Data Protection Commissioner
Data Protection Commissioner

Case Studies 2008

Case study 1: HSE West and a consultant ophthalmic surgeon breach the Acts
 
Case study 2: Disclosure of email addresses by a financial institution 

Case study 3: A marketing campaign sets up personalised website addresses and breaches the Acts 

Case study 4: Interactive Voice Technologies and unsolicited text messages 

Case study 5: Unfounded complaint about unsolicited marketing text messages 

Case study 6: Total Fitness Ireland and legal powers used to ensure compliance with an access request 

Case study 7: Opt-In to subscription service text messages found following investigation 

Case study 8: BuyAsYouFly and a failure to respect opt-outs from direct marketing by email 

Case study 9: An access request and a successful claim of legal privilege by a Data Controller 

Case study 10: An employer attempts to use CCTV for disciplinary purposes 

Case study 11: Marketing telephone calls to numbers on the NDD Opt-Out Register 

Case study 12: Credit unions transmitting personal data via unsecured e-mails 

Case Study 13: Retention of personal data provided online 

Case study 14: Credit union commits several breaches by failing to update a member's address record 

Case study 15: Tesco and the resale of an Apple ipod containing a customer's personal data 

Case study 16: Failure to properly safeguard a staff member's medical certificate 

Case study 17: A web design company is requested to delete a marketing database 

Case study 18: A civil summons is served on the wrong person 

Case study 19: Personal data is disclosed in a letter 

Case study 20: Dell and persistent unsolicited marketing faxes 

Case study 21: Access is wrongly denied in respect of an accident report


Case study 1: HSE West and a consultant ophthalmic surgeon breach the Acts

I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller.  The data subject was involved in an insurance action with a third party in relation to an eye injury.  The third party's insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in Limerick.  The consultant was also a consultant ophthalmic surgeon at the Mid-Western Regional Hospital in Limerick.  The data subject had previously attended another consultant ophthalmic surgeon at the Mid-Western Regional Hospital as a public patient in relation to his eye injury.

The complaint was two fold.  The first aspect related to the alleged release of the data subject's hospital chart by the Mid-Western Regional Hospital to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice.  It was alleged that this took place without the data subject's consent.  The second aspect of the complaint related to the alleged unfair obtaining of the data subject's hospital chart by the consultant ophthalmic surgeon.
 
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted 'sensitive personal data' as defined in the Acts.  The central issue to be considered in this case, from a data protection point of view, was whether the HSE West, Mid-Western Regional Hospital complied in full with its obligations under the Acts.

Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data.  I was satisfied that no data protection issues arose in relation to sections 2(1)(a),(b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the Mid-Western Regional Hospital's collection, processing, keeping and use of the data subject's sensitive personal data.  However, the disclosure of the data subject's medical chart to the consultant ophthalmic surgeon had to be considered in the context of section 2(1)(c)(ii) of the Act.  This section provides that personal data should not be further processed in a manner incompatible with the purpose for which it was collected.  It was clear from my Office's investigation that the consultant ophthalmic surgeon's secretary at his private rooms contacted his secretary at the Mid-Western Regional Hospital to locate the data subject's medical records relating to his eye condition.  Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon's private surgery.

In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon's work within the HSE West, Mid-Western Regional Hospital as an employee of that hospital and his work carried out privately on behalf of an insurance company.  The hospital's disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the HSE West, Mid-Western Regional Hospital) to another (the consultant surgeon's private surgery).  It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject's medical record from the hospital in his capacity as a separate data controller.  In this instance he was not acting in his capacity as an employee of the HSE.

The medical record at the Mid-Western Regional Hospital in respect of the data subject was compiled in the course of his treatment for an eye condition.  This was a specific, explicit and legitimate purpose.  Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data.  The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject's eye condition on behalf of an insurance company to facilitate their processing of an insurance claim.  The processing of an insurance claim related to the data subject's eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the Mid-Western Regional Hospital.

There was also an obligation to meet the conditions set out in Section 2A of the Acts.  These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:

· the performance of a contract to which the data subject is a party;
· in order to take steps at the request of the data subject prior to entering into a contract;
· compliance with a legal obligation, other than that imposed by contract;
· to prevent injury or other damage to the health of the data subject;
· to prevent serious loss or damage to property of the data subject;
· to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the performance of any other function of a public nature performed in the public interest; or
· for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject. 

In this case, the data subject did not give his consent to the Mid-Western Regional Hospital for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon.  In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above.  In this instance, the hospital did not meet any of those conditions. 

To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
- the data subject must give explicit consent to the processing or
- the processing must be necessary for one of the following reasons:
· for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
· to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
· it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
· the information being processed has been made public as a result of steps deliberately taken by the data subject;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
· for medical purposes;
· for the purposes of political parties or candidates for election in the context of an election;
· for the assessment or payment of a tax liability; or
· in relation to the administration of a Social Welfare scheme. 

As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the Mid-Western Regional Hospital to the consultant surgeon.  There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed.  In this instance, the Mid-Western Regional Hospital did not meet any of those conditions.

I formed the opinion that the HSE West, Mid-Western Regional Hospital contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject's sensitive personal data in a manner which was incompatible with the purpose for which it was obtained.  This processing occurred when the consultant surgeon's secretary at the Mid-Western Regional Hospital disclosed the data subject's hospital medical file to his private practice secretary.  In response to this incident the HSE West put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held.  I welcome this.

I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the Mid-Western Regional Hospital.

In light of my previous decision which found a number of contraventions of the Acts by the HSE West, it followed that the consultant surgeon unfairly obtained the data subject's hospital file.  However, it was also clear that this was done unintentionally and in good faith.

I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split).  This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems.  However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company).  Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts.  These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data. 
 

Case study 2: Disclosure of email addresses by a financial institution

In April 2008, I received a complaint from a data subject whose email address had been disclosed by a financial institution.  The disclosure took place when the financial institution issued an email to 114 individuals with the email addresses of each of them visible to all recipients.

The background to this incident was that the data subject received several phishing emails.  Having consulted the relevant financial institution's website, he reported the matter using an email address provided by the financial institution for that purpose.  Generally, phishing emails concerning banking services give the impression that they have been issued by a bank.  They often request the recipient to log-on to their online banking service to confirm their security details by clicking the link in the email.  If a person clicks on that link they are routed to a 'spoof' site which looks like the bank's online service.  The intention of the fraudster is that the recipient will be fooled into disclosing their confidential details to the 'spoof' site.

The matter of the disclosure of the data subject's email address was raised by my Office with the financial institution.  It explained that when an email is received by the team which handles reported instances of phishing a standard response is sent advising the user of additional precautions to take and providing related information.  However, on a particular weekend in April 2008, an unprecedented number of emails were sent to the phishing alert email address.  To respond to each email a business decision was made to send a single response to all customers using the "bcc" (blind copy) option in e-mail, which would have hidden all email addresses from the recipients. This bulk email failed because it was too large.  To make the email more manageable for the mailbox, the user list was broken down into different outgoing emails.  Due to a manual error, one of the emails was sent to 114 people using the "cc" option rather than the "bcc" option.  This resulted in all 114 email addresses being visible to all recipients of the email.

