Data Protection Commissioner

[text version]

CASE STUDIES 2007

Case Study 1: Right of Rectification of Personal Data Held by a Data Controller
Case study 2: Data Controller breaches several provisions in its processing of Sensitive Personal Data
Case Study 3: Inappropriate use of CCTV footage by West Wood Club
Case Study 4: NewTel Communications - Ordered to suspend marketing
Case Study 5: Excessive Personal Data on EU Single Payment Scheme Application Forms
Case Study 6: Data Controller breaches data protection law in regard to use of covert CCTV footage
Case Study 7: Aer Lingus - Disclosure of employee information
Case Study 8: Failure to finalise a complaint against Money Corp Limited
Case Study 9: Marketing Calls by Eircom - remedial action - amicable resolution
Case Study 10: Member of staff at Revenue accessing and using personal data of a taxpayer
Case Study 11: Croke Park - Retention of personal data of nearby residents
Case Study 12: Biometrics in the workplace - need for staff consent
Case Study 13: Dairygold - Failure to comply in full with an Access Request
Case Study 14: Ryanair - Remedial action taken for customers to unsubscribe from marketing
Case Study 15: On-line shoppers receive unsolicited marketing from Tesco

Case Study 1: Right of Rectification of Personal Data Held by a Data Controller

I received a complaint regarding a medical report carried out at the request of the complainant's employers. The report was a psychological assessment dealing with the complainant's ability to return to her original workplace after a period of absence on sick leave.

The person concerned had received a copy of the medical report in question from the medical practitioner who carried out the assessment and she considered the contents to be inaccurate. The complainant then requested that the report be rectified to reflect what she considered to be an accurate description of her particular circumstances. However, the data controller, a consultant psychiatrist, reverted to the data subject stating that it was not possible to make the kind of alterations to the independent medical assessment that had been sought.

Under Section 6 of the Data Protection Acts 1998 and 2003, if you discover that information kept about you by a data controller is factually inaccurate or collected unfairly, you have a right to have that information rectified or, in some cases, you may have that information erased. However, this is not an unqualified right and depends on the circumstances of each case. The judgement to be made in such cases is complicated all the more when the matters at issue are medical in nature. If for example, a data controller - in this case, the medical practitioner - considers that data is, in fact, accurate and if the data subject disagrees, then one possible course in the interest of achieving an amicable resolution is for the data controller to annotate the data to the effect that the data subject believes that the data is inaccurate for reasons which should be indicated (this solution is explicitly provided for in Section 6(1)(a) of the Acts).

This course of action was followed in this case and as part of the rectification process, the complainant supplied various annotations to be included in the medical report. Also supplied with each of these annotations was a detailed explanation for such. Having examined the annotations and all the information my Office had to hand, including the medical report in question, my Office was of the opinion that the proposed annotations supplemented the medical report without changing the report materially.

My Office communicated its position to both parties and the medical practitioner concerned helpfully supplemented the medical report in question by inserting the requested annotations. This allowed for the complaint to be resolved to the satisfaction of all parties concerned.

This case clearly indicates the value of the right of an individual to seek the rectification or supplementing of personal information relating to them, in accordance with Section 6 of the Data Protection Acts, 1998 and 2003. In instances such as the case highlighted above, where the personal information is of a subjective nature, the right to rectification is not always appropriate. In this case the individual concerned was satisfied that the annotations she supplied, when recorded with the report, were sufficient to ensure that anyone reading the report had a balanced view of her circumstances.

 

Case study 2: Data Controller breaches several provisions in its processing of Sensitive Personal Data

I received a complaint in May 2006 from a data subject regarding the use by her former employer, Baxter Healthcare S.A., of two medical reports relating to her. The data subject had been involved in an industrial accident at work in April 2002 which subsequently resulted in a prolonged absence from the workplace. During this absence, the data subject pursued a personal injuries claim against Baxter Healthcare. As part of this process, at the request of the solicitor acting on behalf of Baxter Healthcare's insurers, she attended a consultant neurologist on two occasions for medical evaluation in 2003 and 2004. Early in 2005, the data subject became aware that the medical reports compiled as a result of those evaluations were in the possession of Baxter Healthcare. Through her solicitor, the data subject made an access request to Baxter Healthcare for copies of the medical reports. She was advised in writing that, as these reports were obtained in the context of her personal injury proceedings, her access request should be addressed to the solicitors,
P. O'Connor & Son, acting for the insurers. Shortly afterwards, the data subject's contract of employment was terminated. The decision by Baxter Healthcare to terminate the employment was stated to be on the basis of the medical evidence available to the company, including the medical reports compiled in 2003 and 2004 in the context of the data subject's personal injury claim. Following her dismissal, the data subject brought a claim to the Labour Relations Commission against Baxter Healthcare under the Unfair Dismissals Act 1977 to 2001. A hearing in relation to this case took place in April 2006 and the data subject alleged that, in the course of the hearing, copies of the medical reports were furnished by Baxter Healthcare to herself, to the Rights Commissioner and to all present. These medical reports had not been previously provided to her in response to her access request.

My Office conducted a detailed and extensive investigation of this complaint. This focused on 2 primary data protection issues, namely the use of the medical reports obtained to defend an insurance claim to support the dismissal of the data subject and the disclosure of those same medical reports at a labour relations hearing. The company's solicitor stated that the medical reports of the consultant neurologist were obtained for the legitimate purpose of defending personal injury proceedings instituted by the data subject and that the medical reports were also employed and required for the legitimate purpose of defending separate legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. It submitted that Section 2(1)(c)(i) of the Acts specifically envisages that the data may be obtained and used for more than one purpose, provided that both purposes are legitimate. It went on to state that Section 2(1)(c) (ii) of the Acts only prohibits further processing insofar as that processing is incompatible with the original purpose or purposes. It argued that the use of the reports to defend legal proceedings against Baxter Healthcare under the Unfair Dismissals Act could not be said to be incompatible with the original purpose as the original purpose was to defend legal proceedings instituted by the data subject and the subsequent use was to also defend legal proceedings, albeit separate proceedings by the data subject.


