Data Protection Commissioner

Case Studies 2012

Case Study 1: Insurance Companies Prosecuted for Registration Offences

In February 2012 three insurance companies, Zurich Insurance Plc, FBD Insurance Plc and Travelers Insurance Company Limited, appeared in the Dublin District Court on charges relating to their processing of personal data in contravention of Section 19 of the Data Protection Acts.
Background
A formal data breach report was received by the Office in December 2010 from the Department of Social Protection concerning the alleged leaking to third parties by one of its officials of personal data held on the Department’s computer systems. We immediately launched an investigation which identified two suspect entities engaged in ongoing contact with the official in question.
Having established the identity of these entities we carried out an unannounced inspection at a firm of private investigators, Reliance Investigation Services Ltd, in Co. Kildare. During the course of that inspection, we obtained a copy of that firm's active client list for 2010. Having examined the client list, we identified that Zurich Insurance Plc, FBD Insurance Plc and Travelers Insurance Company Ltd were active clients of the private investigator. To progress the investigation of the data breach, the Commissioner requested Authorised Officers to conduct inspections at all three insurance companies. These inspections took place in December 2010.
Using the information which had been obtained at the premises of the private investigator, a number of claim files were identified in each insurance company as cases in respect of which the private investigator had provided services to the insurance company concerned. The email systems and a number of files, in both manual and computer form, were examined during the course of those inspections.
Over the course of the following months, we continued our investigations by examining this information and during this time also received from the Department of Social Protection a list of all of the computer accesses made in 2010 on the Department’s computer systems by the official suspected of committing the data breach. This led to the identification of further cases which required examination in the context of the investigation of the data breach. Further inspections took place at all three insurance companies in 2011. During these inspections, our Authorised Officers identified a number of cases which were of interest in the context of the data breach investigation. Amongst some of those cases were reports submitted by the private investigator which contained information of a social welfare nature.
The Authorised Officers sought and were provided with copies of private investigator reports in respect of several cases concerning five individuals. The information which appeared to us to contain social welfare data of the individuals concerned was presented by us to the Department of Social Protection in August 2011 for examination. We subsequently received written confirmation from the Department of Social Protection in respect of each of the individuals concerned that the Department's computer system contained a data set of information relating to the individuals, that the data was used by the Department for the performance of its functions, that the data was "social welfare data," that the information on the sheets matched the social welfare data stored on the Department's computer system and that the social welfare data concerned was stored securely on the Department's computer systems and was not publicly accessible.
Register Entry
Under Section 16 of the Data Protection Acts, the Data Protection Commissioner has established, as is required, a public register of data controllers and data processors who are obliged to apply to be registered and to give certain details about their processing of personal information. Insurance undertakings fall into the category of data controllers which are required to be registered. All three insurance companies had current entries on the register at the time of this investigation.
We examined all the register entries for each company. We noted that a description of personal data in the form of social welfare data was not recorded on the register entry. We also noted that the purpose for which personal data in the form of social welfare data was processed by the insurance companies was not recorded on the register entry. Having examined the data breach investigation file and the register entries for each of the three insurance companies, the Commissioner decided to initiate prosecution proceedings for breaches of section 19 of the Data Protection Acts. This section sets out the effect of registration. It provides, among other things, that a registered data controller shall not keep personal data of any description other than that specified in the register entry and that the data controller shall not keep or use personal data for a purpose other than the purpose described in the entry.
Court Hearing
On 13 February, 2012 the Dublin District Court accepted jurisdiction in the matter. Each of the defendant insurance companies pleaded guilty to ten charges in respect of breaches of Sections 19(2)(a) and 19(2)(b) of the Data Protection Acts. Having heard the prosecution evidence, the Court was satisfied that the prosecution case had been proven. Section 1(1) of the Probation of Offenders Act was applied in the case of each defendant company. Each of the defendant companies made an offer of a charitable donation of €20,000 to be paid to a charity of the Court’s choosing. In each case, the Court accepted the offer and it directed that all three payments be made to the Capuchin Day Centre within two weeks. The Office also recovered from the defendants the legal costs arising from the prosecution.
Other Matters Arising
The Department of Social Protection also notified An Garda Síochána of the data breach and separate Garda investigations have taken place focussing on the source of the leakage and the role of private investigators in the breach.

