- CASE STUDY 1: LEISURE CENTRE REQUESTS EXCESSIVE PERSONAL DATA FROM PATRONS.
- CASE STUDY 2: TELECOMMUNICATIONS COMPANIES PROSECUTED FOR MARKETING OFFENCES.
- CASE STUDY 3: PROSECUTION OF REGINE LTD FOR THE SENDING OF UNSOLICITED MARKETING TEXT MESSAGES.
- CASE STUDY 4: MARKETING PHONE CALL MADE TO A NUMBER ON THE NATIONAL DIRECTORY DATABASE (NDD) OPT OUT REGISTER.
- CASE STUDY 5: UNLAWFUL OBTAINING AND USE OF EMAIL ADDRESSES FOR MARKETING PURPOSES BY THE ZONE EXTREME ACTIVITY CENTRE.
- CASE STUDY 6: CUSTOMER DATA LEGITIMATELY PASSED FROM CAR DEALERSHIP TO NEW BUYER.
- CASE STUDY 7: ALLIANZ REQUESTING EXCESSIVE PERSONAL INFORMATION AT QUOTATION STAGE.
- CASE STUDY 8: VETERINARY PRACTICE DISCLOSES DOG OWNER'S PERSONAL DATA.
- CASE STUDY 9: UNLAWFUL USE OF CCTV TO REMOTELY MONITOR AN EMPLOYEE.
- CASE STUDY 10: FINANCIAL INSTITUTIONS DENY RIGHT OF ACCESS TO CREDIT ASSESSMENTS.
- CASE STUDY 11: ACCESS REQUEST FOR OLD RECORDS.
- CASE STUDY 12: ACCESS REQUESTS TO SOLICITORS FOR COPIES OF FILES.
- CASE STUDY 13: ACCESS TO REPORTS COMPILED BY PRIVATE INVESTIGATORS.
In October 2010 I received a complaint from an individual in relation to a leisure centre, Swan Leisure in Rathmines, refusing him and his child entry to its swimming pool because he declined to complete its Guest Registration Form. The complainant provided a copy of the Guest Registration Form. The first page of the form requested details such as the individual's name, address, date of birth, email and mobile phone number. The second page consisted of a list of medical-related questions such as the person's family medical history of heart disease, respiratory disease and diabetes, the extent to which they may be overweight, and details of their lifestyle. The complainant refused to complete the registration form because he considered it to be too intrusive as it required him to divulge sensitive, personal medical information. He said that he should be able to take his child for a swim without having to provide sensitive personal information.
Section 2(1)(c) of the Data Protection Acts, 1988 and 2003 provides that data "shall be adequate, relevant and not excessive" in relation to the purpose for which it is kept. My Office informed Swan Leisure that we considered its practice of requesting the aforementioned information to be excessive. In addition we pointed out that medical data is deemed to be sensitive personal data and its processing is subject to additional safeguards under the Acts. We asked the leisure centre to outline to us the basis on which medical data was sought and how the processing of that information complied with its obligations under the Acts.
In its reasoning for asking guests who attend the facility to provide their name and contact information, Swan Leisure referred to its Child Protection Policy. It indicated that in order to safeguard children attending its facilities it was imperative that it take a record of everyone that came onto the premises. It was not clear to us how having the name and address of every person attending the facility was relevant to child protection. In relation to the medical screening forms, the leisure centre informed us that the reason for requesting guests' medical data was to help prevent injuries or medical issues arising from the use of its facilities. It also referred to advice given by the American College of Sports Medicine (1976) stating that anyone who has risk factors for heart disease (a family history of heart disease, a history of smoking, high blood pressure or high blood fat levels) should be given a full medical examination before exercising in a health club. The leisure centre informed us that it was collecting medical information under Section 2(B)1 of the Acts which, among other things, allows the processing of sensitive personal data where the processing is necessary to prevent injury or other damage to the health of the data subject or another person.
Having reviewed its response, we told Swan Leisure that its policy of recording the name, contact details and medical information of all of its patrons was unacceptable. We acknowledged the importance of protecting children and safeguarding the health and well-being of patrons during the use of the leisure facilities. However, we informed it that from a data protection perspective, the systematic recording of patrons' information was a disproportionate response to the aims it sought to further, i.e. health promotion and the protection of children. We further informed the leisure centre that the request for such information could not be justified by reference to the policy guidelines and academic commentary it had cited.
In its response, the Centre referred to the Institute of Leisure and Amenity Management (ILAM) facility standards. Following further communications with my Office, the leisure centre subsequently confirmed that in order for it to meet both ILAM's guidelines and the Data Protection Guidelines it had changed its policy so that it now offers a guest register form. However, the completion of this form is no longer a condition of entry to the leisure centre and the right of patrons not to provide the personal information requested is respected. In relation to the forms already completed prior to the introduction of this change, it informed us that guests would be given the option to have their data deleted at any point during or after their time with the centre. As a result of this complaint, members of the public may now use the swimming pool at the leisure centre on an anonymous basis and that is as it should be.