The data subject sought a decision on her complaint under Section 10(1)(b(ii) of the Acts in June 2007. In my analysis of the data protection issues arising from this complaint, I found that the medical reports in question constitute 'sensitive personal data' within the meaning of the Acts. The medical reports were commissioned on behalf of Baxter Healthcare's insurers, by its solicitors, for the purpose of the defence of the High Court personal injury claim instituted by the data subject. The reports were, however, used for three purposes:

  • They were used for the purpose for which they were generated in the first place, i.e. for the defence by Baxter Healthcare's insurers of the High Court personal injury claim instituted by the data subject.
  • They were used in the decision taken by Baxter Healthcare to terminate the employment of the data subject.
  • They were used to defend legal proceedings taken by the data subject against Baxter Healthcare under the Unfair Dismissals Act at a hearing in April 2006.


No data protection issue arose in relation to the first use of the medical reports by Baxter Healthcare's insurers in the context of its defence of the personal injury claim brought by the data subject.

With regard to the second use by Baxter Healthcare of the medical reports in the decision to terminate the data subject's employment, this was done without the data subject's consent. The general requirements that must be complied with by a data controller under the Acts in relation to the personal data of a data subject include the following: 

  • the data shall have been obtained only for one or more specified, explicit and legitimate purposes
  • the data shall not be further processed in a manner incompatible with that purpose or those purposes
  • the data subject is informed of the purposes or purposes for which the data are intended to be processed


The consent of the data subject is the default position, as it were, for the fair processing and obtaining of personal data. Where it is absent, the data controller may not process personal data unless it can find another basis in the Acts. The Acts provide for the following exemptions which were potentially applicable in the present case: 

  • the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject (Section 2A (1)(d));

and (because sensitive data is involved) 

  • the processing is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings or is otherwise necessary for the purpose of establishing, exercising or defending legal rights (Section 2B (b)( vii)).

All of these conditions must be met.


In my analysis of this complaint, I considered that the purpose for which the medical reports were originally obtained (the defence by Baxter's insurers of the High Court personal injury claim instituted by the data subject) was not compatible with their further use to support the data controller's decision to dismiss the data subject. I considered that, in the absence of the data subject's consent, this processing of the data subject's sensitive personal data constituted a breach of the Acts.

With regard to the third use by Baxter Healthcare of the medical reports to defend legal proceedings under the Unfair Dismissals Act, the same considerations arose in relation to the further use of the sensitive personal data at a hearing before a Rights Commissioner in April 2006, with the aggravating factor that the sensitive personal data was further disclosed to those involved in the hearing.

However, I had to consider if the processing of personal data in this case might benefit from the exemption in Section 8(f) of the Acts which provides that: "Any restrictions in this Act on the processing of personal data do not apply if the processing is ...required...for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness."

I formed the opinion that this exemption cannot apply to sensitive personal data which has already been improperly processed to support the decision (dismissal) which was the subject matter of the legal process. I concluded that the use of the medical records to defend the Unfair Dismissals claim constituted a further breach of the Acts.

For completeness, my Decision in this case also found that Baxter had failed to comply fully with an access request made by the data subject.

This case demonstrates the care which data controllers must exercise in the processing of all personal data, including sensitive personal data, in its possession. It is unacceptable for a data controller to seek to take advantage of personal data which may be in its possession and to use it for some purpose unrelated to the purpose for which it was originally obtained.

 

Case Study 3: Inappropriate use of CCTV footage by West Wood Club

I received a complaint from a data subject alleging breaches of the Data Protection Acts by inappropriate use of CCTV footage at West Wood Club, Sandymount in Dublin. In her complaint she informed my Office that on 4th March, 2006 she visited the West Wood Club as a member to use the steam/sauna rooms and the swimming pool. A customer service issue arose in relation to the cleanliness of the facilities on the day which were the subject of a phone-call by the complainant from the steam/sauna rooms. The data subject wrote a subsequent letter of complaint about the matter to the Club following which she was asked to meet the manager to discuss the matter. Upon doing so she was presented with CCTV footage which it was claimed supported the club's view of the customer service issues arising and refuting the claim that she had made a phone-call on the issue on the morning in question. In this respect, three CDs of CCTV footage were presented each of which in turn were claimed to be the data subject engaging in leisure activities within the gym on the morning in question. They in fact were not the data subject and were other female members of the gym.

Shortly afterwards the data subject's membership of the gym was revoked.

The data subject informed my Office that she found it acceptable to be shown CCTV footage to assure her that the sauna/steam rooms had been cleaned but she found it unbelievable that West Wood Club kept and viewed footage to discredit members' genuine complaints. She felt strongly that the CCTV footage was shown to her to intimidate her and question her good character and was used to say that she was lying.

My Office commenced an investigation and wrote to the Managing Director of West Wood Club expressing our concern at what appeared to be excessive and disproportionate use by West Wood Club of CCTV footage for the purpose of dealing with the data subject's complaint. A response was received from the solicitors for the Club and an exchange of correspondence subsequently took place between my Office and the solicitors. Among other things, my Office was informed that the only purpose for which CCTV was used in the Club was for security. They also confirmed that members and staff of the Club were aware that their images were being recorded as there were several signs displayed in the Club regarding the operation of CCTV. It was also confirmed to my Office that CCTV footage was automatically erased at the end of each month.

However, the Solicitors contested any suggestions that the Data Protection Acts prohibit data that has been bona fide obtained and temporarily stored for one general purpose from being used in specific circumstances for some other useful purpose that is for the general good. They also stated that the purpose of the CCTV system in operation at West Wood Club was, like most CCTV systems, security and that this included the issues of theft and personal safety and integrity. They contended that this was a health and safety issue, coming under the general heading of security, on the grounds that the data subject made a complaint that the sauna was unhygienic because it had not been cleaned. I disagreed with the data controller's position on this matter. I accepted that the purpose of 'security' may include the issues of theft and personal safety in certain circumstances related to security risk. However, the issues of integrity, health and safety are clearly separate purposes to the purpose of 'security.'