Case Study 2: Unacceptable delay by O2 in processing an access request

We received a complaint in March 2012 in relation to the alleged failure of O2 (a Telecommunications company) to comply with an access request made to it in January 2012 seeking a copy of call records in respect of a mobile phone number from November 1999 to the date of the access request. In response to an access request, a data controller must supply the personal data to the individual within forty days of receiving the request.
We commenced our investigation initially by way of telephone contact with O2 during which we were assured by the company that it would immediately contact the requester's legal representatives to progress the matter of the access request. O2 subsequently wrote to the requester's legal representatives requesting a fee of €6.35 for the processing of the access request. It also informed them of the two year retention period applying to such data as set out in the Communications (Retention of Data) Act, 2011 and it informed them that call records beyond two years were not available.
The requester rejected the suggestion that there were limitations on the availability of call records beyond two years. They were informed by O2 that it was not simply a technical limitation but a legislative limitation and obligation incumbent on it on foot of the Communications (Retention of Data) Act, 2011 which obliges telecommunications service providers not to retain any such call data after a period of two years has elapsed.
In April 2012 O2 provided us with a copy of a letter which it sent to the requester's legal representatives informing them, among other things, that the mobile number for which the data was requested was an unregistered number. We urged the requester's legal representatives to provide O2 with any information available to substantiate ownership of the mobile number.
During the course of a subsequent conference call with O2 we established that the telephone number used by O2 when conducting its initial search of its database contained an incorrect digit. A further search by O2 using the correct digit established that the phone number was registered to the requester. We instructed O2 to commence the process of retrieving the call records immediately. O2 informed us in August 2012 that the retrieval process had been completed and that a copy of the call records for the previous two years had been provided to the requester's legal representatives in response to the access request.
The requester's legal representatives subsequently requested a formal decision under Section 10 of the Data Protection Acts. The Commissioner found in his decision that O2 contravened Section 4(1)(a) of the Data Protection Acts by not providing the relevant personal data within the time limit specified in respect of the access request submitted to it in January 2012.
There were several failings on the part of O2 in the processing of this access request:
  • The Data Protection Acts provide at Section 4(1)(c)(i) that a fee may be payable to the data controller in respect of an access request. O2 requested the fee of €6.35 more than two months after the receipt of the access request and it did not commence processing the request until the fee was received. As the application of the fee is entirely discretionary on the part of the data controller, it is our view that if the data subject does not submit the fee with the access request, the onus lies on the data controller who intends to apply the fee to request payment at the earliest possible opportunity within the forty day statutory period. In the meantime, the data controller should continue to process the access request with a view to meeting the forty day timeframe for release of a copy of the personal data, subject to the fee being received within that timeframe. If the fee is not submitted until after the statutory timeframe, the data controller is not obliged to release a copy of the data sought until it receives it. However, a data controller may not delay the processing of a data access request and the release of a copy of personal data by failing to request payment of the fee until the statutory timeframe of forty days has either elapsed or is about to elapse within a few days.
  • The data retrieval process did not commence until the end of May 2012, four months after the receipt of the access request. This was due to O2's delay in requesting the fee and the fact that its initial search for records was conducted using an incorrect number. As a result of these delays, four months of data which the data subject wished to access was no longer in existence by the time the data retrieval process commenced.
  • The data retrieval process was completed in August 2012. By O2's own admission and due to technical limitations, all such requests made to O2 can take up to ten weeks to process. Therefore, had the retrieval process commenced as soon as the access request was received, the forty day statutory timeframe in which such requests must be complied with would still have been exceeded, thereby resulting in a breach of Section 4(1)(a) of the Acts.

