Use and further processing of personal information
"the data shall not be further processed in any manner incompatible with that purpose or those purposes"
- section 2(1)(c)(ii) of the Act
If you obtain peronal information for a particular purpose, you may not use the data for any other purpose, and you may not divulge the personal data to a third party, except in ways that are "compatible" with the specified purpose. A key test of compatibility is whether you use and disclose the data in a way in which those who supplied the information would expect it to be used and disclosed.
Note that transfers of personal data to agents of yours, who are carrying out operations upon the data on your behalf and not retaining it for their own purposes, do not constitute "disclosures" of data for the purposes of the Act. (See the definitions section for the formal definition of "disclosure".) Examples of such transfers would include the transfer of staff data to a separate payroll company for payroll administration purposes, and the transfer of personal data from a general practitioner to a clinical laboratory for analysis of tissue samples. You should also note that, even though such transfers would not involve "disclosure" of personal data, the data controller might also have to consider whether the data have been "fairly obtained" for these purposes.
The restriction on processing of personal data (including disclosure to a third party) is lifted in a limited number of circumstances, specified in section 8 of the Data Protection Acts, where the right to privacy must be balanced against other needs of civil society, or where the processing is in the interests of the individual.
|more about disclosures permitted under section 8 of the Act|
You should be able to answer YES to the following questions:-
- Do you use the data only in ways consistent with the purpose or purposes for which they are kept?
- Do you disclose the data only in ways consistent with that purpose or purposes?
Carry out an inventory of all current and proposed disclosures and check each one against the stated purposes.
Some Case Studies relevant to this topic:
The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.
CASE STUDY 4/05 - Complaint by school manager - disclosure to parents of his personal data contained in a school inspection report
CASE STUDY 5/05 - Form of Authorisation in relation to applications under statutory housing schemes
CASE STUDY 6/05 - Cross marketing of a credit card by a travel agent
CASE STUDY 9/05 - Disclosure of patient details to the National Treatment Purchase Fund
CASE STUDY 4/04 - In-house legal diary - data obtained for a purpose of data processor contract may not be processed subsequently for a different purpose
CASE STUDY 3/04 - Reference and salary details disclosed without permission - issue of consent
CASE STUDY 10/03 - Market research survey carried out by an agent - not a disclosure within the meaning of the Acts
CASE STUDY 7/03 - Aer Lingus - payroll data was not inappropriately disclosed to trade union members
CASE STUDY 6/03 - Recruitment Agency - inappropriate disclosure - clients' CV to current employer
CASE STUDY 8/02 - Department of Defence - incompatible disclosure
CASE STUDY 1/01 - Bank and insurance company - cross- marketing of a third-party product - incompatible use and disclosure - fair obtaining and processing - small print and transparency
CASE STUDY 2/01 - Major charitable organisation - disclosure of donors' details to a financial institution - pro-active investigation - unfair obtaining - consent
CASE STUDY 3/01 - Employee performance ratings disclosed to other staff - inadequate security
CASE STUDY 7/01 - Ryanair - on-line booking - delayed credit card charge - whether charge activated upon a subsequent transaction - question of disclosure of passenger data
CASE STUDY 8/01 - Victim Support - Liason with An Garda Siochana - disclosure of victims' details - issue of consent
CASE STUDY 4/00 - Financial institutions - Irish Credit Bureau-
credit referencing - incompatible disclosure - "close matches"
CASE STUDY 5/00 - Eircom - ex-directory telephone customers- proposed disclosure to other telecommunications companies - limited use of ex-directory customer data - compliance with decision of ODTR
CASE STUDY 6/00 - Financial institution - Laser card - printing of home address on receipts - incompatible disclosure - adequate security
CASE STUDY 3/99 - Vehicle Registration Unit - disclosure of names and addresses to a motor distributor - disclosure required by law
CASE STUDY 7/99 - debt collection service - acting on behalf of hospital - whether data had been "disclosed" for purposes of Data Protection Act - whether debt-collecting agency is entitled to build database of debtors
CASE STUDY 8/99 - telecommunications company - electronic publication of telephone directory on the Internet and CD-ROM - advanced and novel search capabilities - whether compatible with purpose for which data were obtained
CASE STUDY 9/99 - Government Department - issue of request for tenders - inclusion of some personal data - whether data disclosed within meaning of the Act
CASE STUDY 1/98 - employee data - appropriate security measures - disclosure
CASE STUDY 2/98 - use of telemarketing company in the management of customer accounts - transfer of data to agent not disclosure - obligation of data processors to register
CASE STUDY 3/98 - joint bank account - issue of accuracy - disclosure - right of access
CASE STUDY 6/98 - local authority housing loan - disclosure of personal data by a local authority to a financial institution - whether such data are in the public domain - statutory discretion to make personal data publicly available does not take precedence over data protection law
CASE STUDY 8/98 - bank account details - disclosure to a person listed as a "disclosee" in the bank's entry in the Register of Data Controllers - Register entry not conclusive as to compliance with data protection principles
CASE STUDY 9/98 - telephone-based market research - apparent disclosure of unlisted telephone number
CASE STUDY 1/97 - hospital patient's data disclosed for research – data not obtained fairly for this purpose
CASE STUDY 1/96 - disclosure of names on the Internet
CASE STUDY 3/96 - compatibility of use of personal data – disclosure – state-sponsored body acting as agent for Government Department
CASE STUDY 8/96 - disclosure of an address list to a charity
CASE STUDY 11/96 - disclosure to a bank by a credit referencing agency – adequacy of information supplied by the bank when making enquiry – how the credit referencing agency dealt with the enquiry
|MENU||Select Page No.||<- Previous Next ->|
» Permanent Link