Arising from a number of complaints which I received in 2009 and 2010 I took prosecution proceedings against four telecommunications companies in March 2011 in relation to offences under SI 535 of 2003 (as amended). The cases against Eircom, Vodafone, O2 and UPC were heard on the same day at the Dublin Metropolitan District Court.
Eircom entered a guilty plea in respect of one charge for an offence under Regulation 13(4)(b). The charge related to an unsolicited marketing telephone call to an individual whose landline number stood recorded on the NDD opt out register as not wishing to receive marketing calls. During the course of our investigation of this complaint, we established that the call had been made from a mobile phone used by one of the company's "feet on the street" sales agents. The list used by the agent had not been cleansed against the NDD opt out register. The Court accepted the guilty plea and it applied the Probation of Offenders Act conditional upon a payment of €2,000 being made by Eircom to Accord.
Vodafone entered guilty pleas in respect of four charges under Regulation 13(4)(b) and one charge under Regulation 13(1)(b). The charges under Regulation 13(4)(b) related to the making of repeated unsolicited marketing phone calls to an individual whose landline number stood recorded on the NDD opt out register. The calls were made between September 2009 and June 2010. Three of the four calls were made while my Office's investigation was ongoing. The Court accepted the guilty pleas, it entered convictions against Vodafone in respect of all four charges. It imposed a fine of €250 in respect of the first unsolicited call, €400 in respect of the second call, €1,000 in respect of the third call and €1,200 in respect of the fourth call.
The charge under Regulation 13(1)(b) related to the sending of an unsolicited marketing text message in February 2010 to a customer who had opted out of receiving marketing communications from Vodafone. The customer had complained previously to my Office in 2009 about the sending of such marketing text messages by Vodafone. Further to that complaint the company assured us that it had opted her out of further marketing contact. The Court accepted the guilty plea, it entered a conviction against Vodafone and it imposed a fine of €1,000.
O2 entered a guilty plea in respect of one charge under Regulation 13(1)(b). The charge related to an unsolicited marketing text message sent to a customer in February 2010. The customer had previously opted out of receiving marketing communications from O2 in 2007. The Court accepted the guilty plea and it applied the Probation of Offenders Act conditional upon a payment of €2,000 being made by O2 to The Spinal Injuries Fund.
Guilty pleas were entered by UPC in relation to eighteen charges against it under Regulation 13(4)(a). The charges related to the making of unsolicited marketing phone calls to four individuals who had previously informed UPC that they did not wish to receive further marketing calls. In one case the defendant faced twelve charges for persistent calling of an individual in a two-week period in 2009. The Court recorded twelve convictions in this case and it imposed fines of €400 for each conviction. In the second case, UPC was convicted on three charges of making unsolicited marketing phone calls and the Court imposed a fine of €300 on each conviction. In the third case, two convictions were recorded with fines of €400 imposed for each. In the last case, one conviction was recorded with a fine of €600 imposed by the Court.
The total amount of fines imposed on UPC amounted to €7,100. In deciding the penalties, the Court noted that UPC had two previous convictions arising from prosecution proceedings taken by me in 2010 concerning the making of unsolicited marketing phone calls.
In all of the above cases, the defendants paid costs to my Office. I was very pleased with the outcome of the prosecution proceedings in these cases. It sent a strong message to organisations that they must comply with the law which applies to the making of unsolicited marketing contact with individuals, be they customers or not, or else risk prosecution and the consequences of a criminal record.
At the time of the prosecution proceedings against UPC, my Office had three complaints on hands concerning unsolicited marketing telephone calls, the investigation of which had not been completed. By mid-year those investigations were concluded and we were satisfied that prosecutable offences had been committed in respect of each complaint. We met with UPC to present it with the options (including prosecution) available to us to progress these files to a conclusion. Subsequently, we reached agreement with UPC in August 2011, the terms of which included a goodwill gesture of €500 to each of the three complainants, an overall donation of €20,000 to charity (this amount was shared among four Irish charities- Focus Ireland, Canteen Ireland, Respect and The Jack & Jill Children's Foundation) and the publication of a statement on the homepage of the UPC website. This statement, among other things, outlined broadly the terms of the agreement and it indicated that additional controls had been put in place internally and with third party sales agents to ensure that customer preferences are accurately recorded in future. The statement also noted that the Office of the Data Protection Commissioner was satisfied that UPC now has in place improved procedures to enable it to fully comply with its data protection obligations.
In 2010 I received a complaint regarding marketing text messages sent by Regine Ltd, trading as Fran & Jane. The complainant stated that she had never consented to the receipt of marketing text messages from them. She informed me that she had phoned the Fran & Jane outlet in Clarendon Street, Dublin on numerous occasions to ask for her phone number to be removed but despite her requests she continued to receive marketing text messages. Furthermore, the text messages contained no opt-out mechanism.