Section 2(1)(c)(ii) provides that data shall not be further processed in a manner incompatible with that purpose or those purposes for which it was obtained. It was clear from my Office's correspondences with the data controller's solicitors that West Wood Club processed images which were recorded for 'security' purposes by showing them to the data subject in response to a complaint which she had made concerning the sauna/ steam rooms not being operational on the morning of 4 March, 2006. Her complaint had nothing whatsoever to do with 'security' issues and, therefore, it was entirely inappropriate for the data controller to produce personal data, about other individuals as it transpired, which was obtained for 'security' purposes, to attempt to deal with this matter.

I had no reason to doubt the version of events given to me by the data subject. I concluded that West Wood Club did indeed set out to refute the data subject's complaint through the use of CCTV footage which was recorded for a 'security' purpose.

I was required to make a Decision on this case under Section 10(1)(b)(ii) of the Acts. I formed the opinion that West Wood Club breached Section 2(1)(c)(ii) of the Acts by the further processing of CCTV footage which was obtained for security purposes in a manner incompatible with that purpose. I found it disturbing that the data subject's membership of West Wood Club was invalidated following a breach of the Data Protection Acts by West Wood Club. It is unacceptable that an entity against whom a complaint is made would contravene the Data Protection Acts in dealing with the complaint and thereby infringe on the data protection rights of the complainant or others.

CCTV recordings have become an everyday part of our lives. Their usage, and seeming acceptance, for so many different purposes is troubling. In this case, the use of CCTV in the private areas of a sauna/steam room in a gym is questionable in itself from a data protection perspective. To then use the footage captured (notionally for security purposes) in an attempt to discredit a gym member making a customer service complaint is totally unacceptable. In the circumstances I had no hesitation in finding in favour of the complainant.

 

Case Study 4: NewTel Communications - Ordered to suspend marketing

The marketing activities of the telecommunications company NewTel Communications Ltd came to the attention of my Office in 2006 and again early in 2007. In 2006 an inspection was conducted of its marketing activities and appeared to indicate that it had taken appropriate remedial activity. However, in 2007 we received in a short period a number of complaints regarding marketing calls made by this company. These calls were made to individuals who either had already expressly told the company that they did not wish to be contacted or had exercised their right to have their preference not to be called recorded on the
National Directory Database opt-out register.11

These marketing calls contravened Regulations 13 4(a) and 13 4(b) of SI 535 of 2003 which state that:

"A person shall not use, or cause to be used, any publicly available electronic communications service to make an unsolicited telephone call for the purpose of direct marketing to the line of a subscriber, where ­

(a) the subscriber has notified the person that the subscriber does not consent to the receipt of such a call on his, her or its line, or

(b) subject to paragraph (5), the relevant information referred to in Regulation 14(3) is recorded in respect of the line in the National Directory Database."


My Office investigated the complaints which we had received. After initial investigation, we found out that an external offshore agency employed by NewTel Communications Ltd to make marketing calls was not following the company's "do not call" policy. As a result of this information, NewTel Communications Ltd ceased its relationship with the offshore agency concerned in March 2007. However, my Office continued to receive complaints about further unsolicited calls made by NewTel Communications Ltd. We concluded that, despite assurances from the company, its marketing procedures were not sufficiently robust or watertight to uphold the data protection rights of subscribers who did not wish to receive direct marketing calls. We accordingly requested NewTel Communications to cease all 'cold call' marketing with immediate effect or we would issue a legally binding enforcement notice to that effect. We informed the company that we would not agree to allow this marketing activity to recommence until it had identified and remedied whatever problems in its procedures or systems had led to the unsolicited marketing calls to the complainants to my Office.
NewTel Communications Ltd complied with my Office's request and it initiated an internal investigation. As a result of this investigation, the company established that a second offshore agency was not following the company's "do not call" policy. Recognising the seriousness of the matter, the company suspended this agency from marketing on its behalf. My Office was satisfied with the actions taken by the company to identify the problems and to correct them. Following this remedial action, we agreed that NewTel could recommence its telemarketing activities. Its 'cold calling' marketing campaign had been suspended for a total of twenty days as a result of the actions taken by my Office.
This case demonstrates that my Office will take strong and effective action, such as requiring the suspension of marketing activities, where necessary. Complaints about telemarketing from the general public are an indicator of problems in the procedures or systems in companies which operate in the telemarketing sector. My Office continues to ensure that those companies complained of take immediate steps to identify the problems and then sort them out without delay. If the suspension of a company's marketing activities is necessary to achieve corrective measures, we will not hesitate to require such action, difficult though it may be for the company concerned.

11 Telephone subscribers can have their preference not to be contacted by direct marketers recorded on the National Directory Database (NDD) by contacting their line provider who will supply the relevant details to the NDD.

Case Study 5: Excessive Personal Data on EU Single Payment Scheme Application Forms

I received a complaint that the EU Single Payment Scheme Application Forms, which are issued annually by the Department of Agriculture, Fisheries & Food, contained pre-printed data in respect of the date of birth and PPS number of the farmers to whom the forms are issued. A farmer informed my Office that he, and many other farmers, would usually need to get professional assistance from Teagasc or other qualified agents in the completion of these forms. He pointed out that the pre-printing of this personal data on the forms infringed his privacy as he had no means to restrict his professional adviser from viewing his date of birth and PPS number. He also stated that it would be normal for those professional advisers to retain copies of the completed forms in case the Department of Agriculture & Food raised queries which might need to be referred back to the advisers at a later stage.

In contacting the Department on this matter, we highlighted that both PPS numbers and dates of birth constitute personal data and are, therefore, subject to the protections set down in the Data Protection Acts, 1988 and 2003. We went on to state that in a situation where the Department sends out forms with personal data pre-printed on them and is aware that the recipients may need the assistance of third parties to complete them, the Department must make every effort to ensure that only the very basic personal details - such as name and address - are pre-printed. We pointed out that the problem with pre-printing other personal data is that it gives the recipient only one choice in terms of safeguarding it – that is that he/ she could blacken it out or otherwise delete it prior to showing it to a third party. We expressed some doubt about whether the Department would welcome the return of completed application forms which were somewhat defaced. Finally, we drew attention to the potential risks to the privacy of an individual where their personal data, such as a PPS number, fell into the hands of a third party.


The Department examined the matter and it immediately set about taking into account the concerns which my Office had expressed. In the drafting of the Application Form for 2008, the Department commendably removed completely the data fields concerning the applicant's date of birth and PPS number.