Case study 3: Access Restriction Under Section 5(1)(a) Requires A Prejudice Test

We received a complaint from an individual in relation to an access request he submitted to the Health Information and Quality Authority (the Authority). The complainant had worked as a healthcare assistant in a nursing home and was allegedly involved in an incident there. Details of this alleged incident were reported to the Authority and the individual concerned sought to access any personal information now held by the Authority.
The Authority refused to provide the requester with a copy of the personal data held by it as it was of the opinion that the data was exempt from disclosure under Section 5(1)(a) of the Data Protection Acts 1988 and 2003. This provision states that Section 4 of the Act does not apply to personal data “kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders …. in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid.” The Authority stated that the data it held in relation to the requester was kept for the purpose of preventing, detecting or investigating offences under Section 79 of the Health Act 2007.
We commenced an investigation by contacting the Authority, informing it of the nature of the complaint and requesting that it explain how it had come to the view that the requester’s personal data in this case was exempt from disclosure under Section 5(1)(a). It was not immediately clear to us that personal data relating to an alleged incident involving a healthcare assistant came within the ambit of the offences which the Authority had power to investigate and/or prosecute.
The Authority stated that the offences within Section 79(2) of the Health Act 2007 related inter alia to compliance by the registered provider (i.e. the nursing home) with the Health Act 2007 (Care and Welfare of Residents in Designated Centres for Older People) Regulations 2009. It said that the offences thereunder are offences for which the registered provider would be subject to sanction and, for that reason, it was considered that the data fell within the ambit of Section 5(1)(a). Regarding the status of the investigation into alleged offences under the Health Act 2007, we were informed that following its initial review the matter was concluded from a care and welfare perspective. However, the Authority indicated that it intended to keep the file on the matter active until the relevant statute of limitations period had elapsed.
We advised the Authority that a prejudice test applied to the applicability of the exemption under Section 5(1)(a). We also pointed out that the requester's right to access personal data is confined to that data which relates to them, or by which they can be identified. We pointed out that this does not provide a basis for the requester to access from a report or files information which is not their personal data. We informed the Authority that while it was a matter for it to determine in the first instance, it was not immediately obvious to us what prejudice would arise in relation to an investigation by releasing the personal data to the requester in this case.
The relevant issue for the Authority to consider was whether the provision of the requester’s personal data would be likely to prejudice the Authority’s ability to investigate the alleged non-compliance by the care home with the Health Act 2007. Following a further examination, the Authority concluded that no prejudice would arise by the release of the personal data concerned. The requester was subsequently provided with a copy of the personal data concerned.
While the Data Protection Acts restrict the right of access to personal data where that data is kept for the purpose of investigating and/or prosecuting offences, the mere existence of such an investigation or proceedings does not permit the exercising of a blanket exemption by the data controller across all personal data held by it. The personal data of an individual who requests access to such data may only be withheld where the provision of that data would be likely to prejudice the particular investigation or prosecution proceedings. The exemption is not a permanent one.
Where investigations and follow-on proceedings (if any) have been completed it is unlikely that those matters can continue to be prejudiced by the release of the personal data concerned. Once the prejudice no longer exists, the exemption used to withhold the personal data ceases to apply and a copy of the personal data must be made available to the data subject.