In response to our investigation, Fran and Jane admitted that it had no opt-out facility in the message due to a lack of awareness about this requirement. It indicated that, in future, an opt-out would be included in all marketing text messages. Regarding its failure to respond to the opt-out requests made by telephone to its Clarendon Street outlet, it informed us that the database of customer contact details is controlled at its head office and that the outlet concerned had not passed on the opt-out requests. It apologised for these oversights. At this point, in May 2010, Fran & Jane informed us that the complainant's mobile phone number had now been removed from its marketing database. In line with our usual "two-strikes" policy on such matters we noted its assurances and we issued a formal warning.
The same complainant contacted us again in October 2010 to inform us that she had received a further marketing text message from Fran & Jane despite the previous assurances given to my Office. We contacted the company again and we were informed that due to human error it had removed a different but similar number from the database on the previous occasion. Fran & Jane then assured us in November 2010 that the complainant's phone number had been fully removed from its database.
While our investigation was ongoing, the complainant contacted us for a third time to inform us that she had received another marketing text message in December 2010 which did not include an opt-out facility. On seeking an explanation for this latest breach, Fran & Jane told us that its service provider for the marketing service was responsible. We subsequently received correspondence direct from the service provider. This indicated that when the number was given to it by phone for the purpose of being opted out, it was initially entered on the stop list system as a fax number. This was noticed and it was altered to a mobile number on one platform. The alteration was not made on a second platform. This led to the number being targeted again on a further marketing campaign. It informed us that it had since corrected the error.
I decided to take prosecution proceedings in this case in light of the repeated offending behaviour. In June 2011 the case came before Dublin Metropolitan District Court where Regine Ltd, trading as Fran & Jane, pleaded guilty in respect of one offence under Regulation 13(1)(b) of SI 535 of 2003 (as amended) for the sending of a direct marketing text message without consent. The Court accepted the guilty plea, a conviction was recorded and a fine of €450 was imposed.
Case study 4: Marketing phone call made to a number on the National Directory Database (NDD) Opt out register.
I received a complaint regarding a marketing phone call made by a life assurance company Acorn Life Ltd. The complainant stated that her preference was recorded on the National Directory Database (NDD) Opt-Out Register not to receive marketing phone calls. On receipt of this complaint, we checked the complainant's phone number against the NDD Opt-Out register which showed the phone number had been opted out of marketing when the call was made.
In response to our investigation, Acorn Life Ltd stated that a member of its telesales team had made the marketing phone call to the complainant. It stated that its procedure was to clash a prospective number against the NDD Opt-Out Register to ensure that it was not listed. It could not confirm that this procedure was followed in this instance as the staff member who made the call had left the company in the meantime.
Acorn Life Ltd stated that it wished to apologise to the complainant and by way of amicably resolving this complaint it suggested a donation of €500 to a charity of the complainant's choice. The complainant accepted this offer. In addition, a formal warning was issued to Acorn Life Ltd to the effect that if we received any further complaints regarding its marketing operations prosecution action may be taken against it in the event that offences were found to be committed.
This case highlights the need for those involved in marketing activity to follow correct procedures to ensure that marketing calls are not made to those wishing not to receive them. The simple step of properly clashing the complainant's phone number against the NDD Opt-Out Register would have ensured that the number was not called in this instance and a breach would have been avoided.
Case study 5: Unlawful obtaining and use of email addresses for marketing purposes by The Zone Extreme Activity Centre
I received a complaint regarding a marketing email sent by The Zone Extreme Activity Centre. The means by which the activity centre obtained the email address of the complainant as well as the email addresses of many other people was a matter of concern to my Office and is worthy of detailing in this case study as a lesson to those involved in marketing. The circumstances were as follows:
An entity previously received an email from a now defunct company which mistakenly included a list of recipient email addresses in the "To" field, rather than in the "BCC" field. That entity then forwarded on these email addresses to the activity centre with the message "I just found this email that (Name removed) sent me last Christmas and they stupidly had all the email addresses on their mailing list in the TO bar?. Guess there yours now??". The activity centre subsequently used the email addresses to send an unsolicited marketing email promoting a Christmas party at the centre. Included at the bottom of the marketing email was an email thread containing the full details of all of the email addresses. In the process of issuing the marketing email complete with the email thread, the activity centre then further disclosed this personal data, which included both personal and business email addresses, to everyone to whom the email was sent.
It was clear in this case that the personal data in the form of email addresses was not obtained fairly by the activity centre from the other entity. This was also abundantly clear to the activity centre given that the method of obtaining the messages was fully disclosed to it by the original email recipient. This personal data was then processed unlawfully by the activity centre in the sending of the marketing emails to the list of email addresses it had no consent to send marketing emails to in the first place. In addition, by supplying the email addresses to the activity centre without the consent of the individuals concerned, the other party also unlawfully processed the personal data.