The financial institution subsequently issued an email to the affected users to advise them of the incident and to apologise for the error.  I am satisfied that the financial institution took prompt action to inform the affected parties that their email addresses had been disclosed.  However, it is unfortunate that this disclosure occurred in the context of an email alert system that was established to prevent phishing.

All data controllers should take note of this incident and take steps to ensure that email addresses are not disclosed inadvertently.  In particular, where an email is sent to a number of individuals it should be transmitted using the blind copy ('bcc') option in all situations which warrant it.  It is the duty of data controllers to raise awareness amongst their employees about this issue and to foster a greater degree of care and responsibility in relation to the protection of personal data in the form of email addresses.  However, I have some sympathy for data controllers where genuine mistakes occur in this area.
 

Case study 3: A marketing campaign sets up personalised website addresses and breaches the Acts

During the summer of 2008 I received three complaints from data subjects concerning a marketing postcard campaign launched by 123.ie to promote its home insurance product.  The complainants had no previous business dealings with 123.ie and they expressed surprise at receiving personally addressed marketing mail from this source.  An unusual aspect of this marketing campaign involved the creation of personalised URLs (website addresses).  Each postcard included details of a personalised URL set up in the name of the recipient.  When the recipients logged-on to their personalised website address they were invited to input their email address details and phone numbers.

The establishment of URLs using people's names without obtaining their consent was a concern from a data protection perspective.  In addition, there was no evidence that 123.ie had made any attempt to comply with the 'fair processing' requirements set out in section 2D of the Data Protection Acts.  For that reason, my Office informed 123.ie that the establishment of personalised website addresses (or URLs) in this manner was a breach of the Acts.  Printing the URL on a postcard and distributing it in the postal system was a disclosure of personal information and a further breach of the Acts.  Furthermore, the collection of email addresses and phone numbers when the recipient logged on to the URL failed to meet the requirements of fair processing because no information was provided to those individuals about the purposes of collecting the information.

On receiving the complaints my Office immediately contacted 123.ie requesting that it disable the relevant personalised URLs.  123.ie cooperated with my Office on this matter and reverted without delay confirming that the URLs relating to each complainant had been disabled.

At the request of my Office 123.ie confirmed that:
· it would not undertake such a campaign again;
· that it had not used and would not use any of the information obtained from potential customers as a result of this campaign; and
· that it had disabled all URLs which incorporated individual names relating to this campaign. 

Prior to my Office's receipt of the individual complaints referred to above, 123.ie informed my Office that it had discovered that minors had been targeted in its postcard campaign in error.  123.ie informed us that it worked with a creative agency (New Oceans) and a data agency (Data Ireland) in the execution of its postcard campaign.  Data Ireland is a subsidiary of An Post.  It subsequently emerged that the names and addresses of the minors targeted during this postcard campaign were originally drawn from the An Post Movers file.  My Office is actively communicating with An Post on this matter to ensure that further breaches of the Acts do not occur in relation to the use of databases held by An Post and in particular where those databases contain the details of minors.  My Office views the inappropriate use of the personal data of children as a particularly serious breach of the Data Protection Acts.  .


Case study 4: Interactive Voice Technologies and unsolicited text messages

During the latter half of 2006 a mobile phone service provider informed me of the receipt of a number of unsolicited premium rate text messages by two of its customers relating to adult content subscription services.  The messages were sent by Interactive Voice Technologies (IVT) and one of the recipients was a minor.  Both recipients denied that they were existing or previous customers of IVT and they stated that they did not consent to receiving any of the messages.  

When my Office investigated this matter, it was found that both mobile phone numbers had been recycled (this is the industry term to describe the re-use of a mobile number when it has been out of use for a period of time, usually one year).  The numbers were allocated to the new users when they opened their mobile phone accounts.  It was the new users who received the unsolicited text messages.  We were told by IVT that both mobile numbers had entered its database when the original owners (before recycling) had subscribed to its service.  Due to a technical error its systems did not detect that the numbers were recycled, resulting in both new users receiving content when the numbers were reactivated.

My Office communicated my concerns to IVT that its systems did not appear to be sufficiently robust to prevent adult content material being sent inadvertently to a recycled number.  Furthermore, since neither individual could have legitimately consented to receiving the text messages, I considered that the messages were unsolicited for the purposes of direct marketing and in direct contravention of Regulation 13 of Statutory Instrument 535 of 2003.  IVT argued that it was not its intention to send messages to the new users because, as far as its systems were concerned, it was still providing a service to the original customers.

My Office advised IVT, as the data controller, that it would have to take immediate corrective action to satisfy me that it was taking its data protection responsibilities seriously.  I encouraged IVT to consider settling this matter by way of an amicable resolution.  This was an appropriate solution for a company that has proved compliant with data protection requirements in all other respects.  The company, having considered the matter, agreed to refund the charges incurred by both individuals in respect of the premium rate text messages and to offer their written apologies to both individuals.  As a gesture of goodwill, IVT agreed to purchase two kidney dialysis machines for donation to Temple Street Children's' Hospital at a cost of over €27,000.

Given the issues surrounding the sending of adult content messages to recycled mobile phone numbers (including to the phone number of a minor) we referred these to the Communications Regulator(ComReg) for examination.  I was subsequently advised by ComReg that it had been decided to extend the quarantine period for recycled numbers from six months to twelve months.  Comreg also decided to request mobile network operators to advise service providers using their networks when a mobile phone number was placed in quarantine.

This case demonstrates the high risk associated with sending of marketing messages or premium rate services to mobile phone numbers which have been recycled.  It is unacceptable that extra steps were not taken to ensure that adult content was not being sent to the mobile phone of a minor.  Those engaged in the sending and promotion of adult content to mobile phones should take note of this case and ensure they take appropriate measures to comply, not only with their data protection obligations, but also with their obligations under other legislation.  On an overall basis, I welcome the constructive approach to this issue and the amicable resolution.  This is a good indicator of how seriously IVT took this issue.
 
Case study 5: Unfounded complaint about unsolicited marketing text messages

My Office received a complaint from a data subject about text messages that she had received to her mobile broadband modem.  The data subject first found out about the text messages when she received her mobile broadband bill.  Over a two month period she had incurred charges amounting to hundreds of euro for premium rate text messages.

My Office investigated the complaint on the basis of the data subject's allegation that the messages were unsolicited.  On investigating the complaint, my Office found that the data subject's broadband bill showed that she had been charged for premium rate text messages by four separate data controllers.  It was then established with the data subject's mobile network provider that her mobile broadband modem was capable of sending and receiving text messages.  It confirmed that this was technically possible and that mobile broadband modems have SIM cards with mobile phone numbers assigned to them.