Case study 4: Discovery Process Reveals Data Protection Breach

We received a complaint in September 2011 from an individual in relation to the alleged failure of the Dublin Airport Authority to comply in full with an access request made to it in May 2005. Dublin Airport Authority had responded to this access request in July 2005 stating that it held no personal data in relation to the requester.
Some years later, however, a number of documents were produced following a discovery process undertaken by the Dublin Airport Authority pursuant to High Court proceedings. In that context, the data subject was given access to a copy of three documents which contained some personal data relating to him. These documents pre-dated the access request made in 2005. The data subject complained that his right of access had been wrongly denied six years previously.
Having examined the documents concerned, we were satisfied that they did contain some personal data relating to the data subject and that those items of personal data did fall due for release at the time of the access request in 2005. We commenced an investigation by contacting the Dublin Airport Authority on the matter and we sought a full explanation in relation to the handling of the access request in 2005.
We received correspondence from Dublin Airport Authority’s legal representatives informing us that, following receipt of the access request in May 2005, Dublin Airport Authority identified a small number of documents in its possession relating to the request. They informed us that, at the time of the access request, an assessment of the documents was made in conjunction with legal advice obtained by the Dublin Airport Authority. This concluded that the documents did not constitute personal data within the meaning of the Data Protection Acts given that only passing reference was made to the data subject and that the data subject was not the focus of the documents in question. Consequently, a letter issued to the requester in July 2005 stating that Dublin Airport Authority held no data in relation to him which would be regarded as personal data.
The complainant sought a decision on his complaint. The Commissioner subsequently issued a formal decision which found that Dublin Airport Authority contravened Section 4(1)(a) of the Data Protection Acts, 1988 and 2003 by not providing the relevant personal data to the data subject within the time limit specified in respect of the access request made in May 2005.
The Commissioner specifically identified on the documents involved the text which he considered to constitute personal data of the data subject concerned. (The documents discovered on foot of the High Court proceedings contained non-personal information as well as some personal data relating to the data subject). As this case demonstrates, a court discovery process undertaken long after the access request was processed uncovered a data protection breach which took place at the time of the processing of the access request and this breach was caused by the data controller's interpretation of the definition of personal data. As a result, the data subject was wrongly denied his right of access to his personal data for a number of years.