In response to our investigation, The Zone Extreme Activity Centre stated that it was their intention to contact the businesses on the email list to ask if they would mind receiving a marketing email about the Christmas Party in the centre. It accepted that the email should never have been sent out and that it had no authority to do so. My Office also wrote to the other party who had forwarded the list of email addresses to the activity centre. In its response, that party stated that it understood that the email list it forwarded would be cleaned and verified by the activity centre before any marketing emails were sent out. It stated that its intention when sending on the email list to the activity centre was a friendly one and it did not sell this list or pass it on to anyone else.
We insisted that any holdings of the email list in question by the activity centre and by the other party be destroyed. We issued a formal warning to the activity centre to the effect that if we received any further complaints regarding its marketing operations, prosecution action may be taken against it in the event that offences were found to be committed.
This case highlights a growing concern whereby businesses are sometimes careless in the way they handle bulk emails and expose the email addresses to all recipients. As can be seen from this case, an entity took advantage of an open email list and proceeded to use it for its own marketing purposes, clearly in contravention of the Regulations.
In November 2010 I received two complaints from individuals who had received direct marketing text messages from a car dealership promoting special offers. Both of the complainants had previously purchased cars from a firm which had since ceased trading. Since closure, some of the sales team had become involved with the new car dealership which was now the subject of the complaint to my Office. Neither complainant had consented to receiving direct marketing text messages from the new dealership.
As part of the investigation of these complaints, my Office contacted the new dealership to obtain details, if any, of the consent it had in place to send the text messages to the complainants. In its response, the dealership informed us that it had purchased the previous dealership from the liquidator and it had taken over the existing premises, staff, equipment, stock, etc. From this purchase it had obtained the full database of previous customers. The contact details of both complainants were contained within this database. As customers of the previous business, both complainants had opted in to receive marketing messages at the time of their car purchase and/or car service. The dealership confirmed that it had now unsubscribed both customers from their database so they would no longer receive any future marketing messages. It also offered an apology to both complainants for any confusion caused.
Where a company purchases a business from a liquidator, it is likely that in circumstances where the customer data is to be used by the purchaser for the same purposes as the previous owner had used them, there would not be a data protection concern. If the customer data was to be considered for use for another purpose then the liquidator would need to get an opt in consent from those customers on the database to pass on their personal information to the new buyer. In the above case the customer data was used for the same purpose as previously by the new buyer so no breach of the Data Protection Acts arose.
In May 2011 I received a complaint from an individual in relation to what she considered to be the excessive level of personal information requested by Allianz when she contacted them by telephone seeking a pet insurance quotation.
The complainant informed us that during the call to Allianz the agent asked her to provide her date of birth and her mother's maiden name. The complainant informed the agent that she was not a policy holder with the company and that she was only seeking a quotation. The agent then informed the caller that it was a requirement under the Data Protection Acts, as a security measure, to ask such questions.
Our communications with Allianz concerned two issues, the first one being the use of information from a birth certificate as a security question. Allianz informed us that it introduced three ID security questions consisting of date of birth, mother's maiden name and place of birth. It stated that these questions were introduced to ensure that it was keeping its customer's personal information safe and secure and to prevent any unauthorised disclosure. As previously outlined in my 2009 Annual Report it is our view that the use of questions such as date of birth and mother's maiden name for the purpose of ensuring security of data is not an adequate safeguard against disclosure to a third party. Such questions may in fact be a security vulnerability as this type of information is publicly available upon payment of a fee to the General Register Office and is therefore of limited value on its own as a security feature.
The second issue concerned excessive data collection in the context of a quotation. We informed Allianz that there was no requirement under the Data Protection Acts for it to collect date of birth, mother's maiden name and place of birth data when a person phones for a quotation – especially for pet insurance! The Acts provide that personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or are further processed. We told Allianz that to suggest to a person who phones for the first time to seek a quotation for insurance that the collection of such information is a requirement under the Acts was both false and misleading and was a misrepresentation of the requirements of the Acts. When
queried, Allianz confirmed to my Office that a quote reference number is provided over the phone so that a customer could note it for further reference. It also confirmed that unless the caller indicated that the quote was, for example, too expensive or that they were no longer interested, a quote pack would usually issue to the customer containing a quote reference number. It was our view that confirmation by a caller of the quote reference number in a follow up call would adequately meet any data security requirements the company may have at quotation stage.
Following our intervention, Allianz confirmed its intention to cease using its ID verification screen at quotation stage. In future, it undertook to not seek information at quotation stage regarding a caller's date of birth, mother's maiden name and place of birth.
The use of ID verification questions is common practice among companies in order to ensure the safety and security of personal data of their customers or policyholders and to prevent against unauthorised disclosure. This is a practice which we of course encourage in relation to the protection of customer personal data in appropriate circumstances. However, verification of a caller's identity can be easily achieved without asking questions that are bordering on invasive or which might cause upset to the caller. In addition, we discourage the collection of unnecessary personal data at quotation stage, such as in the case outlined above in relation to pet insurance. If the caller decides, having obtained the quotation, to take out a policy, it would be acceptable then to seek personal data which might be used for ID verification on subsequent calls concerning the policy.
