of this complaint. This focused on two primary data protection issues, namely the use of the medical reports obtained to defend an insurance claim to support the dismissal of the data subject, and the disclosure of those same medical reports at a labour relations hearing. The company’s solicitor stated that the medical reports of the consultant neurologist were obtained for the legitimate purpose of defending personal injury proceedings instituted by the data subject and that the medical reports were also employed and required for the legitimate purpose of defending separate legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. It submitted that Section 2(1)(c)(i) of the Acts specifically envisages that the data may be obtained and used for more than one purpose, provided that both purposes are legitimate. It went on to state that Section 2(1)(c)(ii) of the Acts only prohibits further processing insofar as that processing is incompatible with the original purpose or purposes. It argued that the use of the reports to defend legal proceedings against Baxter Healthcare under the Unfair Dismissals Act could not be said to be incompatible with the original purpose, as the original purpose was to defend legal proceedings instituted by the data subject and the subsequent use was also to defend legal proceedings, albeit separate proceedings, brought by the data subject.
With regard to the second use by Baxter Healthcare of the medical reports in the decision to terminate the data subject’s employment, this was done without the data subject’s consent. The general requirements that must be complied with by a data controller under the Acts in relation to the personal data of a data subject include the following:
and (because sensitive data is involved)
All of these conditions must be met.
With regard to the third use by Baxter Healthcare of the medical reports to defend legal proceedings under the Unfair Dismissals Act, the same considerations arose in relation to the further use of the sensitive personal data at a hearing before a Rights Commissioner in April 2006, with the aggravating factor that the sensitive personal data was further disclosed to those involved in the hearing.
However, I had to consider if the processing of personal data in this case might benefit from the exemption in Section 8(f) of the Acts which provides that: “Any restrictions in this Act on the processing of personal data do not apply if the processing is ...required...for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.”
I formed the opinion that this exemption cannot apply to sensitive personal data which has already been improperly processed to support the decision (dismissal) which was the subject matter of the legal process. I concluded that the use of the medical records to defend the Unfair Dismissals claim constituted a further breach of the Acts.
For completeness, my Decision in this case also found that Baxter had failed to comply fully with an access request made by the data subject.
This case demonstrates the care which data controllers must exercise in the processing of all personal data, including sensitive personal data, in their possession. It is unacceptable for a data controller to seek to take advantage of personal data which may be in its possession and to use it for some purpose unrelated to the purpose for which it was originally obtained.
I received a complaint from a data subject alleging breaches of the Data Protection Acts by inappropriate use of CCTV footage at West Wood Club, Sandymount in Dublin. In her complaint she informed my Office that on 4th March 2006 she visited the West Wood Club as a member to use the steam/sauna rooms and the swimming pool. A customer service issue arose on the day in relation to the cleanliness of the facilities, about which the complainant made a phone call from the steam/sauna rooms. The data subject subsequently wrote a letter of complaint about the matter to the Club, following which she was asked to meet the manager to discuss it. Upon doing so she was presented with CCTV footage which, it was claimed, supported the Club’s view of the customer service issues arising and refuted her claim that she had made a phone call on the issue on the morning in question. In this respect, three CDs of CCTV footage were presented, each of which was claimed to show the data subject engaging in leisure activities within the gym on the morning in question. The footage in fact showed other female members of the gym, not the data subject.
Shortly afterwards the data subject’s membership of the gym was revoked.
The data subject informed my Office that she found it acceptable to be shown CCTV footage to assure her that the sauna/steam rooms had been cleaned but she found it unbelievable that West Wood Club kept and viewed footage to discredit members’ genuine complaints. She felt strongly that the CCTV footage was shown to her to intimidate her and question her good character and was used to say that she was lying.
My Office commenced an investigation and wrote to the Managing Director of West Wood Club expressing our concern at what appeared to be excessive and disproportionate use by West Wood Club of CCTV footage for the purpose of dealing with the data subject’s complaint. A response was received from the solicitors for the Club and an exchange of correspondence subsequently took place between my Office and the solicitors. Among other things, my Office was informed that the only purpose for which CCTV was used in the Club was for security. They also confirmed that members and staff of the Club were aware that their images were being recorded as there were several signs displayed in the Club regarding the operation of CCTV. It was also confirmed to my Office that CCTV footage was automatically erased at the end of each month.
However, the Solicitors contested any suggestions that the Data Protection Acts prohibit data that has been bona fide obtained and temporarily stored for one general purpose from being used in specific circumstances for some other useful purpose that is for the general good. They also stated that the purpose of the CCTV system in operation at West Wood Club was, like most CCTV systems, security and that this included the issues of theft and personal safety and integrity. They contended that this was a health and safety issue, coming under the general heading of security, on the grounds that the data subject made a complaint that the sauna was unhygienic because it had not been cleaned. I disagreed with the data controller’s position on this matter. I accepted that the purpose of ‘security’ may include the issues of theft and personal safety in certain circumstances related to security risk. However, the issues of integrity, health and safety are clearly separate purposes to the purpose of ‘security.’
I had no reason to doubt the version of events given to me by the data subject. I concluded that West Wood Club did indeed set out to refute the data subject’s complaint through the use of CCTV footage which was recorded for a ‘security’ purpose.
I was required to make a Decision on this case under Section 10(1)(b)(ii) of the Acts. I formed the opinion that West Wood Club breached Section 2(1)(c)(ii) of the Acts by the further processing of CCTV footage which was obtained for security purposes in a manner incompatible with that purpose. I found it disturbing that the data subject’s membership of West Wood Club was invalidated following a breach of the Data Protection Acts by West Wood Club. It is unacceptable that an entity against whom a complaint is made would contravene the Data Protection Acts in dealing with the complaint and thereby infringe on the data protection rights of the complainant or others.
CCTV recordings have become an everyday part of our lives. Their usage, and seeming acceptance, for so many different purposes is troubling. In this case, the use of CCTV in the private areas of a sauna/steam room in a gym is questionable in itself from a data protection perspective. To then use the footage captured (notionally for security purposes) in an attempt to discredit a gym member making a customer service complaint is totally unacceptable. In the circumstances I had no hesitation in finding in favour of the complainant.
The marketing activities of the telecommunications company NewTel Communications Ltd came to the attention of my Office in 2006 and again early in 2007. In 2006 an inspection was conducted of its marketing activities and appeared to indicate that it had taken appropriate remedial activity. However, in 2007 we received in a short period a number of complaints regarding marketing calls made by this company. These calls were made to individuals who either had already expressly told the company that they did not wish to be contacted or had exercised their right to have their preference not to be called recorded on the
These marketing calls contravened Regulations 13(4)(a) and 13(4)(b) of SI 535 of 2003 which state that:
“A person shall not use, or cause to be used, any publicly available electronic communications service to make an unsolicited telephone call for the purpose of direct marketing to the line of a subscriber, where
[11] Telephone subscribers can have their preference not to be contacted by direct marketers recorded on the National Directory Database (NDD) by contacting their line provider, who will supply the relevant details to the NDD.
In contacting the Department on this matter, we highlighted that both PPS numbers and dates of birth constitute personal data and are, therefore, subject to the protections set down in the Data Protection Acts, 1988 and 2003. We went on to state that in a situation where the Department sends out forms with personal data pre-printed on them and is aware that the recipients may need the assistance of third parties to complete them, the Department must make every effort to ensure that only the very basic personal details - such as name and address - are pre-printed. We pointed out that the problem with pre-printing other personal data is that it gives the recipient only one choice in terms of safeguarding it - that is, that he/she could blacken it out or otherwise delete it prior to showing it to a third party. We expressed some doubt about whether the Department would welcome the return of completed application forms which were somewhat defaced. Finally, we drew attention to the potential risks to the privacy of an individual where their personal data, such as a PPS number, fell into the hands of a third party.
This case demonstrates how common it is for public bodies or other authorities to fall into the practice of processing categories of personal data even where such data is not needed to administer the scheme or application in question. Greater care must be taken by all concerned to ensure that only the minimum amount of personal data necessary is processed in the administration of schemes run by public bodies. In particular, I strongly advise public bodies which are authorised to use PPS numbers to do so sparingly and with extreme care.
As part of the detailed investigation into this complaint, my Office initially sought the observations of The Gresham Hotel regarding this issue, drawing particular attention to the fair obtaining principle of the Data Protection Acts 1988 & 2003. The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful. Such covert surveillance is normally only permitted on a case by case basis where the data is gathered for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies an actual involvement of An Garda Síochána or an intention to involve An Garda Síochána.
During our investigation, the data subject supplied photographs of electrical type data boxes/sockets that were located in the bar area of the hotel as it was her understanding that the covert cameras were hidden within these boxes. My Office forwarded copies of these photographs to the hotel requesting clarification on the matter. In response it indicated that these electrical type data boxes were telephone connections, microphone connections and internet connections and were never used as a means to record images for CCTV footage.
As part of our investigation, my Office visited the Gresham Hotel for the purpose of viewing the CCTV footage in question and to inspect the area in which the CCTV footage had been recorded. During this inspection, as well as viewing the footage, we were shown two electrical type boxes located just below ceiling level in the bar area and these boxes were identified as having been the location for the covert cameras. The location of the boxes also matched the views of the bar area which could be seen in the CCTV footage. The boxes were marked “1” and “2” and they appeared to be the same as the electrical boxes which appeared in the photographs which were previously supplied by the data subject. This clearly conflicted with the earlier information which the hotel had supplied to my Office as part of its investigation. Following this inspection, my Office was satisfied, on the basis of all of the information which had been compiled during our investigation, that the data protection rights of the data subject had been breached. Covert CCTV cameras had been installed to investigate specific incidents. The data subject was not the subject matter of this investigation. The personal data of the persons captured on the footage was obtained for one purpose - the investigation of specific incidents in the hotel. In the case of this data subject, her personal data was further processed in a manner incompatible with the original purpose. Furthermore, the data subject’s personal data was not processed in accordance with the requirements of ‘fair processing’ as she had not been informed by the data controller, at the time when the data controller first processed her data, of the purpose for which it intended to process her personal data.
Section 2 of the Data Protection Acts, 1988 and 2003 sets out the position in relation to the collection, processing, keeping, use and disclosure of personal data. It provides that data should be obtained and processed fairly, kept for only one or more specified purposes and it should be used and disclosed only in ways compatible with that purpose or those purposes. It also provides that personal data should not be processed by a data controller unless at least one of a number of conditions is met - one of those conditions being the consent of the data subject to the processing.
My Office reminded Aer Lingus of its obligations under Section 2 of the Data Protection Acts with regard to the processing of personal data and it pointed out that the personal data of its staff should not have been disclosed to a third party without the consent of the employees concerned. In the circumstances, my Office sought and obtained confirmation from Aer Lingus that it had now destroyed the mail merge file containing the names and staff numbers which it had forwarded to HSA Ireland. Confirmation was also received from HSA Ireland that it had not retained records of Aer Lingus employee names, addresses, payroll or payslip numbers on any database.
My Office was satisfied by the steps taken by Aer Lingus and HSA Ireland in terms of corrective action. By way of clarification, we pointed out that the key issue from a data protection perspective was that Aer Lingus had facilitated contact from a third party to its employees concerning the availability of a staff welfare scheme while the same information could have been promulgated to those employees without raising any data protection concerns had Aer Lingus sent it directly to its employees instead.
I fully recognise that employers may, from time to time, wish to communicate details of various schemes to their employees. This can easily be achieved without infringing on the data protection rights of employees if the employer supplies the information directly to its employees or by some other means in conformity with the Data Protection Acts. My Office had only in the weeks before these complaints were received conducted an audit of Aer Lingus which had generally found a high level of compliance with data protection requirements. The occasion of the audit could have been used to seek advice from my Office on this issue.
My Office is always available to give advice to data controllers and the public alike in relation to data protection responsibilities and rights.
During our investigation, we received correspondence from a firm of Dublin-based solicitors acting for Money Corp Limited stating that its client had responded to the data subject’s access request in early May 2007. However, the data subject subsequently informed us that some critical documents had not been included in the response he had received to his access request. Accordingly, our investigation continued on the basis that Money Corp appeared to have failed to comply in full with the data subject’s access request. We communicated further with Money Corp’s solicitors regarding the matter of the outstanding documents.
At the end of August 2007, my Office received correspondence from these solicitors in which they stated that their client had furnished the data subject with any documentation held by them. They went on to state that their client’s instructions were that any further documentation that the data subject considered to be outstanding “must have been mislaid during the process of moving offices as they have moved offices three times in the intervening period.” The solicitors concluded their letter by informing my Office that all further correspondence on this matter should be directed to the registered office of Money Corp Limited.
My Office was very concerned at this turn of events and it was particularly cognisant of the fact that the outstanding documents could be of considerable importance to the data subject in relation to proving outstanding financial matters of a very significant nature. Accordingly, in order to investigate the matter further, one of my authorised officers, using the powers conferred by Section 24 of the Data Protection Acts, visited an address in Dun Laoghaire, Co. Dublin at which the company was registered with the Irish Financial Services Regulatory Authority (We had previously found out that the company was not trading at the address at which it was registered with the Companies Registration Office). Despite three separate attempts to gain access to the premises in Dun Laoghaire, the authorised officer failed to gain access or to make contact with any member of staff of Money Corp at the premises. Following this, my Office communicated again with the solicitors for Money Corp to which we subsequently received a reply which stated that “we have been unable to obtain further instructions from our client and we are now closing our file. As a result, we will be no longer representing them in relation to this matter.”
Unfortunately, despite extensive efforts by my Office to make direct contact with Money Corp Limited, we were unable to do so. As our investigation was effectively stymied, we found ourselves in the unsatisfactory situation of being unable to pursue the complaint to finality, despite the best possible use of the powers available to me. In the circumstances, my Office has communicated with the Financial Regulator in relation to the details of this case.
Regulation 13(4) of Statutory Instrument 535 of 2003 prohibits the making of an unsolicited telephone call for marketing purposes to the line of a subscriber where the subscriber has notified the person or company making the marketing call that he/she does not consent to the receipt of such a call on his/her telephone line, or where the subscriber has had his/her telephone number recorded in the NDD opt-out register. It is an offence to make a marketing call which breaches this Regulation.
My Office investigated the complaints and engaged at length with Eircom on the matter. This involved meetings with the company as well as several exchanges of correspondence which eventually led to the following favourable and positive outcome from my perspective:
Overall, I am very pleased with the investigation of these complaints and the steps taken by Eircom in response to my Office’s intervention. The complainants concerned had good reason to complain to my Office about unsolicited marketing telephone calls which have become, in recent years, an all-too-frequent intrusion into the personal lives of individuals in their homes. Eircom identified the failings in its marketing processes and it did what a responsible data controller should do in similar circumstances - it took effective remedial action. In addition, it responded positively to my Office’s efforts to amicably resolve the complaints - the Data Protection Acts make provision for the amicable resolution of complaints in the first instance between the parties concerned - by apologising to the complainants and by making a substantial donation to charity. Furthermore, I am happy to report that since Eircom took the remedial steps outlined above I have received no further complaints of substance regarding its marketing activities.
My Office began an investigation of this complaint by contacting the Revenue Commissioners. We asked that the audit trail of the relevant files of the individuals concerned be examined to determine if they had been accessed by any staff member who did not have a legitimate business reason for doing so.
Following a prolonged examination, the Revenue Commissioners confirmed in June 2007 that it had been ascertained that one of its officers had accessed the records of the data subject and members of her family during the period November 2006 to February 2007, that such access was not part of the officer’s official duties and that it would appear that information gained from this access was passed to third parties unknown. The Revenue Commissioners stated that the matter was being dealt with by its Personnel Branch under the Civil Service Disciplinary Code. It went on to state that it was seriously concerned about any instances of unauthorised access by its staff to taxpayer data held on its computer systems and that appropriate disciplinary action had been taken and would continue to be taken in individual cases.
I regard this case as a very serious matter. A large amount of personal information is entrusted to the Office of the Revenue Commissioners which has a responsibility to ensure that it is kept safe and secure. A minimum standard of security for such information would include, among other things, that access was restricted to authorised staff on a ‘need to know’ basis. In this case, it emerged that the staff member who accessed the information had no legitimate business in doing so. That staff member abused a position of trust and proceeded to access and use personal information unlawfully. I will await with keen interest the outcome of the disciplinary proceedings which the Revenue Commissioners have commenced under the Civil Service Disciplinary Code in connection with this matter.
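The review described in the case above rests on comparing an access audit trail against the list of staff who actually have a business reason to open each record. The following script is an added illustration, not code from the Commissioner’s report or from the Revenue Commissioners; the log format, the case-assignment table and every officer and record identifier in it are constructed for the example. It flags each access not covered by an assignment and summarises them per officer, which is the pattern (one officer, several records, no case) that a reviewer would escalate.

```python
"""Audit-trail review: flag record accesses with no matching case assignment.

Added illustration, not from the Commissioner's report. The log format, the
assignment table and the officer/record identifiers are all constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log lines: timestamp, officer id, taxpayer record id, action.
AUDIT_LOG = """\
2006-11-03T09:12:40 officer_a REC-1001 view
2006-11-03T09:15:02 officer_a REC-1001 print
2006-11-14T16:48:11 officer_b REC-2042 view
2006-11-14T16:49:30 officer_b REC-2043 view
2006-11-14T16:50:05 officer_b REC-2044 view
2007-01-22T11:03:19 officer_b REC-2042 view
2007-02-08T14:27:55 officer_c REC-3310 view
"""

# Constructed case assignments: which officer has an open case on which record.
# An officer absent from the table, or with an empty set, has no business
# reason to open any of the records above.
ASSIGNMENTS = {
    "officer_a": {"REC-1001"},
    "officer_b": set(),
    "officer_c": {"REC-3310"},
}


def parse_audit_log(text):
    """Parse whitespace-separated log lines into event dicts; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, officer, record, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "officer": officer,
            "record": record,
            "action": action,
        })
    return events


def unassigned_accesses(events, assignments):
    """Return every event whose officer holds no assignment covering the record."""
    return [e for e in events
            if e["record"] not in assignments.get(e["officer"], set())]


def summarise_by_officer(flagged):
    """Group flagged events per officer: distinct records, first and last access.

    Several distinct records opened by one officer with no case is the
    pattern worth handing to a human reviewer.
    """
    by_officer = defaultdict(list)
    for e in flagged:
        by_officer[e["officer"]].append(e)
    summary = {}
    for officer, evs in by_officer.items():
        times = sorted(e["ts"] for e in evs)
        summary[officer] = {
            "records": sorted({e["record"] for e in evs}),
            "first": times[0].date().isoformat(),
            "last": times[-1].date().isoformat(),
            "count": len(evs),
        }
    return summary


def review(log_text=AUDIT_LOG, assignments=ASSIGNMENTS):
    """Full pipeline: parse the log, flag uncovered accesses, summarise per officer."""
    return summarise_by_officer(
        unassigned_accesses(parse_audit_log(log_text), assignments))


if __name__ == "__main__":
    for officer, info in review().items():
        print(f"{officer}: {info['count']} unassigned accesses to "
              f"{len(info['records'])} records between "
              f"{info['first']} and {info['last']}")
```

The check is deliberately simple: the assignment table is the authoritative statement of need-to-know, and anything outside it is flagged for a person to examine, rather than the script trying to guess at legitimate reasons. In a real system the table would be drawn from case-management data and the log from the application’s own audit facility.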
The complaint came about as a result of a letter which the Stadium Director at Croke Park had issued to residents in the area in relation to the setting up of a database through which the residents would be considered for tickets to some of the events held in Croke Park. In this letter, the Stadium Director stated that he was very conscious of the fact that Croke Park was situated in a residential area and was part of the local community. He pointed out that Croke Park had, in recent years, looked at ways of making some tickets available to the community for different events. It had now decided to introduce a new scheme involving the setting up of a database of people living in the area which would help ensure that tickets, when they were available, went to the right people. In order to be considered for tickets, interested residents were required to complete an application form and submit some form of photo identification, such as a passport or driving licence, as well as a utility bill. The data subject had serious concerns in relation to the type of information which was sought, how it was going to be used and the security surrounding the holding of the data.
My Office remained concerned that the residents were not made aware of how their data would be used by Croke Park and we suggested that this could be done through the inclusion of a data protection notice in the renewal letter which issues to all residents annually. We also had concerns regarding the retention of identity documents and we informed Croke Park that data controllers should not retain copies of personal data such as passports, driving licences and utility bills unless they had a statutory basis for doing so. My Office recommended that the residents be allowed to present their identification in person to Croke Park or alternatively, in relation to documents submitted by post, that Croke Park undertake to return the identification documents uncopied to the residents once verified. Croke Park took my Office’s recommendations on board and agreed to amend all future application forms to include a data protection notice. It also agreed to return all copies of identification and utility bills to those residents who had already submitted application forms to Croke Park.
I was satisfied that Croke Park took its responsibilities as a data controller seriously and I was encouraged by the prompt manner in which it addressed the issues raised by my Office by revising its procedures to take into account the data protection rights of the individuals involved.
Increasingly my Office is being informed of circumstances where data controllers retain copies of personal information used for identification purposes. Without a statutory basis for retaining copies of such documents, a data controller has no entitlement to keep a copy on file. There is no impediment to requesting sight of identification documents in order for a data controller to satisfy itself of a data subject’s identity and a system for doing this can be put in place without too much effort.
My Office commenced its investigation by contacting the company and referring it to the extensive guidelines on our website in relation to biometrics in the workplace. During our investigation, a meeting was held with a representative of the company to discuss the matter. In a privacy impact assessment, the company outlined its reasons for the introduction of the biometric system as health and safety, security, administration and cost effectiveness. It also provided details of the type of biometric system it intended to use - a touch verification system. The system requires a fingertip to be placed on a reader which converts the fingertip into an encrypted template; the employee then enters their unique PIN on a keypad. The system stores a numeric sequence on a central database. It was claimed that the numeric sequence cannot be reversed or used for any purpose other than verification, and that it is also encrypted.
The company also stated that it had looked into other forms of recording time and attendance and found that the biometric system would be the most efficient and cost effective. It also said that other systems could possibly be open to abuse. It stated that it had, in the past, experienced problems regarding abuse in relation to recording attendance. It also assured my Office that all employees, except for the staff who complained to my Office, had consented to the use of the touch verification system. The company said that it had held information sessions in each of its company branches and that written documentation and training had been given to all employees. Any employees who had objections to the system or wanted more information were also invited to address these with management. It also confirmed that the staff who complained to my Office had not been required to start using the system.
The approach of my Office is to try to understand the circumstances that lead a particular data controller to introduce a biometric system using the personal data of its employees, bearing in mind that the scan of a fingerprint is personal data even if converted into an algorithm. My Office reviewed the privacy impact assessment submitted in this case and the company’s responses to our queries. Taking into account the company’s cooperation in the matter, it was agreed that the staff concerned should use a PIN code system rather than the biometric system for recording time and attendance. This would not give rise to any issues under the Data Protection Acts. Furthermore, these staff would not be required to use the biometric system in the future without the company first taking the matter up with my Office. On that basis, I was happy to conclude the matter given that the issues raised by the individuals who made the complaints to my Office had been addressed. I was satisfied that the company had not breached the data protection rights of those staff as it had not required them to use the biometric system against their wishes.
My Office wrote to the data controller and we subsequently received a reply to the effect that the material sought in the access request had now been supplied. However, following examination of the documents received, the solicitor for the data subject communicated further with my Office and identified certain documents omitted by the data controller. Particular reference was made to documents in relation to a workplace accident in which the data subject was involved in October 2004. My Office contacted Dairygold/Reox seeking an explanation for the missing documents. While it responded by providing observations on a number of the missing documents, it also stated that it was obtaining legal advice regarding the release of the documents relating to the workplace accident.
After the exchange of detailed correspondence between my Office, Dairygold/Reox and its legal representatives, an index of all of the personal information which had been released was provided to my Office. In relation to the documents concerning the workplace accident, the solicitors for the data controller confirmed that their client was in possession of both an Internal Accident Report and a Consulting Engineer’s Report. It stated that both documents were prepared in contemplation of a personal injury claim and were therefore privileged.
There is a tendency for data controllers in some cases to claim non-relevant exemptions under Sections 4 or 5 of the Acts to restrict the right of access. With increased frequency, accident reports in relation to workplace incidents are being withheld with data controllers claiming legal privilege on such reports. I do not accept that legal privilege applies to such reports. It is standard procedure for an accident report to be compiled by an employer in the aftermath of a workplace accident and such reports clearly do not fall into the category of personal data in respect of which a claim of legal privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers. Any data controller who is reported to me as having restricted a data subject’s right of access to reports of this nature will face an investigation by my Office involving a close scrutiny of the grounds for applying the restriction. I will have no hesitation in using my full enforcement powers to ensure the rights of the data subject are upheld in relation to such cases.
On examining the matter closely, my Office found that Ryanair had provided an opt-out facility at the end of its marketing email messages, as marketers are required to do under Regulation 13(7) of SI 535 of 2003. It invited recipients who wished to unsubscribe to send a blank email to an email address which began with the word ‘leave’ and which consisted of a string of over seventy characters comprising a varied mix of letters and digits. The data subject, in this case, had failed to unsubscribe as she had not realised that the word ‘leave’ formed part of the email address. In my view, this was a mistake which could easily be made as the text used in the unsubscribe section of Ryanair’s email was not entirely clear and it provided no advice to customers.
Regulation 13(7) of SI 535 also requires marketers to provide customers with an opportunity to object to the receipt of further marketing in an easy manner. My Office asked Ryanair to explain how the provision of such a complex email address could be regarded as an easy manner of unsubscribing from its marketing database. The company, in reply, indicated that normally people ‘copy and paste’ the email address into a replying email. It also informed my Office that when a customer successfully submits an unsubscribe request, Ryanair sends back an email to the customer asking them to confirm by return email that they wished to unsubscribe. In effect, the company required customers to send two emails in order to unsubscribe. My Office noted that customers were not given any advice to the effect that they should copy and paste the email address in order to successfully submit the original unsubscribe email to the company nor were they advised that they would be required to submit a follow-up confirmation email. In the circumstances, we considered that customers had not been given an opportunity to opt-out in an easy manner and we asked Ryanair to take immediate steps to introduce a more user-friendly and easy unsubscribe facility for all recipients of its email marketing communications.
I am happy to report that Ryanair cooperated fully with my Office’s investigation of this complaint and it promptly took on board our concerns regarding the opt-out facility. We subsequently received confirmation from the company that it had simplified the unsubscribe process by providing a link in the marketing email which the customer could simply click on to unsubscribe without the need to enter the long email address. It also removed the requirement for a customer to submit a follow-up email to confirm their wish to unsubscribe. These changes significantly eased the process of unsubscribing from Ryanair’s marketing database and I welcome them.
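The remedy described in this case study, a single link the customer can click without typing a long address or sending a confirmation email, can be built so that it is both easy to use and safe against tampering. The following is an added illustration, not Ryanair’s own code or anything from the report: each unsubscribe link carries the customer’s address together with an HMAC computed under a server-side key, so a link can be generated cheaply for every outgoing message, one click is enough to act on it, and a forged or altered link is rejected rather than unsubscribing someone else. The key, the domain `marketing.example.com`, the function names and the sample addresses are all constructed for the example. The `List-Unsubscribe` and `List-Unsubscribe-Post` headers are the standard mail headers (RFC 2369 and RFC 8058) that let mail clients offer the same one-click opt-out directly in their user interface.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Optional, Set

# Constructed values for this example only. A real deployment loads the
# signing key from a secrets store and uses its own unsubscribe endpoint.
SECRET_KEY = b"example-signing-key-not-for-production"
BASE_URL = "https://marketing.example.com/unsubscribe"

_TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def _normalise(email: str) -> bytes:
    """Canonical form of an address so the same customer always signs the same bytes."""
    return email.strip().lower().encode("utf-8")


def make_unsubscribe_token(email: str, key: bytes = SECRET_KEY) -> str:
    """Return an opaque, URL-safe token binding this address to an HMAC tag.

    Layout of the raw bytes is <32-byte tag><address>; the tag has a fixed
    length, so no separator character is needed and no address can collide
    with the framing.
    """
    payload = _normalise(email)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).rstrip(b"=").decode("ascii")


def verify_unsubscribe_token(token: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the address the token was issued for, or None if it is invalid.

    Any decoding failure, a short token, or a tag mismatch yields None, so a
    tampered or guessed link never unsubscribes a different customer.
    """
    padded = token + "=" * (-len(token) % 4)  # restore base64 padding
    try:
        raw = base64.urlsafe_b64decode(padded.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return None
    if len(raw) <= _TAG_LEN:
        return None
    tag, payload = raw[:_TAG_LEN], raw[_TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak tag bytes.
    if not hmac.compare_digest(tag, expected):
        return None
    return payload.decode("utf-8", errors="strict")


def make_unsubscribe_link(email: str, key: bytes = SECRET_KEY) -> str:
    """The one-click link placed in the footer of every marketing email."""
    return f"{BASE_URL}?t={make_unsubscribe_token(email, key)}"


def unsubscribe_headers(email: str, key: bytes = SECRET_KEY) -> Dict[str, str]:
    """Mail headers that expose the same one-click opt-out to mail clients."""
    link = make_unsubscribe_link(email, key)
    return {
        "List-Unsubscribe": f"<{link}>",
        "List-Unsubscribe-Post": "List-Unsubscribe=One-Click",
    }


def handle_unsubscribe(token: str, suppression_list: Set[str],
                       key: bytes = SECRET_KEY) -> bool:
    """Server-side handler for the link: one valid click suppresses the address.

    No confirmation round-trip is required; the signed token already proves the
    link came from a message sent to that address. Returns True when the
    address is (now) suppressed, False when the token was rejected.
    """
    email = verify_unsubscribe_token(token, key)
    if email is None:
        return False
    suppression_list.add(email)  # idempotent: repeated clicks are harmless
    return True


if __name__ == "__main__":
    suppressed: Set[str] = set()
    link = make_unsubscribe_link("Customer@Example.net")
    print("Footer link:", link)
    print("Headers:", unsubscribe_headers("customer@example.net"))
    token = link.split("t=", 1)[1]
    print("Click accepted:", handle_unsubscribe(token, suppressed), suppressed)
    print("Forged token accepted:", handle_unsubscribe("not-a-real-token", suppressed))
```

The two properties the case study turns on are both visible here: the customer never types anything, because the token is embedded in a link, and there is no second email to send, because the HMAC rather than a confirmation reply establishes that the request is genuine. The suppression list should be checked before every send, so that a customer who has opted out stays opted out even if the original error that prompted the complaint recurs.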
The legal requirements concerning the use of electronic mail for direct marketing purposes are set out in SI 535 of 2003. Marketers may send email for direct marketing purposes to an individual subscriber where:
The ‘unsubscribe’ facility provided by Tesco to its customers failed in this instance and the individuals concerned continued to receive unwanted marketing material in contravention of the legal requirement.
Tesco further investigated the matter and found an issue with one of the methods that customers use to unsubscribe from its marketing emails. It immediately set about fixing the issue and while this was being done it directed customers to visit the website directly to unsubscribe. With regard to the previous assurance given that the individual complainants had been unsubscribed at the request of my Office, Tesco found that an error had been made in the manual process involved in unsubscribing them from the database. It corrected this error immediately. In light of the inconvenience caused, Tesco apologised to the individuals concerned and offered each of them gift vouchers as a goodwill gesture. This was accepted as an amicable resolution of their complaints. I was satisfied with the steps taken by Tesco to resolve this matter to the satisfaction of all concerned.