This case demonstrates how common it is for public bodies or other authorities to fall into the practice of processing categories of personal data even where such data is not needed to administer the scheme or application in question. Greater care must be taken by all concerned to ensure that only the minimum amount of personal data necessary is processed in the administration of schemes run by public bodies. In particular, I strongly advise public bodies which are authorised to use PPS numbers to do so sparingly and with extreme care.

Case Study 6: Data Controller breaches data protection law in regard to use of covert CCTV footage

I received a complaint in October 2006 from a data subject regarding the unfair obtaining by her employer of her personal information and its subsequent use as evidence to terminate her employment. The data subject had been employed in a supervisory capacity at the Gresham Hotel in Dublin for a number of years. In January 2005 she was called to a meeting by hotel management, at which she was informed that covert cameras had been installed some time previously in the hotel for the purposes of an investigation. The investigation was initiated on foot of a complaint received by the hotel regarding cash handling at the bar. The data subject was not the subject of the investigation, she was not made aware of the investigation nor was she informed of the covert CCTV recordings. At the meeting, the data subject was confronted with a series of questions and was asked to explain some of her actions which had been recorded by the covert cameras. Later in 2005, she was dismissed from her employment with the hotel. Evidence taken from the covert CCTV recordings was used in the decision to terminate the data subject's employment. No criminal prosecutions took place following the hotel's investigation nor was the data subject interviewed by An Garda Síochána.

As part of the detailed investigation into this complaint, my Office initially sought the observations of The Gresham Hotel regarding this issue, drawing particular attention to the fair obtaining principle of the Data Protection Acts 1988 & 2003. The use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful. Such covert surveillance is normally only permitted on a case by case basis where the data is gathered for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies an actual involvement of An Garda Síochána or an intention to involve An Garda Síochána.


In response to our initial queries, the hotel stated that the cameras were installed for a legitimate and specified purpose -the investigation of a complaint regarding cash handling in this area. It stated that it was of the opinion that the processing of this information was necessary for the protection of a legitimate legal interest, the protection of property of the hotel in response to a specific concern it had. The hotel also emphasised in its early correspondence with my Office that at no point were the cameras hidden or covert and it presumed that all employees would have seen them.

During our investigation, the data subject supplied photographs of electrical type data boxes/sockets that were located in the bar area of the hotel as it was her understanding that the covert cameras were hidden within these boxes. My Office forwarded copies of these photographs to the hotel requesting clarification on the matter. In response it indicated that these electrical type data boxes were telephone connections, microphone connections and internet connections and were never used as a means to record images for CCTV footage.

As part of our investigation, my Office visited the Gresham Hotel for the purpose of viewing the CCTV footage in question and to inspect the area in which the CCTV footage had been recorded. During this inspection, as well as viewing the footage, we were shown two electrical type boxes located just below ceiling level in the bar area and these boxes were identified as having been the location for the covert cameras. The location of the boxes also matched the views of the bar area which could be seen in the CCTV footage. The boxes were marked "1" and "2" and they appeared to be the same as the electrical boxes which appeared in the photographs which were previously supplied by the data subject. This clearly conflicted with the earlier information which the hotel had supplied to my Office as part of its investigation. Following this inspection, my Office was satisfied, on the basis of all of the information which had been compiled during our investigation, that the data protection rights of the data subject had been breached. Covert CCTV cameras had been installed to investigate specific incidents. The data subject was not the subject matter of this investigation. The personal data of the persons captured on the footage was obtained for one purpose - the investigation of specific incidents in the hotel. In the case of this data subject, her personal data was further processed in a manner incompatible with the original purpose. Furthermore, the data subject's personal data was not processed in accordance with the requirements of 'fair processing' as she had not been informed by the data controller, at the time when the data controller first processed her data, of the purpose for which it intended to process her personal data.


As the Acts require me to try to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter which is the subject of a complaint, my Office asked both parties to consider this approach. Within a few weeks, a settlement was agreed between the parties. I was pleased that my Office was able to close its investigation file on the basis that an amicable resolution had been reached.

Case Study 7: Aer Lingus - Disclosure of employee information

Early in 2007, my Office received a significant number of complaints from employees of Aer Lingus regarding an alleged disclosure of their personal information by Aer Lingus to a third party without their consent. According to the complainants, the Human Resources Division of Aer Lingus had passed on the names, staff numbers and place of employment of its staff to HSA Ireland without the knowledge or consent of the employees concerned. Staff of Aer Lingus had become aware of this matter when they received personally addressed promotional literature from HSA Ireland, a healthcare organisation offering a range of health care plans. In this promotional literature, a copy of which was received in my Office, HSA Ireland informed the Aer Lingus employees that Aer Lingus had agreed to allow it to directly distribute the information to them.

Section 2 of the Data Protection Acts, 1988 and 2003 sets out the position in relation to the collection, processing, keeping, use and disclosure of personal data. It provides that data should be obtained and processed fairly, kept for only one or more specified purposes and it should be used and disclosed only in ways compatible with that purpose or those purposes. It also provides that personal data should not be processed by a data controller unless at least one of a number of conditions is met - one of those conditions being the consent of the data subject to the processing.


In response to initial contact from my Office regarding the alleged disclosure of personal information, Aer Lingus confirmed that it had passed on the personal data of its staff to HSA Ireland and it set out the background to how it had occurred. It explained that the company had previously operated and administered a Staff Welfare Fund to assist employees in certain circumstances in relation to personal and family medical expenses. As this fund had closed, Aer Lingus committed to putting another scheme in place and it negotiated with HSA Ireland to offer a replacement scheme to employees. In order to increase staff awareness of this new scheme, it was decided that it would be in the best interests of staff to write to them directly at their place of employment. Employee names and staff numbers were provided to HSA Ireland by means of a mail merge file. Aer Lingus was of the opinion that this disclosure was legitimate in accordance with what it regarded as a bona fide employment purpose. It also confirmed that consent had not been sought or obtained from its employees prior to the forwarding of the employee details to HSA Ireland.