In October 2010 I received a complaint from an individual who alleged that a veterinary practice had disclosed her personal information, i.e. her name and address details, to a third party, namely the original owner of a stray dog that she was now in possession of. In her complaint she explained that when the dog was found its original owner had been contacted using the information logged in connection with its identity microchip and that he had indicated that he did not want the dog returned. Following this, she said that the microchip and ownership details of the dog transferred to her. She indicated that all of these matters were conducted by her local vet (who was not the subject of this complaint). The complainant stated that she subsequently received a letter addressed to her at her home address from the dog's original owner. This letter included a request by the previous owner to meet with her and the dog and it enclosed records of the dog's medical history as compiled by the previous veterinary practice which the dog had attended. The complainant alleged that the previous veterinary practice had breached her data protection rights by disclosing her name and address to the original owner of the dog.
This matter was investigated with the veterinary practice complained of and we sought an explanation for the alleged disclosure of personal data. The veterinary practice acknowledged that it had searched for the new owner's contact details and had given them to the previous owner. This arose when the previous owner told the practice that he had re-homed the dog, that he wanted to check to see if the new owner had re-registered the microchip in their own name and to ensure that it was no longer registered in his name. The veterinary practice took this to be a reasonable request and it accepted its bona fides. On being notified of our investigation, the veterinary practice realised that the original owner had misrepresented the purpose of his request for information. The new owner's details were not held on the database of the veterinary practice concerned as she was not their client. Instead, the veterinary practice carried out a search using the dog's microchip number on the website www.fido.ie - which is a database of microchipped pets to which veterinary surgeons have access. Having found on the website that the dog's microchip was no longer registered to the previous owner, the veterinary practice informed the previous owner
accordingly and, in that context, it also disclosed the name and address of the new owner.
The veterinary practice said that it was sorry if its actions had created a situation which caused upset to the complainant and stated that it would not have happened had it been advised truthfully of the situation. It stated that as a result of this complaint all staff at the practice are now thoroughly aware of the need for protection of personal data.
This complaint demonstrates the need for data controllers to be aware of their data protection responsibilities, regardless of the situation presented to them. This disclosure of personal data could have been avoided had the veterinary practice simply informed its client that the dog's microchip was no longer registered in his name. There was no justification in this instance for the disclosure of the new owner's name and address details. Data controllers must exercise great caution where they receive requests for personal data of individuals that they are able to access, irrespective of the credibility of the case presented to them by the requester. Having said that we are entirely satisfied that the veterinary practice acted in good faith based on the information provided to it by the dog's previous owner. Equally there was no suggestion during the investigation of the complaint that the dog's previous owner was seeking to act in any untoward manner in relation to the dog's new owner or the dog but rather was simply seeking to arrange contact with his former pet.
In October 2010, I received a complaint from an individual who stated that he considered that his personal privacy was being affected in his workplace through the inappropriate use of a CCTV system which his employer had installed. The complainant was employed by Westwood Swimming Ltd in Leopardstown as an administrator. In support of his complaint the individual cited two separate occasions, three months apart, when he received phone calls from his employer who was not on the premises at the time. In both of these phone calls the employer allegedly described to him what he had been doing at a particular time, i.e. that he was conversing with and working on a computer used by an individual from the office next door (who had a different employer). The complainant stated that subsequent to these incidents he had received two separate written warnings. He also stated that the CCTV system was installed without prior staff notification as to the reason for its installation or its purpose.
My Office contacted Westwood Swimming Ltd and we informed it of its obligations under the Acts in respect of CCTV usage. We advised that any monitoring must be a proportionate response by an employer to the risk he or she faces taking into account the legitimate privacy and other interests of workers. We further advised that in terms of meeting transparency requirements, staff must be informed of the existence of the CCTV surveillance and also of the purposes for which personal data are to be processed by CCTV systems. We provided it with copies of our guidance material on the use of CCTV and staff monitoring. It was asked to outline how the processing of personal data as complained of complied with the Acts and to give details of any signage that was in place on the premises informing individuals that there was CCTV in operation and its purpose.
Westwood Swimming Ltd in response stated that the CCTV system was installed with the priority focus being security of the office due to the amount of cash and credit card slips with customer information on hand. It informed us that a secondary purpose for the CCTV was the fact that it had received numerous complaints from its customers stating that the office was not open or that the office was open and
unattended which gave it further concern for the security of cash/credit cards. It confirmed that its staff had not been informed in writing of the installation and purpose of the CCTV. However, it indicated that staff were well aware of the reasons behind the new system as the cameras were overt and the recorder and screen showing views and recordings were in the office in full view of both staff and clients. It stated that the system was installed during working hours in full view of the staff and no query, question or complaint was received from either the staff or clients. It also referred to having signage in place informing people of CCTV being in operation. In this regard, it provided us with a copy of a notice posted at its main entrance listing the various services available at the centre. While it was noted on the bottom of the signage that CCTV cameras were in operation it gave no indication as to its purpose.