Case study 5: High Court Rules That Personal Data Can Be Accessed By Litigant

My Office received a complaint in February 2010 from the legal representative of an individual concerning the alleged failure of Dublin Bus to supply her, in response to an access request, with a copy of CCTV footage of an incident involving her which occurred on one of its buses.
Córas Iompair Éireann Group Investigations Department responded to the access request stating that:
"All documents and records in this office are prepared in contemplation of litigation. These days every incident is a potential claim and our files fall within legal professional privilege. In those circumstances, information in any form, is not disclosed pursuant to a Data Subject Access Request nor is our defence evidence disclosable. In the event of disputes on that point, you can apply to Court for a Discovery Order."
The complainant also informed us that, at the invitation of Dublin Bus, the legal representative of the data subject had attended, on its client's behalf, at CIE Offices to view the footage concerned prior to the submission of the access request to the company.
Investigation
In commencing our investigation of the complaint we asked Dublin Bus to outline the specific circumstances under which the data subject's image was captured by CCTV systems operating in Dublin Bus and to provide an explanation as to why a copy of the CCTV footage was not provided to the data subject in response to her access request. We stated that it was unlikely that CCTV footage of an incident would fall under the legal professional privilege exemption provided for at Section 5(1)(g) of the Data Protection Acts.
Dublin Bus responded by claiming “the CCTV footage was preserved solely for use in the defence of any litigation arising out of the accident and regardless of whether or not litigation is yet in being it is privileged.” 
In attempting to progress our investigation we gave Dublin Bus a number of opportunities to re-consider its position on the application of the Section 5(1)(g) exemption. However, it maintained its position and it refused to supply a copy of the footage in response to the access request.
Enforcement
An Enforcement Notice was served on Dublin Bus in January 2011 requiring it to provide the data subject with a copy of the CCTV footage concerned. The Notice stated that the Commissioner was of the opinion that Dublin Bus was in contravention of Section 4(1) of the Acts in failing to comply with an access request made to it in February 2010. Dublin Bus appealed the Enforcement Notice to the Circuit Court. Subsequently, Dublin Bus requested that the Enforcement Notice be withdrawn as the data subject sought discovery in April 2011 in the context of High Court proceedings of all information held by Dublin Bus relating to the incident which had allegedly taken place on the bus. The Commissioner did not accede to this request.
Circuit Court
In its appeal to the Circuit Court in May 2011 and relying heavily on the UK Durant case, Dublin Bus submitted:
  • that the Enforcement Notice was an attempt to subvert the jurisdiction of the courts;
  • that the CCTV footage did not constitute personal data within the meaning of the Data Protection Acts;
  • that the CCTV footage was not held or maintained on a relevant filing system; and 
  • that the CCTV footage was downloaded solely for the purposes of the defence of anticipated litigation and is, as such, privileged.
Counsel for the Data Protection Commissioner submitted:
  • that the Durant case was irrelevant as the UK Data Protection Act 1998 gives the Court discretion as to whether to direct access to such data;
  • that by allowing an inspection of the CCTV footage to the data subject's legal representatives, Dublin Bus thereby waived any privilege it claimed;
  • that even if any privilege was not waived, Dublin Bus does not come within the exception provided at Section 5(1)(g) in relation to the CCTV footage in this case; 
  • that there is no provision in the Acts which precludes a data subject from exercising their right to access personal data to which they are entitled because they are litigating before the Court; and
  • that there are no exemptions from the right of access where civil legal proceedings are contemplated or ongoing.
On 5 July 2011 the Circuit Court judgment was delivered (Record No. 1316/2011). It ruled that:
  • the CCTV footage concerned is personal data within the meaning of the Data Protection Acts;
  • Dublin Bus does not come within the exception relating to privilege under Section 5(1)(g) of the Data Protection Acts from the obligation to comply with a data access request under Section 4;
  • there are no exemptions under the Data Protection Acts from the right of access under Section 4 where civil legal proceedings are contemplated or ongoing; and 
  • the UK Data Protection Act 1998 is distinct from the Irish legislation in that it confers a discretion on the Court as to whether to grant an order for access.
The appeal by Dublin Bus was accordingly dismissed and costs were awarded to the Data Protection Commissioner.
High Court
Dublin Bus appealed the Circuit Court judgment to the High Court. The case was heard in June 2012 (Record No. 123CA/2011). Dublin Bus submitted:
  • that the Circuit Court erred in law in holding that, subsequent to the commencement of legal proceedings, the High Court did not have the sole competence to deal with and adjudicate upon all of the matters arising between the parties relating to the accident;
  • that the proper forum for adjudicating on matters of Discovery between the parties is the court which has seisin of the proceedings, in this instance, the High Court; 
  • that any attempt to seek disclosure outside of the High Court is a mistaken and inappropriate attempt to usurp the function of the High Court;
  • that the role of the Data Protection Commissioner is protecting the data of the citizens of the state. The Commissioner should have no role in the conduct of litigation; 
  • that by affording an appellant the right to first appeal to the Circuit Court, and thereafter to the High Court on a point of law, the drafters of the legislation clearly intended that the Courts would have discretion in deciding upon the interpretation of the Acts. Therefore, the purposive effect of the Acts provisions must be considered, and it is on this basis that the dicta of Auld LJ in the Durant case retains very strong persuasive value in terms of the interpretation of the Irish Acts; and
  • that the High Court should take cognisance of the dicta of Auld LJ that the purpose of data protection law is not "to assist [a litigant].... to obtain discovery of documents that may assist him in litigation or complaints against third parties."
Counsel for the Data Protection Commissioner submitted:
  • that the Circuit Court was correct in its finding;
  • that the serious and significant error test (in Ulster Bank v Financial Services Ombudsman [2006] IEHC 323) is of long standing in Irish law and is the appropriate standard to apply to this appeal;
  • that a person's fundamental right to access their personal data under the Acts is not conditional upon their establishing a good motive for wanting their personal data and the Commissioner is not required to demand of a requester why they want their personal data;
  • that if the drafters of the legislation wished to impose limitations on the right of access to personal data in circumstances where litigation had been instituted they would have done so expressly; 
  • that there is nothing about making a data access request pursuant to the statutory right of access that amounts to subverting the jurisdiction of the courts, indeed quite the opposite, since the courts expect parties to see if they can obtain information from other sources before taking up the time of the court with a discovery request; 
  • that any exemption to data protection law should be narrowly construed since it is an exemption from a fundamental right.
On 8 August 2012 Hedigan J delivered judgment. He noted that no attempt had been made in the appellant's notice of appeal to identify any points of law. He stated: "From the Court's perspective this is completely unsatisfactory. Simply saying that you are appealing the whole of a judgment does not amount to a valid appeal on a point of law. An appeal on a point of law is just that. The point of law should be identified and the submissions should be directed to that point. When pressed on the matter, the appellant did identify the point of law which it wished to raise on appeal as follows: 'Whether the existence of legal proceedings between a data requester and a data controller precludes a data requester making an access request under the Act.'"
Hedigan J found that the English case law relied upon by Dublin Bus was not relevant. He found that in effect the appellant was "seeking to carve out a new exception in the Acts, to the effect that whenever a data requester has instituted litigation against a data controller he or she is precluded from making a data access request under the Acts." Hedigan J accepted Counsel's submission that "if the drafter of the legislation wished to place such limitations on the right of access to personal data then they would have done so expressly."
Hedigan J concluded: "Thus in my judgment, the existence of proceedings between a data requester and the data controller does not preclude the data requester making an access request under the Act nor justifies the data controller in refusing the request. I am not therefore satisfied that the appellant has raised a point of law giving rise to grounds for overturning the decision of the learned circuit judge. I must therefore dismiss this appeal."
The High Court subsequently made an Order for costs in favour of the Data Protection Commissioner.
The High Court's ruling in this matter is welcome as it provides important legal clarity on the right of access to personal data for individuals involved in matters of litigation while at the same time it defines for data controllers the narrow restriction to the right of access which is contemplated by the exemption in Section 5(1)(g).