My Office reminded Aer Lingus of its obligations under Section 2 of the Data Protection Acts with regard to the processing of personal data and it pointed out that the personal data of its staff should not have been disclosed to a third party without the consent of the employees concerned. In the circumstances, my Office sought and obtained confirmation from Aer Lingus that it had now destroyed the mail merge file containing the names and staff numbers which it had forwarded to HSA Ireland. Confirmation was also received from HSA Ireland that it had not retained records of Aer Lingus employee names, addresses, payroll or payslip numbers on any database.

My Office was satisfied by the steps taken by Aer Lingus and HSA Ireland in terms of corrective action. By way of clarification, we pointed out that the key issue from a data protection perspective was that Aer Lingus had facilitated contact from a third party to its employees concerning the availability of a staff welfare scheme while the same information could have been promulgated to those employees without raising any data protection concerns had Aer Lingus sent it directly to its employees instead.

I fully recognise that employers may, from time to time, wish to communicate details of various schemes to their employees. This can easily be achieved without infringing on the data protection rights of employees if the employer supplies the information directly to its employees or by some other means in conformity with the Data Protection Acts. My Office had only in the weeks before these complaints were received conducted an audit of Aer Lingus which had generally found a high level of compliance with data protection requirements. The occasion of the audit could have been used to seek advice from my Office on this issue.

My Office is always available to give advice to data controllers and the public alike in relation to data protection responsibilities and rights.

 

Case Study 8: Failure to finalise a complaint against Money Corp Limited

I received a complaint from a data subject in February 2007 regarding the failure of Money Corp Limited to respond to an access request made by him in November 2006. The right of access to personal data is one of the key fundamental rights conferred on a data subject by the Data Protection Acts. The Acts provide that access requests must be complied with by a data controller "as soon as may be and in any event not more than 40 days" after receipt of the request. My Office commenced an investigation which lasted for a period of some seven months.

During our investigation, we received correspondence from a firm of Dublin-based solicitors acting for Money Corp Limited stating that its client had responded to the data subject's access request in early May 2007. However, the data subject subsequently informed us that some critical documents had not been included in the response he had received to his access request. Accordingly, our investigation continued on the basis that Money Corp appeared to have failed to comply in full with the data subject's access request. We communicated further with Money Corp's solicitors regarding the matter of the outstanding documents.

At the end of August 2007, my Office received correspondence from these solicitors in which they stated that their client had furnished the data subject with any documentation held by them. They went on to state that their client's instructions were that any further documentation that the data subject considered to be outstanding "must have been mislaid during the process of moving offices as they have moved offices three times in the intervening period." The solicitors concluded their letter by informing my Office that all further correspondence on this matter should be directed to the registered office of Money Corp Limited.

My Office was very concerned at this turn of events and it was particularly cognisant of the fact that the outstanding documents could be of considerable importance to the data subject in relation to proving outstanding financial matters of a very significant nature. Accordingly, in order to investigate the matter further, one of my authorised officers, using the powers conferred by Section 24 of the Data Protection Acts, visited an address in Dun Laoghaire, Co. Dublin at which the company was registered with the Irish Financial Services Regulatory Authority (We had previously found out that the company was not trading at the address at which it was registered with the Companies Registration Office). Despite three separate attempts to gain access to the premises in Dun Laoghaire, the authorised officer failed to gain access or to make contact with any member of staff of Money Corp at the premises. Following this, my Office communicated again with the solicitors for Money Corp to which we subsequently received a reply which stated that "we have been unable to obtain further instructions from our client and we are now closing our file. As a result, we will be no longer representing them in relation to this matter."


By way of a further attempt to communicate with Money Corp Ltd, my Office sent a letter by registered post in early October 2007 to the company's Dun Laoghaire address. This letter was returned by An Post to my Office in November 2007 with an indication from An Post that nobody was available at the address on the delivery date and that it was not subsequently collected at the mail centre.

Unfortunately, despite extensive efforts by my Office to make direct contact with Money Corp Limited, we were unable to do so. As our investigation was effectively stymied, we found ourselves in the unsatisfactory situation of being unable to pursue the complaint to finality, despite the best possible use of the powers available to me. In the circumstances, my Office has communicated with the Financial Regulator in relation to the details of this case.

Case Study 9: Marketing Calls by Eircom - remedial action - amicable resolution.

During the first half of 2007 I received a large number of complaints from members of the public who had received marketing telephone calls from a telecommunications company, Eircom. Many of the complaints came from people who were ex-customers of Eircom and the marketing calls from the company were made in an effort to win back their business. Some of these complainants informed Eircom that they did not wish to receive further marketing calls but the company continued to call them. Others had their phone numbers listed on the National Directory Database (NDD) opt-out register but continued to receive marketing calls from Eircom.

Regulation 13 (4) of Statutory Instrument 535 of 2003 prohibits the making of an unsolicited telephone call for marketing purposes to the line of a subscriber where the subscriber has notified the person or company making the marketing call that he/she does not consent to the receipt of such a call on his/her telephone line or where the subscriber has had his/ her telephone number recorded in the NDD opt-out register. It is an offence to make a marketing call which breaches this Regulation.

My Office investigated the complaints and engaged at length with Eircom on the matter. This involved meetings with the company as well as several exchanges of correspondence which eventually led to the following favourable and positive outcome from my perspective:

  • Eircom assured me that it is fully committed to ensuring compliance with data protection legislation within the organisation.
  • It expressed concern about the complaints received by my Office and it assured me that it takes all such complaints very seriously.
  • Eircom introduced a number of measures to  Eircom conveyed its sincere apologies to the complainants to my Office for any inconvenience caused to them and it entered the complainants' contact details on its suppression list to prohibit further marketing calls from the company to those individuals. In order to demonstrate its commitment to reduce the risk of any reoccurrence of such complaints. These measures involved the completion of a full internal review of the processes which are followed by all customer-facing channels when recording requests to opt-out of direct marketing by Eircom and its related companies. Where any points of weakness within these processes were identified, the process was revised to ensure that it was both robust and compliant with data protection legislation.
  • Eircom briefed all relevant staff on the issues which gave rise to complaints and on the new processes which were put in place. The new processes also became an integral part of the training material for new staff.
  • Eircom established a centralised and dedicated 'suppression' unit with responsibility for processing "do not call" requests received by post, email or fax
  • .
  • A statement was placed on Eircom's Intranet homepage emphasising the importance of ensuring compliance with data protection rules. The statement also explains the process which must be followed to implement a suppression request (i.e. an individual's stated preference not to be called by the company for marketing purposes) and it provides details of the new centralised 'suppression' unit.
  • Eircom conveyed its sincere apologies to the complainants to my Office for any inconvienence caused to them and it entered the complainants' contact details on its suppression list to prohibit further marketing calls from the company to those individuals.
  • In order to demonstrate its commitment to the protection of individuals' data protection rights and its regret for the issues which gave rise to complaints to my Office, Eircom made a donation of €35,000 to a reputable Irish charity.
  • Finally, following agreement with my Office ·  on the content, Eircom published a statement on its website regarding the protection of customer information. In the statement, among other things, Eircom acknowledged that it had communicated with individuals whose preference to decline marketing contact was not recorded due to a problem with its systems and processes and it expressed regret that these people were contacted when they did not want to be. It also stated that it had identified areas for improvement and had implemented those improvements.

Overall, I am very pleased with the investigation of these complaints and the steps taken by Eircom in response to my Office's intervention. The complainants concerned had good reason to complain to my Office about unsolicited marketing telephone calls which have become, in recent years, an all-too-frequent intrusion into the personal lives of individuals in their homes. Eircom identified the failings in its marketing processes and it did what a responsible data controller should do in similar circumstances -it took effective remedial action. In addition, it responded positively to my Office's efforts to amicably resolve the complaints -the Data Protection Acts make provision for the amicable resolution of complaints in the first instance between the parties concerned - by apologising to the complainants and by making a substantial donation to charity. Furthermore, I am happy to report that since Eircom took the remedial steps outlined above I have received no further complaints of substance regarding its marketing activities.

Case Study 10: Member of staff at Revenue accessing and using personal data of a taxpayer

In January 2007, I received a complaint from a data subject who claimed to have been harassed by the receipt of a large number of anonymous text messages on her mobile phone. Among other things, the text messages referred to various details of personal information related to the data subject and personal information of some of her family members. Prior to referring the matter to my Office, the data subject informed me that she had made a complaint to An Garda Síochána about this matter. She claimed that the Gardaí traced the sender's number to a particular person to whom she had once been introduced very briefly. The data subject alleged that the sender, who was employed by the Revenue Commissioners, had obtained her personal information and that of her family members by accessing personal files held by the Revenue Commissioners.

My Office began an investigation of this complaint by contacting the Revenue Commissioners. We asked that the audit trail of the relevant files of the individuals concerned be examined to determine if they had been accessed by any staff member who did not have a legitimate business reason for doing so.

Following a prolonged examination, the Revenue Commissioners confirmed in June 2007 that it had been ascertained that one of its officers had accessed the records of the data subject and members of her family during the period November 2006 to February 2007, that such access was not part of the officer's official duties and that it would appear that information gained from this access was passed to third parties unknown. The Revenue Commissioners stated that the matter was being dealt with by its Personnel Branch under the Civil Service Disciplinary Code. It went on to state that it was seriously concerned about any instances of unauthorised access by its staff to taxpayer data held on its computer systems and that appropriate disciplinary action had been taken and would continue to be taken in individual cases.


Some time later, the Revenue Commissioners issued a letter to the data subject in which it acknowledged that her records and those of her family had been accessed by one of its officers and that the access was not part of the officer's official duties. The letter sincerely apologised to the data subject for the inappropriate accessing of her records and those of members of her family and it expressed deep regret that this occurred.

I regard this case as a very serious matter. A large amount of personal information is entrusted to the Office of the Revenue Commissioners which has a responsibility to ensure that it is kept safe and secure. A minimum standard of security for such information would include, among other things, that access was restricted to authorised staff on a 'need to know' basis. In this case, it emerged that the staff member who accessed the information had no legitimate business in doing so. That staff member abused a position of trust and proceeded to access and use personal information unlawfully. I will await with keen interest the outcome of the disciplinary proceedings which the Revenue Commissioners have commenced under the Civil Service Disciplinary Code in connection with this matter. 

Case Study 11: Croke Park -Retention of personal data of nearby residents

In July 2006 I received a complaint from a data subject regarding the retention, use and security of personal data collected by Páirc an Chrócaigh Teoranta (Croke Park Stadium).

The complaint came about as a result of a letter which the Stadium Director at Croke Park had issued to residents in the area in relation to the setting up of a database through which the residents would be considered for tickets to some of the events held in Croke Park. In this letter, the Stadium Director stated that he was very conscious of the fact that Croke Park was situated in a residential area and was part of the local community. He pointed out that Croke Park had, in recent years, looked at ways of making some tickets available to the community for different events. It had now decided to introduce a new scheme involving the setting up of a database of people living in the area which would help ensure that tickets, when they were available, went to the right people. In order to be considered for tickets, interested residents were required to complete an application form and submit some form of photo identification, such as a passport or driving licence, as well as a utility bill. The data subject had serious concerns in relation to the type of information which was sought, how it was going to be used and the security surrounding the holding of the data.


My Office contacted Croke Park to raise the issues in the complaint and to make it aware of its obligations under section 2 of the Acts which provides, among other things, that data shall be processed fairly, kept for only one or more specified purpose, kept safe and secure and that it shall be adequate, relevant and not excessive. Croke Park responded in detail in relation to the data protection issues my Office raised and stated that the information would not be disclosed to any third parties and would not be used for any purpose other than to notify residents when tickets would be made available to them. It also informed my Office of the security measures it had in place to keep the data safe and secure. In relation to the extent of some of the personal information sought, Croke Park responded by saying that it had a legitimate concern to ensure that identities and home addresses were verified correctly and it stated that an annual audit would ensure that all out-of-date information was deleted.