Westwood Swimming Ltd acknowledged that the CCTV footage had been reviewed by it in respect of the incidents cited by the complainant.
After consideration of the response received from Westwood Swimming Ltd, my Office informed it that we were satisfied that it had used a CCTV system to monitor an employee and that such monitoring was in breach of the Data Protection Acts. We asked that it immediately confirm to us that it would cease the practice of monitoring employees by remotely accessing the system from a live feed or by any other means. In response, it provided us with a commitment that its employees would not be monitored remotely or by other means using CCTV. It confirmed that the cameras in the office would be removed, any disciplinary actions taken against the employee concerned on foot of the use of CCTV would be discarded, and that it would ensure that the employee would not suffer as a result of any information seen on camera.
At the request of the complainant, I issued a formal decision on this matter in March 2011 which stated that the leisure centre contravened Section 2(1)(c)(ii) of the Data Protection Acts by the further processing of CCTV images which were stated to have been obtained for security purposes in a manner incompatible with that purpose. These contraventions occurred in the two instances when the CCTV was used to monitor the performance of the complainant in the course of his employment.
The improper use of CCTV to monitor employees is a matter of increasing concern to me. Even where employers have sought to legitimise the use of CCTV to monitor staff by referring to it in their company handbook, the position remains that transparency and proportionality are the key points to be considered by any data controller before using CCTV in this manner. We would only expect CCTV footage to be reviewed to examine the actions of individual staff members in exceptional circumstances of a serious nature where the employer could legitimately invoke the provisions of Section 2A (1) (d) of the Acts ("the processing is necessary for the purposes of the legitimate interests pursued by the data controller ?except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject."). This was clearly not the case in the circumstances which formed the basis of this complaint.
I received a number of complaints in the recent past concerning the failure of some financial institutions to comply in full with access requests that are submitted to them by their customers or former customers. A recurring theme with these complaints is the withholding, under the provision set out in Section 4(4A)(b)(ii) of the Data Protection Acts, of personal data contained in credit assessments or submissions to credit committees. This provision allows a data controller to withhold personal data relating to the requester if the data consists of an expression of opinion about the requester where such an opinion was given in confidence or on the basis that it would be treated as confidential.
The exemption to the right of access in this provision is limited to expressions of opinion about the data subject given in confidence which may be contained within a document(s). The exemption does not apply to the remainder of the personal data in the document(s) which is not an expression of opinion about the data subject. It may be the case, for example, that a part, section or sentence within a document is, on its own merit, an expression of opinion given in confidence about a data subject. However, it is highly unlikely that a document would constitute in its entirety an expression of opinion given in confidence about an individual. In most circumstances, a document which contains an expression of opinion would also contain factual information about the individual who is the subject matter of the expression of opinion. I consider that an expression of opinion must be considered in its narrowest sense, namely the view(s) held by a person or entity of a living individual or what one thinks about a living individual. Clearly it does not apply to matter of fact about a living individual.
It follows, therefore, that a data controller may not be permitted to apply a blanket exemption to the right of access over an entire document(s) simply because there are parts, sections or sentences within it which may be considered to be an expression of opinion about a living individual given in confidence. The exemption, where validly claimed, may only be applied to cover the specific elements of the document(s) that constitute an expression of opinion about the data subject given in confidence. A data controller can comply with the access request and, at the same time, easily give effect to a valid exemption by blackening out the specific expression of opinion and then release the remainder of the document(s).
Some financial institutions have attempted to rely on Section 4(4A)(b)(ii) to restrict access to certain information contained in credit assessments or submissions to credit committees in the consideration of loan applications. However, I consider that an employee who submits in written form their views or opinions on the financial status of a customer does so as part of the day-to-day performance of their own functions as an employee. For that reason, I do not consider that they can validly claim that their views or opinions on the customer concerned enjoy an expectation of confidentiality. A financial services employee must be able to stand over their views or opinions on a customer without trying to conceal their thinking behind the cloak of an expectation of confidentiality.
In cases which we investigated, we upheld the rights of the requesters to access this information and the financial institutions concerned have released the personal data concerned on pain of enforcement. I am putting all financial institutions on notice that any further reliance on this exemption to withhold such personal data will be met with by enforcement proceedings.
We received a complaint from an individual concerning the alleged failure of the Public Appointments Service (PAS) to comply with an access request he submitted in March 2010. The personal data which the complainant was seeking access to related to his candidature in recruitment campaigns carried out by the PAS (formerly the Office of the Civil Service and Local Appointments Commission) in the 1960s and 1970s.