Case study 6: Outstanding debt details legitimately passed on to debt collection agency

In January 2012, the Office received a complaint from an individual alleging that her personal data had been unfairly processed by the telecommunications company Hutchison 3G Ireland (Three). The complainant alleged that her personal data had been passed by Three to a debt collection agency without her consent.
The complainant informed us that she had entered into a twelve month broadband contract with Three and paid for the service by direct debit. She informed us that after the twelve months had expired, she cancelled her direct debit for payment of the service as she considered the contract was up. She stated that she also contacted Three to cancel her contract. The complainant alleged that she began to receive phone calls from Three querying the cancellation of her direct debit and in relation to an outstanding debt on her account. The complainant further informed us that, despite her communications with Three in relation to the matter, a number of months later she received a letter from a debt collection agency regarding her debt to Three.
This matter was raised with Three and in its response, it informed us that the complainant had originally signed up for a twelve month minimum term contract. It also informed us that all of Three's minimum term contracts remain in place following the expiry of the minimum term which is standard in the industry.
According to Three, under the terms of its customer contracts, if a customer wishes to cancel a contract, they must provide thirty days written notice. In this case, Three informed us that the complainant continued to use the account long after the minimum term of twelve months had expired. Three further informed us that the complainant cancelled her direct debit payment for the broadband service prior to her cancellation of the contract and it sought to recoup the monies owed in respect of the broadband usage which occurred after the direct debit had been cancelled.
It also informed us that, in accordance with its normal debt collection process, it issued the account of the complainant to a debt collection agency. Three's terms and conditions clearly stated that it may use and share customer details for the collection of any debts on an account and that this may include the use of debt collection agencies to collect debts on its behalf. In this case, Three used a debt collection agency to obtain repayment of the complainant's debt.
It was our view, following the investigation of this complaint, that Three did not unfairly process the complainant's personal data when it passed her details to a debt collection agency in order to have any outstanding debt collected.
This case study highlights that it is vital when individuals are signing up to contracts with any company, that they are fully aware of what they are signing up to. Terms and conditions of a contract should always be read and fully understood before committing to such a contract.

Case study 7: Collection of photographic identity by a fertility clinic

In November 2011 the Office received a complaint from an individual regarding what she considered excessive personal data being sought by a fertility clinic. The complainant informed us that she had been attending at the clinic, that she had been told at one of her appointments that the clinic required a photograph of her and her partner and that, without it, she could not proceed with the fertility treatment. The complainant allowed the clinic to take the photograph but she felt that it was excessive.
The complainant alleged that she had not been informed at the initial consultation of the compulsory condition to provide a photograph. Following further communication with the clinic, the complainant was informed that the photograph was necessary to prevent and diminish any potential mistakes with identification of tissue tests and embryos.
We wrote to the clinic and we asked it to outline the basis for the collection of photographs, and the need for them to be retained on the clinic's database. We also asked if the same level of security could otherwise be achieved by having sight of the patient's photographic identification, without retaining a copy of it.
In its response, the clinic indicated that the basis for the collection of the photographs was to verify the identity of each patient when they presented for an appointment. It informed us that it believed this to be an appropriate security measure to minimise the risk of unauthorised access to or disclosure of medical records to anyone other than the presenting patient. It also informed us that it was not possible to maintain and provide the same level of security by having sight of photographic identity without retaining a copy.
As a result of this complaint, the clinic undertook to introduce some new procedures. This involves requesting all patients to sign a consent form for the taking of their photograph. If a patient refuses to sign the form, the data protection officer at the clinic will meet with the patient to explain the purpose of the photograph and to offer an alternative option of producing photographic identification at each appointment. In this case, the clinic undertook to facilitate the complainant and her partner's request to have their photographs removed from the database.
This Office was satisfied with the new procedures as they took into account the patient's preference while at the same time maintaining the same level of security which the clinic required.