My Office then contacted the relevant data controllers to find out where they had sourced the data subject's mobile number and whether they had obtained appropriate consent to send her the text messages.  Each of the data controllers responded promptly with full details of all messages sent to, and received from, the data subject's mobile number.  These responses indicated that the communications had been initiated from the data subject's mobile number.  My Office then compared these details with the data subject's broadband bill which confirmed the data controllers' version of events.  Following a detailed examination of the case and taking account of the material submitted by all four data controllers, I was satisfied that the text messages were not unsolicited and that no contraventions of SI 535 of 2003 had occurred.  It became apparent that a member of the data subject's household had subscribed to the relevant services using the data subject's mobile broadband modem without her knowledge.  This was not the fault of the data controllers.

Similar situations arise quite often in regard to complaints to my Office about subscriptions to phone services.  It is not uncommon to find that another member of the complainant's household, such as a child or spouse, has used the mobile phone of the complainant without their knowledge to subscribe to various services. 
 
Case study 6: Total Fitness Ireland and legal powers used to ensure compliance with an access request

In December 2007 I received a complaint from a data subject regarding a refusal by Total Fitness Ireland to comply with his access request.  One day after the submission of his access request, Total Fitness Ireland informed the data subject in an email that it was not prepared to give him access to  records related to his membership. .  However, it did not claim any of the limited exemptions to the right of access under the Data Protection Acts.  Where a data controller refuses to comply with an access request it must notify the data subject and explain the reasons for refusal in accordance with the exemptions in the Acts.  The data controller must also inform the data subject that they may complain to the Data Protection Commissioner about the refusal.

My Office commenced an investigation of the complaint by writing to Total Fitness Ireland.  However, Total Fitness Ireland failed to respond to any of our letters, emails or phone calls.  In effect, it failed to cooperate with my statutory investigation.  For this reason I served an Enforcement Notice on Total Fitness Ireland in March 2008 pursuant to section 10 of the Acts.  The Enforcement Notice was served on the basis that I believed that Total Fitness Ireland had not complied with an access request and was therefore in contravention of Section 4 (1) of the Acts.  An Enforcement Notice is a legal notice that must either be complied with within twenty one days or be appealed to the Circuit Court.  Failure to comply with an Enforcement Notice is an offence liable to a fine on summary conviction in the District Court of €3,000.  Total Fitness Ireland was required to comply with the terms of the Enforcement Notice by providing the data subject with a copy of all of the personal data that he sought, subject to any exemptions which it could legitimately claim under the Acts.

Total Fitness Ireland responded to the Enforcement Notice by informing my Office that the file records which it held in regard to the data subject related only to his health club membership.  Copies of these records were given to him on the date he commenced his membership and when he subsequently renewed it.  In response, my Office told Total Fitness Ireland that we were aware, on the basis of information supplied to us by the data subject, that it held other information relating to the data subject in respect of comments and complaints made by him.  My Office also pointed out to Total Fitness Ireland that the issue of whether the data subject was already in possession of copies of his health club membership records was not relevant to their compliance with the access request.  We clarified that copies would have to be provided to him in response to his access request.

My Office subsequently received a letter from Total Fitness Ireland concerning the Enforcement Notice.  In this letter, Total Fitness Ireland challenged the statement in the Enforcement Notice that it was in breach of section 4(1) of the Data Protection Acts.  Among other things, Total Fitness Ireland stated that there was no valid access request from the data subject because it claimed that the data subject had made his request verbally and not in writing as required by the Acts.  Total Fitness Ireland also claimed that a copy of the data subject's file was made available to him in response to his verbal request.  The file contained a copy of the data subject's agreement with Total Fitness Ireland and correspondence related to the renewal of his membership.  This was all the personal data it held relating to the data subject.  On this basis, Total Fitness Ireland sought the cancellation of the Enforcement Notice.

My Office contacted the data subject who confirmed that he had submitted his access request in writing by registered post to Total Fitness Ireland.  The data subject had also received from Total Fitness Ireland a scanned copy of his access request as an attachment to the initial email which it had sent to him refusing him access to his data.  In view of this my Office told Total Fitness Ireland that I would not cancel the Enforcement Notice.

I considered that the situation that had arisen was unacceptable.  I instructed two of my authorised officers, using the powers conferred on them by Section 24 of the Data Protection Acts, to visit the premises of Total Fitness Ireland in Castleknock.  Total Fitness Ireland cooperated with the inspection.  My authorised officers found a copy of the data subject's written access request as well as a significant amount of personal data relating to the data subject.  None of this data had been supplied to him.

On the basis of the inspection, my Office informed Total Fitness Ireland's solicitors that we were completely satisfied that their client had breached both sections 4(1) and 4(7) of the Acts concerning the data subject's access request.  Their client had also committed an offence by failing to comply with an Enforcement Notice.  The Acts mandate me, in certain circumstances, to try to reach an amicable resolution to a complaint.  Soon afterwards, an amicable resolution was achieved.  Total Fitness Ireland provided the data subject with copies of all the personal data it held relating to him.  The company apologised to the data subject for failing to provide the personal data on time and for the inconvenience caused to him as a result.  As a gesture of goodwill, Total Fitness Ireland donated a sum of €300 to a charity of the data subject's choice.

I was satisfied with the overall outcome of this complaint.  However, it is unacceptable that a data controller would ignore correspondence and phone calls from my Office in the course of the investigation of a complaint.  I use my legal powers sparingly but, in this case, I felt it necessary to use two separate legal powers in an effort to uphold the rights of the data subject.  Had this access request been handled correctly by the data controller, the matter could have been resolved within a short time.  In the course of their inspection my authorised officers found that the personal data was readily available on the computer of the data controller.  It could easily have been copied and prepared for issue to the data subject with less than one hour's work.  Instead, for reasons that I believe related to unhappiness about a customer service complaint, the data controller chose to refuse the request and to show disregard for my Office's investigation.  I will not accept this attitude from any data controller.  Thankfully, I do not encounter such attitudes on a regular basis.  However, as this case demonstrates, I will use my legal powers without hesitation if it is necessary for the investigation of a valid complaint to my Office.
 
Case study 7: Opt-In to subscription service text messages found following investigation

In April 2008 I received a complaint from a data subject that she had received and had incurred charges related to subscription service text messages.  The data subject received two text messages from a company on different dates early in April 2008.  In her complaint to my Office, the data subject claimed to have no knowledge of opting-in to the receipt of text messages from the company.

Under Regulation 13(1)(b) of SI 535 of 2003 a person is prohibited from sending direct marketing text messages to a subscriber unless the subscriber has consented to the receipt of such communications.  On the basis of the complainant's allegation that the text messages were unsolicited, I commenced an investigation of the complaint.

During the investigation my Office established that the company had obtained the data subject's mobile phone number when it was entered into one of its websites for a chance to win free flights.  After the number was input into the website, a text message was sent to the mobile phone number that included a pin number.  That pin number was then entered into the website to verify the subscription.  Information published on the website indicated that the service was a subscription service and it outlined the cost and frequency of the subscription element.  It also gave clear instructions on how to unsubscribe from the service. 