In response to our investigation, the PAS confirmed that it was still in possession of the files relating to the recruitment campaigns in question, campaigns that took place over the course of a decade from 1969 to 1979. It also confirmed that it was in the process of identifying all of the personal data relating to the complainant, but it was not a straightforward process given the age of the files, and the fact that some older files had been amalgamated.
The PAS subsequently provided the complainant with copies of the personal data that it had located, but it informed him that it was applying the exemption set out at Section 4(4A)(b)(ii) to other data. This exemption allows for the withholding of data that constitutes an expression of opinion, in circumstances where the expression of opinion referred to was given in confidence or on the understanding that it could be treated as confidential. The PAS argued that the data was created in the 1970s in a culture of confidentiality, long before the introduction of Data Protection or Freedom of Information legislation. Having examined the data it was satisfied that it would not have been created in the first instance but for the understanding that it would be treated in confidence. The PAS indicated that it had an obligation to honour the guarantee given to the individuals concerned in this case and that it would not be prepared to renege on that commitment, even at this stage.
We requested sight of the documents in question to determine whether the exemption at Section 4(4A)(b)(ii) was validly applied. Following an examination, we informed the PAS that some elements of the documents could be withheld, but the exemption could not be applied to the entirety of the documents in question. The PAS followed our advice and released the personal data on that basis to the requester.
We took this opportunity, given the complaint and the issues highlighted by it, to advise the PAS to re-examine its policies in relation to the retention of personal data for longer than was necessary for the purpose/s for which it was obtained. The PAS informed us that it had a Records Retention Policy in place, in accordance with data protection requirements, which sets out the timeframes for the retention and destruction of records. Records such as those that had been examined by my Office on foot of this complaint have a retention period of three years after the determining of the candidate as suitable, or otherwise, for appointment, but in this instance records had been retained by the PAS for over 30 years. PAS indicated that it had applied for, and had only recently received Certificates of Destruction from the National Archives in relation to these records.
As this case shows, data controllers not only need to have a retention policy in relation to the keeping of personal data, but they must also have an effective mechanism in place to implement that policy. Once an access request is received by a data controller, they must provide the requester with all personal data sought, irrespective of the age of the records, once the data is still in existence. The safe destruction of older records in accordance with a data retention policy is a vital aspect of good data protection practice in any organisation and is a critical tool in ensuring compliance with the law.
My Office received a number of complaints in relation to the failure of solicitors to comply with access requests from former clients. Often the reason cited by the solicitor for not complying with the access request is that they have a common law lien on all documents and papers that constitute work carried out on the client's behalf for which payment remains outstanding.
This issue, where a common law lien on a client's file is considered to apply, is one that we have dealt with and we are not in any way unsympathetic to the scenario for the solicitor in question where a former client is seeking not to pay outstanding fees which are the subject of a dispute. Equally, in the context of a file handled by a solicitor's practice, it is undoubtedly the case that there is far more information on a file than what could be considered to be the requester's personal data and no requirement to provide any information which is not strictly the personal data of the requester arises. However, the Data Protection Acts, which transpose the EU Directive on Data Protection, do not provide any exemption to the provision of the personal data of a person in these circumstances.
A solicitor who has been engaged by an individual is a data controller of that individual's personal data which is subsequently processed. Personal information held by a data controller falls to be released in response to an access request unless a valid exemption as provided for under Sections 4 and 5 of the Data Protection Acts can be relied upon.
The complaints were resolved to the satisfaction of the complainants and the solicitors concerned on the basis of the following guidance from my Office:
- The exemption provided for under Section 5(1)(g) of the Data Protection Acts, which relates to personal data "in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers" applies to personal information held in respect of a solicitor's capacity as legal adviser to its clients (not the requester) rather than information held in their capacity, or former capacity, as legal representative for the requester.
- In relation to letters from the solicitor acting for another client, it is possible that the restriction to the right of access in Section 5(1)(g) of the Data Protection Acts may apply to any personal data of the requester contained within them.
- Regarding letters generated by a solicitor on behalf of the requester who was a client, a large number of which may have already been sent to them in the normal course of events, i.e. when generated, its difficult to see how a claim of privilege under Section 5(1)(g) would apply where the letters have previously been sent to the requester.
- It is difficult to anticipate that Section 5(1)(g) would apply to attendance notes created by the solicitor in relation to their client. Where notes relate specifically to the client and were created in that context, we would deem the personal data contained in those notes to be valid for release.
My Office received a complaint from an individual concerning the alleged failure of HSG Zander Ireland Limited to comply with an access request submitted to it in October 2010. The requester was a former employee of HSG Zander Ireland Limited and he informed us that the company had hired a private investigator to monitor him for a period of time. He was particularly eager to access any personal data contained in documentation relating to the surveillance carried out by the private investigator.