My Office remained concerned that the residents were not made aware of how their data would be used by Croke Park and we suggested that this could be done through the inclusion of a data protection notice in the renewal letter which issues to all residents annually. We also had concerns regarding the retention of identity documents and we informed Croke Park that data controllers should not retain copies of personal data such as passports, driving licences and utility bills unless they had a statutory basis for doing so. My Office recommended that the residents be allowed to present their identification in person to Croke Park or alternatively, in relation to documents submitted by post, that Croke Park undertake to return the identification documents uncopied to the residents once verified. Croke Park took my Office's recommendations on board and agreed to amend all future application forms to include a data protection notice. It also agreed to return all copies of identification and utility bills to those residents who had already submitted application forms to Croke Park.

I was satisfied that Croke Park took its responsibilities as a data controller seriously and I was encouraged by the prompt manner in which it addressed the issues raised by my Office by revising its procedures to take into account the data protection rights of the individuals involved.

Increasingly my Office is being informed of circumstances where data controllers retain copies of personal information used for identification purposes. Without a statutory basis for retaining copies of such documents, a data controller has no entitlement to keep a copy on file. There is no impediment to requesting sight of identification documents in order for a data controller to satisfy itself of a data subject's identity and a system for doing this can be put in place without too much effort.

 

Case Study 12: Biometrics in the workplace - need for staff consent

I received a number of complaints from staff employed at a logistics company in relation to the proposed introduction of a biometric system at that company for the purpose of time and attendance. These staff considered that their data protection rights would be infringed by being required to provide their employer with a fingerprint. The use of a biometric system impacts on several data protection principles including proportionality, fair obtaining, accuracy and security of personal data.

My Office commenced its investigation by contacting the company and referring it to the extensive guidelines on our website in relation to biometrics in the workplace. During our investigation, a meeting was held with a representative of the company to discuss the matter. In a privacy impact assessment, the company outlined its reasons for the introduction of the biometric system as health and safety, security, administration and cost effectiveness. It also provided details of the type of biometric system it intended to use - a touch verification system. The system requires a fingertip to be inserted into a reader which converts the fingertip into an encrypted algorithm and then the employee enters their unique pin number onto a pad. The system then stores a numeric sequence on a central database. It was claimed that the numeric sequence cannot be reversed or used for any other purpose except for verification and it is also encrypted.

The company also stated that it had looked into other forms of recording time and attendance and found that the biometric system would be the most efficient and cost effective. It also said that other systems could possibly be open to abuse. It stated that it had, in the past, experienced problems regarding abuse in relation to recording attendance. It also assured my Office that all employees, except for the staff who complained to my Office, had consented to the use of the touch verification system. The company said that it had held information sessions in each of its company branches and that written documentation and training had been given to all employees. Any employees who had objections to the system or wanted more information were also invited to address these with management. It also confirmed that the staff who complained to my Office had not been required to start using the system.

The approach of my Office is to try to understand the circumstances that lead a particular data controller to introduce a biometric system using the personal data of its employees, bearing in mind that the scan of a fingerprint is personal data even if converted into an algorithm. My Office reviewed the privacy impact assessment submitted in this case and the company's responses to our queries. Taking into account the company's cooperation in the matter, it was agreed that the staff concerned should use a pin code system rather than the biometric system for recording time and attendance. This would not give rise to any issues under the Data Protection Acts. Furthermore, these staff would not be required to use the biometric system in the future, without the company first taking the matter up with my Office. On that basis, I was happy to conclude the matter given that the issues raised by the individuals who made the complaints to my Office had been addressed. I was satisfied that the company had not breached the data protection rights of those staff as it had not required them to use the biometric system against their wishes.

 

Case Study 13: Dairygold - Failure to comply in full with an Access Request

In June 2006, I received a complaint from a firm of solicitors acting on behalf of a client regarding alleged non-compliance with a subject access request. The data subject had made an access request to her employer, Dairygold Co-Operative Society Limited/ REOX, in March 2006 but it had not been complied with within the statutory forty day period.

My Office wrote to the data controller and we subsequently received a reply to the effect that the material sought in the access request had now been supplied. However, following examination of the documents received, the solicitor for the data subject communicated further with my Office and identified certain documents omitted by the data controller. Particular reference was made to documents in relation to a workplace accident in which the data subject was involved in October 2004. My Office contacted Dairygold/Reox seeking an explanation for the missing documents. While it responded by providing observations on a number of the missing documents, it also stated that it was obtaining legal advice regarding the release of the documents relating to the workplace accident.

After the exchange of detailed correspondence between my Office, Dairygold/Reox and its legal representatives, an index of all of the personal information which had been released was provided to my Office. In relation to the documents concerning the workplace accident, the solicitors for the data controller confirmed that their client was in possession of both an Internal Accident Report and a Consulting Engineer's Report. It stated that both documents were prepared in contemplation of a personal injury claim and were therefore privileged.


To satisfy ourselves that there was a sound basis for the legal privilege claim in relation to these documents, my Office sought information from the data controller regarding the dates on which the two reports were created. It was confirmed that the Internal Accident Report Form was created in the days immediately following the workplace accident and the Consulting Engineers Report was created some nineteen months later in May 2006. My Office pointed out to the data controller's solicitor that the claim of legal privilege related only to communications between a client and his professional legal advisers or between those advisers and that this provision could not be applied to the internal accident report created shortly after the incident. In light of the information available to my Office, we accepted that the claim of legal privilege could be applied to the Consulting Engineer's Report. The data controller continued, however, to claim legal privilege on both documents. In an attempt to bring closure to this matter, my Office requested a confidential sighting of the Internal Accident Report. Regrettably, the data controller refused to comply with this request and I had no option but to serve an Information Notice requiring that a copy of the Internal Accident Report be furnished to me. The Internal Accident Report was supplied to me in response to the Information Notice. On examining the Report I was satisfied that it contained personal data of the data subject and I was further satisfied that the limited exemptions to the right of access set down in the Acts did not apply to this document. The document also contained some limited personal data of third parties and non personal information which we advised the data controller to redact with the balance to be released voluntarily to the data subject. The Report was subsequently released in accordance with our advice.