I was satisfied that the company had clearly indicated on its website that the service was a subscription service for which charges would be incurred.  It provided sufficient information to my Office to verify that the mobile phone number had been opted-in to receive subscription service messages.  I was satisfied that the data subject had not received unsolicited marketing text messages but that she had legitimately received subscription service text messages on foot of opting-in to a service via a website.  I was also satisfied that the company had put in place appropriate procedures to ensure that numbers entered on the website were validly entered.  I do not accept claims of valid consent based solely on the fact that a number was collected after it was typed on a website.  That does not constitute a valid consent.  In this case, the individual receives a subsequent text message to which they must respond and actively opt-in, thus removing any doubt about the validity of the consent.

This case study is a clear reminder that data subjects need to pay greater attention to information that is made available to them in relation to entering services, competitions, etc., particularly on websites.  In this case the data controller provided comprehensive information on its website in relation to the service that the data subject chose to enter.  Yet, when the data subject began to receive text messages in respect of the service over the following few days, she claimed to have no knowledge of opting-in to the service.  In light of our investigation, there were no grounds for upholding her complaint against the data controller.


Case study 8: BuyAsYouFly and a failure to respect opt-outs from direct marketing by email

I received a complaint from a data subject regarding direct marketing emails she had received from BuyAsYouFly.com.  The complainant provided my Office with copies of several of the marketing emails that she had received from the company as well as copies of her attempts to unsubscribe.  It was clear from an initial examination of this material that she had followed the 'opt out' instructions contained in the emails but, in spite of that, she continued to receive the unwanted emails.  I was  particularly concerned about the number and frequency of emails that she continued to receive after her efforts to unsubscribe.  On examination of the complaint, it appeared that the company was committing offences by failing to record the opt-out preference of the complainant and by continuing to send the complainant direct marketing emails, contrary to the provisions of S.I. 535 of 2003.

My Office commenced an investigation of this matter.  We requested that BuyAsYouFly immediately delete the complainant's email address from its marketing database.  We also sought an explanation as to why her unsubscribe requests were not respected by the company.

BuyAsYouFly responded by advising that it had suffered a serious systems error which resulted in loss of data.  As a result the company unintentionally continued to use an older version of its database.  The company removed the complainant's email address from its database and it agreed to suspend outbound emails until its unsubscribe lists were fully reconciled with the database.  It conveyed an apology to the complainant and, as a gesture of goodwill, it offered the complainant a gift to the value of €100 from its online shop.  This was accepted by the complainant as an amicable resolution of her complaint.

I was satisfied with the corrective measures taken by BuyAsYouFly to resolve this complaint and to prevent any recurrence.  This case highlights the obligations imposed on marketers to ensure that they respect the preferences of the general public who do not wish to receive marketing communications.  This is even more important when the person makes efforts to refuse the receipt of further communications.


Case study 9: An access request and a successful claim of legal privilege by a Data Controller

In May 2007 I received a complaint from a solicitor acting on behalf of a client regarding the alleged failure of a data controller to respond to an access request.  The solicitor had submitted an access request on behalf of his client to her former employer in February 2007.  The data controller failed to respond to the access request within the statutory forty-day period.

My Office commenced an investigation by writing to the data controller about the complaint.  We received a reply from the data controller's solicitor confirming that a response had issued to the access request.  The reply included a number of documents containing personal data.  However, the data controller's solicitor informed my Office that their client was claiming privilege in respect of two specific documents and was therefore not releasing them.  These documents were a handwritten account by the store manager of the data subject's period of employment with the data controller and a handwritten account by the store manager relating to the data subject's alleged personal injuries suffered as a result of a workplace accident in July 2006.  The solicitors for the data controller informed my Office that both documents were created by their client for the benefit of legal advisers and in anticipation of litigation following receipt of two solicitor's letters on behalf of the data subject.

There are some very limited exemptions within the Data Protection Acts to a data subject's right of access.  These are set out in Sections 4 and 5 of the Acts.  One of the restrictions to the right of access is set out in Section 5(1)(g).  This states:-

Section 4 of this Act does not apply to personal data in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers.

The data subject's solicitor subsequently informed my Office of his dissatisfaction with the data controller's claim of privilege.  It was necessary for my Office to be satisfied that the data controller's claim of privilege in relation to these documents was properly founded.  For that purpose I requested the data controller to confirm to my Office the date(s) on which the documents were created and the purpose or purposes for which the documents were created.  In response, we were informed that the relevant documents were created on two separate dates in the second half of February 2007 after the data controller received letters dated 6 February, 2007 from solicitors for the data subject.  The data controller's solicitors informed my Office that the letters from the data subject's solicitors had intimated personal injuries and employment claims on behalf of the data subject.

The claim of legal privilege under the Acts relates only to communications between a client and his professional legal advisers or between those advisers.  The date of creation of the documents, on which the data controller was claiming privilege, when compared with the dates of its receipt of communications from the data subject's solicitors, satisfied my Office about the purpose of these documents.  We accepted that the claim of legal privilege could be applied to both documents as it fell into the category of a communication between a client and his professional legal advisers.

There are limited exemptions under the Acts to a data subject's right of access. When a data controller claims an exemption, my Office may request additional information from the data controller to be satisfied that the withholding of the documentation is properly founded.  Such matters are dealt with by my Office on a case by case basis.
 

Case study 10: An employer attempts to use CCTV for disciplinary purposes

In February 2008 I received complaints from two employees of the same company regarding their employer's intention to use CCTV recordings for disciplinary purposes. 

In this case, the employer had used CCTV images to compile a log that recorded the employees' pattern of entry and exit from their place of work.  The employer then notified a trade union representative that this log would be used at a disciplinary meeting.  It also supplied a copy of the log to the union representative.  The employer sent letters to each employee requesting that they attend a disciplinary meeting to discuss potential irregularities in their attendance.  The letters indicated that this was a very serious matter of potential gross misconduct and that it could result in disciplinary action, up to and including dismissal.

The employees immediately lodged complaints with my Office.  They stated that they had never been informed of the purpose of the CCTV cameras on the campus where they were employed.  They pointed out that there were no signs visible about the operation of CCTV.  On receipt of the complaints, my Office contacted the employer and we outlined the data protection implications of using CCTV footage without having an appropriate basis for doing so.  We informed the company that, to satisfy the fair obtaining principle of the Data Protection Acts with regard to the use of CCTV cameras, those people whose images are captured on camera must be informed about the identity of the data controller and the purpose(s) of processing the data.  This can be achieved by placing easily read signs in prominent positions.  A sign at all entrances will normally suffice.  If an employer intends to use cameras to identify disciplinary (or other) issues relating to staff, as in this instance, staff must be informed of this before the cameras are used for these purposes.
 
The employer accepted the views of my Office.  It informed the two employees that it was not in a position to pursue the matter of potential irregularities in attendance as it could not rely on CCTV evidence obtained in contravention of the Data Protection Acts.
 