We commenced an investigation with HSG Zander Ireland Limited in relation to an alleged failure to comply with the access request. It subsequently provided the requester with a copy of his personnel file but stated that it was withholding the security report compiled by the private investigator by virtue of the exemption under Section 5(1)(g) of the Data Protection Acts 1988 and 2003. This Section restricts the right of access to personal data "in respect of which a claim of privilege could be maintained in proceedings in a court in relation to communications between a client and his professional legal advisers or between those advisers".
It was not obvious to our investigation that a security report compiled by a private investigator could constitute a communication between a client and their professional legal advisers to which a claim of privilege could be maintained in proceedings in a court. On that basis we sought an explanation from HSG Zander Ireland Limited as to its application of that provision to restrict the right of access to the data subject. In response, the company immediately released a copy of the security report and associated photographs to the data subject while maintaining its position that it was entitled to restrict the right of access in accordance with Section 5(1)(g).
We also established in the course of our investigation that there was no contract in place between HSG Zander Ireland Limited and the private investigator who prepared the security report. Engaging the services of a private investigator is no different to engaging the services of any other third party service provider. For that reason, it is unlawful for an entity to pass any details of its employees to a private investigator for the purposes of surveillance or for any other purpose unless that entity has put a contract in place with in line with Section 2C(3) of the Data Protection Acts 1988 and 2003 which would render the private investigator to be a data processor.
With greater frequency complaints such as this one are coming to my Office regarding difficulties which data subjects are experiencing in accessing security or surveillance reports which have been conducted on them by private investigators. I consider it necessary, therefore, to set down my position in relation to the requisitioning of such reports in the first instance and then the right of access by data subjects to them.
The decision by a data controller to engage the services of a private investigator to gather personal data surreptitiously about a data subject carries very serious risk of breaching the provisions of the Data Protection Acts and the general right to privacy protected by Bunreacht na hÉireann (the Irish Constitution), the European Charter of Fundamental Rights and the European Convention on Human Rights. It should therefore not be taken lightly. Data controllers who hire a private investigator to undertake surveillance on an individual and/or to seek a background or other report from a private investigator on an individual must be aware of and should ensure that the following rules are observed both by themselves and by the private investigator:
I. Prior to passing any instructions to a private investigator in respect of any individual, the data controller should have a written contract in place with the private investigator which meets the requirements of Section 2C(3) of the Data Protection Acts.
II. Any processing of information by private investigators on their behalf must be undertaken in full compliance with the Data Protection Acts.
III. The private investigator is expected to comply at all times with the Data Protection Acts and should not perform their functions in such a way as to cause the data controller to breach any of its obligations under the Data Protection Acts.
IV. Any unauthorised processing, use or disclosure of personal data by the private investigator is strictly prohibited.
V. Where the private investigator, pursuant to its obligations under contract from the data controller, processes the personal data of an individual on behalf of the data controller, the private investigator should:
- Process the personal data only in accordance with the specific instructions of the data controller;
- Process the personal data only as is necessary for the fulfilment of its duties and obligations under the contract with the instructing data controller;
- Implement appropriate measures to protect against accidental loss, destruction, damage, alteration, disclosure or unlawful access to the personal data in their possession;
- At the conclusion of each investigation deliver all data collected and processed under the contract of service to the instructing data controller and delete all such personal data held by itself at that time;
- Not further disclose the personal data to any other party except with the express approval of the data controller;
- Not seek to access personal data held by other data controllers which is not in the public domain without the consent of the data subject or unless otherwise permitted by law.
With regard to the right of access to reports compiled by private investigators, the responsibility to comply with a data subject access request lies with the data controller who hired the private investigator. Where a private investigator receives an access request from an individual, they should transmit that request without delay for processing to the data controller who commissioned them in respect of the particular task. I do not consider that any of the restrictions to the right of access to personal data which are set down in Section 5 of the Data Protection Acts could reasonably be applied to an access request by an individual for a copy of a surveillance report or accompanying photographs or video footage taken by a private investigator. As in the aforementioned complaint, Section 5(1)(g) is invalidly relied on from time to time as a means of restricting access by data subjects to private investigator reports by data controllers or by solicitors who hired private investigators on their behalf. This Section does not equate to privilege at common law (i.e. legal advice privilege and litigation privilege). Instead, this very narrow statutory restriction to the right of access only applies where (i) there is a communication between a client and his professional legal advisors or a communication as between a client's professional legal advisors; and (ii) that is a communication in respect of which a claim of privilege could be maintained in proceedings in a court. A private investigator's report, commissioned by a data controller or by a solicitor acting on behalf of a data controller, is clearly not a communication between a client and his professional legal advisors. Nor is it a communication as between a client's professional legal advisors. For those reasons, the statutory exception in Section 5(1)(g) does not apply to such a report.
I will continue to defend the rights of data subjects to access a copy of private investigator reports and I do not contemplate that any of the limited restrictions to the right of access in the provisions of Section 5 can, as a generality, be validly claimed in such cases.