Data Protection Commissioner

[text version]
Data Protection Rule 3

Use and further processing of personal information

"the data shall not be further processed in any manner incompatible with that purpose or those purposes"
- section 2(1)(c)(ii) of the Act

If you obtain peronal information for a particular purpose, you may not use the data for any other purpose, and you may not divulge the personal data to a third party, except in ways that are "compatible" with the specified purpose. A key test of compatibility is whether you use and disclose the data in a way in which those who supplied the information would expect it to be used and disclosed.

Note that transfers of personal data to agents of yours, who are carrying out operations upon the data on your behalf and not retaining it for their own purposes, do not constitute "disclosures" of data for the purposes of the Act. (See the definitions section for the formal definition of "disclosure".) Examples of such transfers would include the transfer of staff data to a separate payroll company for payroll administration purposes, and the transfer of personal data from a general practitioner to a clinical laboratory for analysis of tissue samples. You should also note that, even though such transfers would not involve "disclosure" of personal data, the data controller might also have to consider whether the data have been "fairly obtained" for these purposes.

The restriction on processing of personal data (including disclosure to a third party) is lifted in a limited number of circumstances, specified in section 8 of the Data Protection Acts, where the right to privacy must be balanced against other needs of civil society, or where the processing is in the interests of the individual.

LINK» more about disclosures permitted under section 8 of the Act

Use and Disclosure: Test Yourself

You should be able to answer YES to the following questions:-

  • Do you use the data only in ways consistent with the purpose or purposes for which they are kept?
  • Do you disclose the data only in ways consistent with that purpose or purposes?

Practical steps

Carry out an inventory of all current and proposed disclosures and check each one against the stated purposes.

Some Case Studies relevant to this topic:

The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.

CASE STUDY 4/05 - Complaint by school manager - disclosure to parents of his personal data contained in a school inspection report

CASE STUDY 5/05 - Form of Authorisation in relation to applications under statutory housing schemes

CASE STUDY 6/05 - Cross marketing of a credit card by a travel agent

CASE STUDY 9/05 - Disclosure of patient details to the National Treatment Purchase Fund

CASE STUDY 4/04 - In-house legal diary - data obtained for a purpose of data processor contract may not be processed subsequently for a different purpose

CASE STUDY 3/04 - Reference and salary details disclosed without permission - issue of consent

CASE STUDY 10/03 - Market research survey carried out by an agent - not a disclosure within the meaning of the Acts

CASE STUDY 7/03 - Aer Lingus - payroll data was not inappropriately disclosed to trade union members

CASE STUDY 6/03 - Recruitment Agency - inappropriate disclosure - clients' CV to current employer

CASE STUDY 8/02 - Department of Defence - incompatible disclosure

CASE STUDY 1/01 - Bank and insurance company - cross- marketing of a third-party product - incompatible use and disclosure - fair obtaining and processing - small print and transparency

CASE STUDY 2/01 - Major charitable organisation - disclosure of donors' details to a financial institution - pro-active investigation - unfair obtaining - consent

CASE STUDY 3/01 - Employee performance ratings disclosed to other staff - inadequate security

CASE STUDY 7/01 - Ryanair - on-line booking - delayed credit card charge - whether charge activated upon a subsequent transaction - question of disclosure of passenger data

CASE STUDY 8/01 - Victim Support - Liason with An Garda Siochana - disclosure of victims' details - issue of consent

CASE STUDY 4/00 - Financial institutions - Irish Credit Bureau-
credit referencing - incompatible disclosure - "close matches"

CASE STUDY 5/00 - Eircom - ex-directory telephone customers- proposed disclosure to other telecommunications companies - limited use of ex-directory customer data - compliance with decision of ODTR

CASE STUDY 6/00 - Financial institution - Laser card - printing of home address on receipts - incompatible disclosure - adequate security

CASE STUDY 3/99 - Vehicle Registration Unit - disclosure of names and addresses to a motor distributor - disclosure required by law

CASE STUDY 7/99 - debt collection service - acting on behalf of hospital - whether data had been "disclosed" for purposes of Data Protection Act - whether debt-collecting agency is entitled to build database of debtors

CASE STUDY 8/99 - telecommunications company - electronic publication of telephone directory on the Internet and CD-ROM - advanced and novel search capabilities - whether compatible with purpose for which data were obtained

CASE STUDY 9/99 - Government Department - issue of request for tenders - inclusion of some personal data - whether data disclosed within meaning of the Act

CASE STUDY 1/98 - employee data - appropriate security measures - disclosure

CASE STUDY 2/98 - use of telemarketing company in the management of customer accounts - transfer of data to agent not disclosure - obligation of data processors to register

CASE STUDY 3/98 - joint bank account - issue of accuracy - disclosure - right of access

CASE STUDY 6/98 - local authority housing loan - disclosure of personal data by a local authority to a financial institution - whether such data are in the public domain - statutory discretion to make personal data publicly available does not take precedence over data protection law

CASE STUDY 8/98 - bank account details - disclosure to a person listed as a "disclosee" in the bank's entry in the Register of Data Controllers - Register entry not conclusive as to compliance with data protection principles

CASE STUDY 9/98 - telephone-based market research - apparent disclosure of unlisted telephone number

CASE STUDY 1/97 - hospital patient's data disclosed for research – data not obtained fairly for this purpose

CASE STUDY 1/96 - disclosure of names on the Internet

CASE STUDY 3/96 - compatibility of use of personal data – disclosure – state-sponsored body acting as agent for Government Department

CASE STUDY 8/96 - disclosure of an address list to a charity

CASE STUDY 11/96 - disclosure to a bank by a credit referencing agency – adequacy of information supplied by the bank when making enquiry – how the credit referencing agency dealt with the enquiry

MENU Select Page No.
<- Previous    Next ->

» Permanent Link