This case demonstrates how data controllers are tempted to use personal information captured on CCTV systems for a whole range of purposes.  Many businesses have justifiable reasons, related to security, for the deployment of CCTV systems on their premises.  However, any further use of personal data captured in this way is unlawful under the Data Protection Acts unless the data controller has made it known at the time of recording that images captured may be used for those additional purposes.  Transparency and proportionality are the key points to be considered by any data controller before they install a CCTV system.  Proportionality is an important factor in this respect since the proposed use must be justifiable and reasonable if it is not to breach the Data Protection Acts.  Notification of all proposed uses will not be enough if such uses are not justifiable.

Substantial guidance is available on our website in relation to the use of CCTV in a business or in a workplace.  I would encourage all data controllers, particularly those who may already have such recording systems in place, to familiarise themselves with our guidance on this important issue.
 

Case study 11: Marketing telephone calls to numbers on the NDD Opt-Out Register

The marketing activities of Celtic Water Solutions came to the attention of my Office in January 2008.  I received complaints from two individuals who received marketing telephone calls from Celtic Water Solutions even though they had registered their preferences not to receive marketing calls on the National Directory Database (NDD) opt-out register.  This is the register of all the phone and fax numbers that have been opted out of receiving marketing calls or faxes.

When my Office investigated the matter it found that the data controller was unaware of its obligations in relation to the NDD opt-out register.  However, ignorance of the law is no excuse for breaching it.  All data controllers have a responsibility to ensure that they are aware of and compliant with all of their data protection obligations.

My Office ordered the company to cease all telemarketing activities with immediate effect and not to resume such activities until such time as it was in a position to comply with preferences recorded on the NDD opt-out register.  We also sought an undertaking from the company that all future marketing calls would comply with the requirements of the law with regard to the NDD opt-out register.  The company complied immediately and it ceased all telemarketing activity.  It also wrote letters of apology to the complainants and it made a goodwill gesture in the form of gift tokens to each complainant.  The complainants accepted the letters of apology and the goodwill gesture as an amicable resolution of their complaints to my Office.

I welcome the swift remedial action taken by the company in response to these complaints.  I note in particular that the issues were resolved to the satisfaction of the complainants within a relatively short period of four weeks following the receipt of the complaints by my Office.


Case study 12: Credit unions transmitting personal data via unsecured e-mails

I received complaints from two individuals concerning e-mails they had received from two credit unions confirming details about online access to their accounts.

My Office contacted both credit unions for their views on the matter.  It transpired that both credit unions were using the same third party vendor to supply their online account facilities.

When a customer registered to use the online facility, they received a confirmation e-mail that contained details about their account, including username, account number and password.  A separate letter was sent to their home giving them a PIN number which would allow them to get online access to their credit union account.

Section 2 (1) (d) of the Acts requires that adequate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network.  My Office entered into discussions with the third party vendor to address this issue.

The vendor's initial concern was that when people registered, they would not remember their account details when they went to log on to the system at a future date and for this reason they were e-mailing the account details to the customers. As a solution, my Office proposed that when a customer was registering they should be encouraged to print off or otherwise record the details.  This would eliminate the need to have confidential information transmitted to them via an unsecured e-mail.

The third party vendor agreed to change its systems to reflect this and to inform all of its clients that it was changing its systems for security reasons.

My Office was also concerned that one of the credit unions was using a free web-based e-mail service as a method of communicating with its customers.  My Office took the view that this mode of communication was not adequately secure because the data controller could not adequately control access to the contents of such an e-mail account.  The data controller had no record of access to the e-mails, even within their own organisation.  My Office instructed the credit union concerned to stop using the free web-based e-mail account as a method of contacting customers.  The credit union responded promptly and it changed its email to a more secure system.

This case highlights the need for all data controllers to be aware of the need for appropriate security when processing personal data.  If there is a weakness in security, the matter needs to be addressed and a more secure method of providing the service must be established.  Although I understand that the purpose of credit unions is to provide services to the community in a cost effective manner, this does not in any way exempt them from ensuring that appropriate steps are taken to protect customer data.


Case Study 13: Retention of personal data provided online

In January 2008, I received a complaint from a data subject in relation to the retention of his personal data by Ticketmaster.  The data subject had provided his credit card details and his email address to Ticketmaster for the purpose of a particular transaction in 2006.  However, in October 2007 and January 2008 he received emails from Ticketmaster regarding the cancellation of a concert for which he had not purchased a ticket.  The data subject was concerned that his personal data had been retained by Ticketmaster for such a long time.  He asked Ticketmaster to remove his details from its database and, at the same time, he complained to my Office.

On receipt of the complaint, my Office commenced an investigation into the matter.  Ticketmaster holds an extensive amount of personal data including credit card details.  At the outset we were concerned that the organisation might not have appropriate procedures in place for deleting personal data when no longer required for the purpose for which it was given.  A subsequent response from Ticketmaster stated that the emails sent to the data subject were customer service emails regarding the cancellation of an event rather than marketing emails.  I accepted this.  It explained that the first email was sent in error and that the purpose of the second email was to inform the recipient that the previous email had been sent in error and that he should ignore or delete it if he had not purchased tickets to the event in question.  Ticketmaster informed us that steps had been put in place to ensure that such an error would not occur again and it wrote to the data subject to confirm that it had deleted all of his personal data from its records in accordance with his request.  

In the course of the investigation my Office requested a copy of Ticketmaster's data retention policy and highlighted issues in relation to the privacy policy statement on its website.  Having reviewed Ticketmaster's privacy policy we found that it referred to UK data protection legislation and made no reference to Irish data protection legislation.  As Ticketmaster is registered in Ireland, we considered it appropriate that a data protection notice relevant to Ireland should be published on its website. 

In its response, Ticketmaster provided my Office with a detailed account of the type of personal data it collects, the purposes for which it is used and the retention policy for such data.  In relation to its privacy policy statement lacking a data protection notice for Irish customers, Ticketmaster indicated that the omission was an oversight on its part and it supplied my Office with a copy of a draft privacy policy statement for Irish customers.  Ticketmaster also informed my Office that it only sends performer alert emails to customers who have previously bought tickets and that such emails are only sent in respect of "similar products or services" as they notify customers of future performances by artists for whom they had previously bought tickets.  It also pointed out that Ticketmaster offers the customer in each message an easy and free opt-out from receiving future messages.  My Office was still concerned about the length of time Ticketmaster retained personal data such as credit card details.  Ticketmaster informed my Office that it retained personal data for sixteen months.  However, my Office considered that twelve months was a more appropriate retention period and it advised that, if there was no activity on a customer's account during that time, all details should be deleted.  In relation to the storage of customers' credit card details, we advised that it would be more appropriate for customers to opt in to have their details retained rather than the existing practice of requiring a customer to uncheck a box when he or she purchases a ticket.  Ticketmaster agreed to implement my Office's recommendations.

I am satisfied that Ticketmaster takes its data protection responsibilities seriously and I was encouraged by the cooperative manner in which it addressed the issues and implemented my Office's recommendations. 

