Office of the Data Protection Commissioner concludes its investigation of the data protection issues arising from the sale of Dublin City Council's waste management business to Greyhound Recycling and RecoveryThe Office of the Data Protection Commissioner has concluded its investigation of the data protection issues arising from the sale of Dublin City Council's waste management business to Greyhound Recycling and Recovery (Greyhound).
The investigation focused on: (i) the transfer of customer data from Dublin City Council (DCC) to Greyhound, and (ii) the collection of Dublin City Council customer debts by Greyhound.
(i) The transfer of customer data from DCC to Greyhound.
It is concluded that the core elements of the sale of the business did not breach the Data Protection Acts.
We noted that a notification letter regarding the new service provider was sent to customers of DCC in the first half of January 2012. The notification letter to customers should have taken place at a much earlier stage. By notifying customers of their new service provider simultaneous to the completion of the sale but after the data transfer had occurred, it is not possible for this Office to come to the view that the "fair processing" requirements of the Data Protection Acts, 1988 & 2003 were fully met by DCC in this instance.
DCC have agreed, in light of this experience, that in the event that any similar situation arises in the future, it will seek to comply with all relevant published Office of the Data Protection Commissioner guidance in relation to such matters in being at that time unless it obtains confirmation from this Office that compliance does not arise in a particular circumstance.
(ii) The collection of Dublin City Council customer debts by Greyhound.
No transfer of personal data from DCC to Greyhound in respect of the collection of DCC customer debts has taken place. This was confirmed by this Office by way of an unannounced inspection at the premises of Greyhound and its agents on 26 January 2012. This inspection confirmed that only name, address and whether a household was entitled to a waiver was transferred to Greyhound.
We have agreed with DCC and Greyhound that the customers of DCC and the customers of Greyhound must be assured that robust controls are in place at Greyhound to guard against any possibility of the cross pollination of debt collection information handled on behalf of DCC with personal data handled by Greyhound in the normal course of its waste collection activities. Accordingly, the following undertakings are agreed before any debt collection data is transferred from DCC:
- Staff at Greyhound or its agents who handle personal data in the context of debt collection for DCC will not have access to any personal data held in the context of Greyhound's waste collection business, and vice versa.
- The debt collection database held on behalf of DCC by Greyhound and/or its agent to be separate and distinct from all other aspects of Greyhound's waste collection business. All access and use of the personal data held on behalf of DCC to be auditable and verifiable via specific usernames and passwords.
- An audit procedure to be put in place by DCC to ensure that Greyhound, as a data processor on behalf of DCC, is fully compliant with all aspects of its data protection responsibilities as a data processor. An initial audit will take place within six months of the commencement of the debt collection function. The terms of the audit to be agreed with this Office. This audit will be conducted by a competent third party auditor to be agreed with this Office. Further audits will be scheduled on an annual basis (for so long as Greyhound are acting as a data processor on behalf of DCC in relation to customer debt collection in respect of outstanding waste collection charges). This Office will be supplied with a copy of each audit report.