There is a tendency for data controllers in some cases to claim non-relevant exemptions under Sections 4 or 5 of the Acts to restrict the right of access. With increased frequency, accident reports in relation to workplace incidents are being withheld with data controllers claiming legal privilege on such reports. I do not accept that legal privilege applies to such reports. It is standard procedure for an accident report to be compiled by an employer in the aftermath of a workplace accident and such reports clearly do not fall into the category of personal data in respect of which a claim of legal privilege could be maintained in a court in relation to communications between a client and his professional legal advisers or between those advisers. Any data controller who is reported to me as having restricted a data subject's right of access to reports of this nature will face an investigation by my Office involving a close scrutiny of the grounds for applying the restriction. I will have no hesitation in using my full enforcement powers to ensure the rights of the data subject are upheld in relation to such cases.

 

Case Study 14: Ryanair - Remedial action taken for customers to unsubscribe from marketing

I received a complaint in September 2007 from a data subject who was finding it difficult to unsubscribe from the receipt of marketing material from Ryanair. She had booked a flight with the airline previously and had opted-in to the receipt of marketing material but she had now changed her mind and wanted to opt-out from Ryanair's marketing database. The data subject sent me copies of some of the marketing material which she had received by email from the company as well as copies of her attempts to unsubscribe by email to Ryanair.

On examining the matter closely, my Office found that Ryanair had provided an opt-out facility at the end of its marketing email messages, as marketers are required to do under Regulation 13(7) of SI 535 of 2003. It invited recipients who wished to unsubscribe to send a blank email to an email address which began with the word 'leave' and which consisted of a string of over seventy characters comprising a varied mix of letters and digits. The data subject, in this case, had failed to unsubscribe as she had not realised that the word 'leave' formed part of the email address. In my view, this was a mistake which could easily be made as the text used in the unsubscribe section of Ryanair's email was not entirely clear and it provided no advice to customers.

Regulation 13(7) of SI 535 also requires marketers to provide customers with an opportunity to object to the receipt of further marketing in an easy manner. My Office asked Ryanair to explain how the provision of such a complex email address could be regarded as an easy manner of unsubscribing from its marketing database. The company, in reply, indicated that normally people 'copy and paste' the email address into a replying email. It also informed my Office that when a customer successfully submits an unsubscribe request, Ryanair sends back an email to the customer asking them to confirm by return email that they wished to unsubscribe. In effect, the company required customers to send two emails in order to unsubscribe. My Office noted that customers were not given any advice to the effect that they should copy and paste the email address in order to successfully submit the original unsubscribe email to the company nor were they advised that they would be required to submit a follow-up confirmation email. In the circumstances, we considered that customers had not been given an opportunity to opt-out in an easy manner and we asked Ryanair to take immediate steps to introduce a more user-friendly and easy unsubscribe facility for all recipients of its email marketing communications.

I am happy to report that Ryanair cooperated fully with my Office's investigation of this complaint and it promptly took on board our concerns regarding the opt-out facility. We subsequently received confirmation from the company that it had simplified the unsubscribe process by providing a link in the marketing email which the customer could simply click on to unsubscribe without the need to enter the long email address. It also removed the requirement for a customer to submit a follow-up email to confirm their wish to unsubscribe. These changes significantly eased the process of unsubscribing from Ryanair's marketing database and I welcome them.


The legitimate marketing of customers through the use of email is a common practice, if somewhat devalued by the sheer volume of such material which individuals receive. It is critical that marketers who use this tool comply fully with the requirements of SI 535 of 2003. This case shows the need for marketers to provide an opt-out facility on each marketing message which is simple and easy to use. It is my firm position that customers should not be required to send more than one email to a marketer in order to unsubscribe from that marketer's database. Any additional requirements placed on customers are unacceptable and contravene Regulation 13(7) of SI 535.

Case Study 15: On-line shoppers receive unsolicited marketing from Tesco

I received complaints from individuals regarding direct marketing emails which they had received from Tesco. In all cases, the complainants had registered for on­line shopping with Tesco. Soon afterwards they began receiving direct marketing emails. Before complaining to my Office the individuals had tried to unsubscribe from Tesco's marketing list by using the 'unsubscribe' facility provided in the marketing email. Despite their attempts to unsubscribe they continued to receive further marketing emails.

The legal requirements concerning the use of electronic mail for directing marketing purposes is set out in SI 535 of 2003. Marketers may send email for direct marketing purposes to an individual subscriber where:

  • a) they have obtained that subscriber's contact details in the course of a sale of a product or service to him/her;
  • b) the direct marketing material they are sending is in respect of their similar products and services;
  • and

  • c) during every communication, the subscriber is given a simple, cost-free means of refusing the use of his/her contact details for marketing purposes.

The 'unsubscribe' facility provided by Tesco to its customers failed in this instance and the individuals concerned continued to receive unwanted marketing material in contravention of the legal requirement.


My Office investigated the matter with Tesco and we sought immediately to have the email addresses of the complainants removed from the company's marketing database. We also asked for an explanation for the failure of the 'unsubscribe' facility. Tesco initially responded by advising that the email addresses of the complainants had been removed from the marketing lists at our request. Despite this assurance, the complainants continued to receive further direct marketing emails from the company. My Office informed Tesco of our disappointment with this turn of events and we stated that these latest breaches demonstrated a serious deficiency in the capacity of the company's marketing system to respect out-out preferences. We asked Tesco to seriously consider steps to amicably resolve the complaints. 

Tesco further investigated the matter and found an issue with one of the methods that customers use to unsubscribe from its marketing emails. It immediately set about fixing the issue and while this was being done it directed customers to visit the website directly to unsubscribe. With regard to the previous assurance given that the individual complainants had been unsubscribed at the request of my Office, Tesco found that an error had been made in the manual process involved in unsubscribing them from the database. It corrected this error immediately. In light of the inconvenience caused, Tesco apologised to the individuals concerned and offered each of them gift vouchers as a goodwill gesture. This was accepted as an amicable resolution of their complaints. I was satisfied with the steps taken by Tesco to resolve this matter to the satisfaction of all concerned.
Marketers have a responsibility to ensure that their systems are continuously capable of unsubscribing those customers who wish to record such a preference in response to the receipt of a marketing email or text message. In that regard, I recommend that regular testing be carried out to ensure that the opt-out facility is functioning without fault. Ideally, such testing should be incorporated as a standard procedure in advance of scheduled marketing campaigns.

 






» Permanent Link