It is important that data controllers who process personal data via websites are fully aware of their obligations in relation to personal data.  Websites with customer interfaces should clearly outline to potential customers how their personal data will be processed in future and for how long it will be retained.  No data subject should be surprised to find that their personal data continues to be processed long after initially inputting their information on a data controller's website. 


Case study 14: Credit union commits several breaches by failing to update a member's address record.

In March 2008 I received an unusual and complex complaint against Halston Street Credit Union.  The Credit Union had sent correspondence for the complainant's ex-wife to the complainant's address.  After receiving the registered correspondence at his home address, the complainant informed the Credit Union by phone that his ex-wife did not reside at his address, nor indeed had she ever resided at that address.  In fact they had been living apart for twenty-two years.  Despite this, two further pieces of correspondence from Halston Street Credit Union to his ex-wife arrived at the complainant's address on separate dates.

My Office wrote to Halston Street Credit Union in early April 2008 informing it that we were commencing an investigation of this complaint.  The complainant was anxious to establish what personal data the Credit Union held in relation to him.  He was genuinely concerned that the correspondence he was receiving was prompted by fraudulent use of his personal data by a third party.  We advised him to submit a request to the Credit Union under section 3 of the Acts.  Section 3 of the Acts provides that an individual may submit a request in writing to a data controller to be informed whether the data controller keeps personal data relating to the individual.  If the data controller does have such data, section 3 provides that the data subject should be given a description of the data and the purposes for which it is kept.  Under the provisions of the Acts a data controller must respond to such a request within twenty one days.  The complainant took our advice but unfortunately did not receive a response from Halston Street Credit Union to the section 3 request that he submitted in mid-July 2008.

Halston Street Credit Union failed to reply to my Office's initial correspondence despite three separate reminders during the period April to July.  One of my officials received a very unsatisfactory call from one of the elected members of the Credit Union which did not provide any response to the issues raised.  This situation, coupled with the failure by the Credit Union to meet its statutory obligation to respond to the request under section 3 of the Data Protection Acts, led my Office to form the view that the Credit Union had little regard either for the data protection rights of the complainant or for my Office.  For these reasons I instructed two of my senior officers, using the powers conferred on them by section 24 of the Data Protection Acts, to enter and inspect the premises of Halston Street Credit Union to obtain information relevant to the investigation of this complaint.  In the course of their inspection, my authorised officers found records which confirmed that the complainant had indeed informed Halston Street Credit Union in June 2007, as he had indicated, that his ex-wife did not live at his address.  No action had been taken by the Credit Union on foot of this information in terms of updating the address on file and, as a result, the complainant's address was used on two further occasions by the Credit Union to send letters intended for his ex-wife.  My authorised officers also found the section 3 request that the complainant had submitted in July 2008 on the premises.  They confirmed that the Credit Union had not taken any action in response to the request.

Subsequent to the inspection by my authorised officers, Halston Street Credit Union confirmed to my Office that a response issued to the complainant's section 3 request in mid-September 2008.  This was over five weeks outside the statutory requirement.  My Office was disappointed to discover that the Credit Union had copied its response to the section 3 request to four separate third parties.  The complainant was entitled to have his request handled in a confidential manner.  It was, to say the least, very disappointing that the Credit Union copied the response to the request to third parties who had no business in relation to it.

Following my Office's investigation, we found Halston Street Credit Union to be in breach of section 3(b) of the Data Protection Acts for failing to respond to the complainant's section 3 request within the statutory timeframe of twenty one days.  We found that the Credit Union was also in breach of section 2(1)(d) of the Acts for its unauthorised disclosure of the complainant's personal data to third parties when responding to his section 3 request.  The records of Halston Street Credit Union showed that the complainant first contacted it by telephone in June 2007 to inform it that his ex-wife did not live at his address.  The Credit Union's subsequent failure to take action to remove the complainant's address from its records led it to process the complainant's personal data on two further occasions, constituting two additional breaches of his data protection rights under section 2A of the Acts.  The failure of Halston Street Credit Union to remove the complainant's address from his ex-wife's records caused two further breaches.  This time the Credit Union breached the data protection rights of the complainant's ex-wife, because it sent her personal data on two occasions in August 2007 and September 2007 to an address which it knew from June 2007 to be incorrect.

The sequence of events that culminated in my instruction to my authorised officers to use their powers under Section 24 of the Acts to progress the investigation of this complaint demonstrates the dismissive attitude shown by an elected member of Halston Street Credit Union towards my Office.  This uncooperative approach by the Halston Street Credit Union was disappointing and unacceptable.  Thankfully my staff do not encounter such attitudes every day and, in the event, the staff and manager in the Credit Union were very co-operative to my authorised officers during their visit.  Our approach to complaints, as provided under the Acts, is to try to reach an amicable resolution by engaging openly and honestly with the parties concerned.  When a data controller fails to cooperate satisfactorily with an investigation conducted by my Office, I will use my legal powers without hesitation, as this case demonstrates.  Neither I nor my staff will be deterred from taking the actions that we consider necessary.

As I reflect on this regrettable and time-consuming incident, I note that it comes down to the Credit Union's refusal to respond to a person with a genuine complaint.  The complaint was well-grounded and reasonable and, if the Credit Union had demonstrated even a basic level of customer service, the matter would have been resolved quickly and without consuming the resources of my Office.  In this respect, I accept that a Credit Union has a right to trace the location of a person with whom it needs to communicate for a genuine business reason and using reasonable means.  For this reason I have no difficulty with the sending of the initial letter.


Case study 15: Tesco and the resale of an Apple ipod containing a customer's personal data

In March 2008 I received a complaint from a data subject regarding the resale by a Tesco store of an Apple ipod which she had returned to the store after it developed a fault and onto which personal data relating to her had been downloaded.

The data subject informed my Office that she purchased the ipod at a Tesco store in May 2007 and that she returned it a few days later when it developed a fault.  After purchasing it, the data subject had successfully downloaded music and photographs from her computer onto the ipod and she had registered it in her name.  On returning the ipod she made a point of informing a member of staff at the Tesco store that due to the fault she was unable to delete from the ipod her personal photographs and music prior to returning it.  She was given a replacement ipod immediately.

However, in early January 2008, the data subject became aware through an acquaintance that the ipod she had returned the previous May had subsequently been resold by Tesco to a different customer.  The data subject contacted this customer who confirmed to her that she had purchased the ipod as a Christmas gift for her daughter at the same Tesco store some months after the data subject had returned it.  She also informed the data subject that, on purchasing the ipod, she found that she had access to the data subject's music and personal photographs.  When she tried to register the ipod in her daughter's name, it was confirmed that the ipod was still registered in the name of the data subject.  That customer also returned the ipod to the Tesco store.

Understandably, the data subject was concerned to find that the faulty ipod that she had returned to Tesco in May was resold again some time later with her personal data still on it.  My Office contacted Tesco's Head Office regarding this matter.  Tesco subsequently acknowledged to my Office that the ipod returned by the data subject should not have been put on sale after she had returned it.  It informed my Office that its own internal controls failed to operate on this occasion and that the ipod should have been returned to its supplier.  Instead, it appears to have been repackaged, retained in the store for some time and then inadvertently put on sale again.  Tesco also informed my Office that when the ipod was returned a second time, its internal processes operated effectively and the ipod was returned to the supplier.

Tesco informed my Office that as a result of this incident it instituted a review of the data protection compliance processes in its stores.  This included implementing more robust processes for the storage, return and tracking of any devices that contain personal data.  Tesco also informed my Office that as part of its review of its data protection compliance processes, it had reiterated to its entire staff the need to be careful about how its customers' personal data is used.

During my Office's investigation of this complaint, Tesco expressed regret at the inconvenience and concern caused to the data subject as a result of the manner in which the matter was dealt with by the store.  It also offered a gesture of goodwill to the data subject and expressed a wish to write directly to her to express its apologies for the incident.

As the Data Protection Acts mandate my Office, in the first instance, to resolve complaints amicably between the parties concerned, my Office informed the data subject of Tesco's interest in reaching an amicable resolution.  The data subject accepted Tesco's goodwill gesture and letter of apology, both of which were forwarded to her via my Office.

This case perfectly demonstrates circumstances when, through the intervention of my Office, a data controller is made aware that it has breached the Acts and is reminded of its obligations under the Acts.  At the same time, the concerns of a data subject are addressed and the matter is resolved amicably between the parties.  It also highlights the need for retailers to raise awareness among their staff about the capacity of portable devices which they sell in their stores to process and retain personal data.  Robust procedures are necessary in retail outlets to prevent incidents of a nature similar to that outlined in this case.


Case study 16: Failure to properly safeguard a staff member's medical certificate

My Office received a complaint from a solicitor on behalf of a data subject whose personal information, contained in a medical certificate, had been accessed in an unauthorised manner while in the possession of her employer.

The data subject was employed by a catering company that had a contract to provide services to the Defence Forces.  It was brought to her attention by a member of the Defence Forces that her medical certificate was displayed on a notice board in the office of a Unit Manager in the catering company.  This office was shared with a member of the Defence Forces.

Upon receipt of the complaint, my Office contacted the catering company and requested that the medical certificate be removed from the notice board immediately.  We also advised the company that a medical certificate, which reveals the health status of a person, is sensitive personal data under the Data Protection Acts.  We informed them that, from the information supplied by the data subject, it appeared likely that appropriate security measures were not in place to prevent unauthorised access to the medical certificate.

My Office received a response from the catering company outlining the findings of its investigation into the alleged breach.  It explained that the Unit Manager placed the certificate on her personal notice board which hangs directly behind her desk.  It was not on view at any time.  It was placed behind a number of other documents on the notice board.  It alleged that the third party who had accessed the certificate had entered the office without permission and would have had to deliberately seek the certificate.  The company informed my Office that it takes its obligations under the Data Protection Acts very seriously and that all personal data relating to employees at any unit is the responsibility of the Unit Manager.  Such data is to be held securely in locked cabinets unless required by another department within the business.  The company also informed my Office that steps had been taken to remind all managers of their duties when dealing with confidential data.

The main concern for my Office was that the certificate was placed on a notice board in an unlocked office and it was clear that the Unit Manager did not adhere to the company's security procedures when handling the data subject's medical certificate.  Under Section 10 of the Acts I am mandated to seek an amicable resolution of complaints.  To this end my Office requested that the company submit proposals to help achieve an amicable resolution.  The company subsequently proposed to make a donation to a charity of the data subject's choice and it agreed to send a letter of apology to the data subject.  The data subject, through her solicitor, accepted this proposal as an amicable resolution of her complaint.

This case demonstrates well the care which data controllers must exercise in the processing of all personal data in its possession, especially sensitive personal data.


Case study 17: A web design company is requested to delete a marketing database

I received a complaint from a data subject about the receipt of an unsolicited marketing email from Matrix Internet, a company advertising website design services.  Disappointingly, this was the second time that this company had come to the attention of my Office concerning marketing emails sent to the same complainant.  During a previous investigation, the company had given an undertaking that the complainant's email address would be removed from its marketing database. 

As a result of this complaint and given our previous encounter, my Office had serious concerns about the marketing activities of this company.  We sought an immediate explanation as to how the complainant's details had remained on its marketing database.  In response, the company apologised and it explained that an internal error had resulted in the email address of the complainant being listed twice on the marketing database.  The company had removed only one of those entries and, as a result, the complainant had continued to receive marketing emails.

I was encouraged by the company's swift response and co-operation with my Office's investigation.  However, in light of what had happened to the complainant's personal data, it was clear that it was necessary to request the company to delete its entire marketing database.  I considered that this was the only certain method of protecting other individuals on the company's marketing database from exposure to the receipt of unsolicited marketing emails.  The company agreed to the request to delete its marketing database.  In addition, the company undertook to cease marketing activity until such time as it had put in place a more appropriate system for carrying out marketing operations and managing 'opt out' requests.  After a period of three months, the company reported that it was in a position to recommence marketing activities as it had, in the intervening period, introduced a new system to ensure that its marketing systems were compliant with the requirements of data protection legislation.  The complainant was satisfied with this outcome.  Since then my Office has received no further complaints against this company.

This complaint resulted in the deletion, at my request, of a data controller's marketing database.  In terms of remedial action to protect the public from unsolicited marketing, a request for the deletion of a marketing database is not insignificant and it can result in a large loss of marketing targets for the data controller concerned.
 

Case study 18: A civil summons is served on the wrong person

In February 2008 I received a complaint from a data subject who had received a District Court civil summons from a firm of Solicitors acting on behalf of a property management company.  The civil summons named a male and a female as the defendants in the matter. The data subject shared the same full name as that of the male named on the summons. The data subject phoned the solicitors concerned to inform them that he did not know anything about the matter referred to on the summons, that the female named on the summons was not known to him and that she did not reside at his address.  When he asked the solicitors where they had sourced his address he was told that their enquiry agent had given it to them.

My Office commenced its investigation by contacting the solicitors concerned to establish if, as alleged, the complainant had been mistakenly served with a summons which was proper to another man of the same name.  The solicitors subsequently responded and confirmed that they accepted that the person who received the summons in this matter was not the person with whom their clients had contracted.  They informed my Office that they had relied on information provided by an agent.  They also asked my Office to convey their sincere apologies to the data subject for any inconvenience that may have been caused to him.

My Office informed the data subject of the response of the solicitors and sought his views about how his complaint against the solicitors might be resolved to his satisfaction.  He indicated that this could be achieved by the data controller agreeing to cover the legal and medical costs incurred by him as a direct result of being wrongly served the civil summons.  The data subject informed my Office that on receipt of the civil summons it was necessary for him to engage a solicitor to deal with the matter as he had been summoned to appear before the District Court on an appointed date.  He also stated that he suffered considerable distress as a result of receiving the summons and that he had attended his doctor as a direct result.  The data subject was also concerned that the summons served on him was now a matter of public record in the courts system and he said that it was incumbent on the solicitors to have this matter rectified by requesting the Courts Service to clear his good name.

The solicitors immediately indicated their willingness to resolve this matter as sought by the data subject and confirmed that there was no public record of the proceedings in this matter.  In the solicitors' view, the issue arose as a direct result of the actions of its agent.  For this reason, it had been agreed that the agent would make a payment directly to the data subject's solicitor in settlement of the matter and confirmed that this had taken place.  Unfortunately, the agent had not made any contact with the data subject or his solicitor on this matter.  Soon afterwards the solicitors sent my Office, on their own behalf, a cheque made payable to the data subject to cover the full costs incurred by him in this matter.  They stated that they had been misled by the agent who had indicated that the matter had been resolved with the data subject's solicitor.  They indicated that, as a result, they had dispensed with the services of the agent with immediate effect.  The data subject expressed his satisfaction with the outcome and thanked my Office for helping to bring this matter, which had caused him great distress, to a satisfactory conclusion.

This case highlights the distress and inconvenience that can be caused to an innocent individual as a result of the processing of inaccurate personal data.  The serving of a summons is a significant action and it can be a matter of great anxiety for an individual to receive a summons, even when that individual is not the legitimate subject of the summons.  Greater care should have been taken by all involved in the process of serving this summons.


Case study 19: Personal data is disclosed in a letter

My Office received a complaint in February 2008 from a data subject stating that a letter containing personal information about him was disclosed by the HSE to a third party without his consent.  The data subject was involved in a tenancy dispute with his landlord resulting in the matter being referred to the Private Residential Tenancies Board (PRTB) which is the dispute handling body for such situations. The data subject's Community Welfare Officer (CWO) was unable to attend a subsequent hearing at the PRTB and instead wrote to the solicitor acting for the data subject's landlord, outlining the position regarding the data subject's rent supplement entitlements.  The CWO included a statement in the letter regarding, as he viewed them, malicious letters between the data subject and Community Welfare Office staff. This information was not related to the tenancy issue and the basis for its inclusion in this letter was not clear to my Office.

My Office contacted the HSE about this case and pointed out its obligations under the Data Protection Acts, 1988 & 2003.  The HSE responded with a contention that the disclosure was proportionate.  My Office did not accept this position given the nature of the dispute before the PRTB and the lack of any clear link between that dispute and the nature of the customer relationship between the data subject and the Community Welfare Office.  The processing of this personal information took place without the consent of the data subject.  It was clearly unnecessary for the purposes of the legitimate interests pursued by the HSE and it did not meet any of the other requirements of section 2A of the Acts.  Accordingly, we informed the HSE that we considered that the disclosure of this personal information was a contravention of the Acts.

To try to reach an amicable resolution of this complaint, my Office proposed that the CWO should issue an amended version of the letter which would omit the statement referring to the nature of communications between the HSE and the data subject.  We proposed that this amended letter should be issued to the solicitor concerned with a request that he should replace the original letter with the amended version.  In addition, we asked the HSE to write to the PRTB to request it to replace the original letter with the amended version. The data controller agreed to this course of action and the matter was concluded satisfactorily.  All data controllers, but especially the HSE (given the sensitive nature of its responsibilities), need to be very careful to ensure that only strictly relevant personal data is disclosed when it is necessary to discuss customers/patients with external parties.
 

Case study 20: Dell and persistent unsolicited marketing faxes

The direct marketing activities of Dell resulted in a complaint to my Office during the year.  The complaint concerned repeated fax messages sent by Dell to the line of a subscriber.  The complainant provided my Office with a copy of a sample of the faxes he had received.  From an initial examination of the complaint, there were two clear issues of concern.  In the first place, the fax number of the complainant was registered on the NDD opt-out register.  Secondly, the complainant's numerous attempts to opt-out of receiving fax messages from Dell using the fax number provided by the company had failed because the number provided appeared to be out of service.  As a result, he continued to receive unsolicited marketing fax messages.

My Office contacted Dell and requested an explanation.  Dell acknowledged that eight fax messages had been sent to the individual.  Regarding the inability of the complainant to 'opt out', Dell acknowledged that an internal error resulted in an incorrect digit being inserted in the 'faxback' number printed on the fax messages sent to the complainant.  Regarding the inclusion of the complainant's fax machine number on the NDD opt-out register, Dell advised that the complainant's number was supplied to it by a third party provider.  That list was then sent to its fax marketer for checking against the NDD.  Dell stated that the fax marketer advised it that the complainant's number was not listed on the NDD at the time when the fax messages were issued.  However, my Office's investigation confirmed that the complainant's number had been listed on the NDD since 2007.

Following the intervention of my Office, Dell agreed to take a number of corrective measures to address the shortfalls in its fax marketing operations, including deletion of the complainant's number from its marketing database.  Dell also indicated that it wished to attempt to resolve the complaint by amicable resolution.  In that context, as a goodwill gesture, Dell offered laptop equipment to the value of €2,500 to a charity of the complainant's choice.  It also communicated a letter of apology to the complainant and an undertaking that he would not receive any further marketing from Dell unless he specifically requested such information.  The complainant was happy to have his complaint resolved on this basis.

This complaint demonstrates the need for any data controller engaged in direct marketing by post, fax, email or text message to have appropriate procedures in place to ensure that it meets the requirements of the law in this area.  In particular, a valid facility to opt-out must be provided and must be working.
 

Case study 21: Access is wrongly denied in respect of an accident report

I received a complaint from a data subject who had been involved in an accident at work.  The data subject had made an access request, under section 4 of the Data Protection Acts, to their employer for a copy of all information held about them, including the accident report form.  The employer had not responded to the request within the forty day timeframe specified in section 4 of the Acts.

My Office contacted the data controller to enforce compliance with the terms of the access request.  The data controller stated that they had passed the request on to their insurance company who were dealing with legal proceedings arising from the accident.  My Office pointed out that the obligation to comply with an access request was on the data controller and not on the insurance company.  My Office informed the data controller that we were investigating its failure to respond to an access request.

The data controller then provided certain documents containing personal data to the data subject.  However, it failed to provide a copy of the accident report form.

My Office contacted the data controller again to request that the outstanding documents be furnished to the data subject.  The data controller responded by claiming a restriction on the right of access under section 5(1)(g) of the Acts based on an assertion that the documents were exempt from disclosure due to legal privilege.  This provision restricts the right of access with regard to personal data in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers.

My Office rejected this claim because in this case the accident report was prepared on foot of the legal requirement for an accident report to be created if a workplace injury results in at least three days absence from work.  This is set out in Regulation 59 of Statutory Instrument No. 44 of 1993.  My Office also rejected claims by the data controller that, as the accident report form was created with the assistance of their legal adviser, it could be withheld on the basis of legal privilege.  As a result, the data controller provided a copy of the accident report form to the data subject.

While the Data Protection Acts provide for limited, narrow restrictions to the right of access by a data subject to their personal data, this case highlights the fact that my Office will rigorously examine complaints of this nature to establish whether the restriction asserted by a data controller can be legitimately relied upon.