Case study 8: Excessive use of CCTV in a Nursing Home

In April 2012, we received a complaint from an individual in relation to the operation of CCTV cameras at a nursing home. The nursing home had installed CCTV cameras in the corridors, day room, kitchen, front entrance, staff room, residents' dining room, games room and drug therapy room. Concerns were also raised that the CCTV system was linked to the owner’s private residence allowing the cameras to be checked remotely during the night.
Images of people captured by CCTV cameras are personal data and the processing of such images is covered by the provisions of the Data Protection Acts. The use of CCTV cameras must be proportionate and transparent. We asked the nursing home to outline to us the circumstances under which CCTV footage was recorded and accessed. We also asked the nursing home to confirm if there was a linkage of the CCTV system to a private residence and its purpose.
In its reasoning for the use of CCTV, the nursing home informed us that it was to ensure the safety, protection and quality of care to its residents and also to ensure the safety and protection of staff. It also informed us that the CCTV system was not connected to a private residence but it was connected to the smart phones of both directors to allow them to maintain the quality and care of residents from a distance. It said that this alleviated the need for the directors to constantly make unannounced visits at night.
Having reviewed the nursing home’s response we informed it that it was clear that it was using CCTV and live monitoring via cameras as a substitute for on-the-ground supervisory staff. We informed it that we could not see any basis under which the use of smart phones for live monitoring purposes could operate legitimately in accordance with the Data Protection Acts. We asked the nursing home to voluntarily cease the practice with immediate effect. We also asked it to provide some still screen shots taken from the CCTV cameras in the kitchen area so that we could consider further the appropriateness of the cameras operating in that area.
The nursing home immediately removed the CCTV camera from the staff room and it also disconnected the smart phone links to the CCTV system. It also provided screen shots from the CCTV cameras in the kitchen area. It explained that the kitchen area was unsupervised between the hours of 8pm and 8am and, as kitchens can be a dangerous place for elderly residents, it felt that the use of a CCTV camera was justified in this particular area.
Having fully reviewed the situation, we recommended that the camera in the kitchen be switched off during working hours when staff are present. We also gave the nursing home recommendations concerning changes we considered were necessary to the CCTV signage which was in place there.
Of particular interest in this case study is the concept of remote access to CCTV cameras. In this instance, the remote access was carried out by means of smart phones. Remote access to CCTV cameras, by whatever means, is becoming more frequent with advances in technology. Clearly such technology is helpful in terms of providing security monitoring of an empty building at night time or at weekends and no data protection issues arise in such situations. However, concerns from a data protection perspective arise where the remote access takes place in relation to areas such as manned workplaces and where workers perceive that their work performance is being monitored on a live basis.
Employers are tempted to use such technologies as a substitute for on-the-ground supervision by supervisory or managerial staff. Such situations are difficult to reconcile with the requirements of the Data Protection Acts and this Office cannot see any legal basis to justify the monitoring of individuals in the course of their normal activities by such means. In instances such as that outlined in this case study, where there is no valid justification for the use of remote access technology to link to CCTV cameras, we will continue to order that the remote access concerned be terminated.

Case Study 9: Disclosure of Student Personal Data by Secondary School

In November 2011 we received a complaint from an individual concerning the alleged disclosure of his daughter’s personal data by a secondary school at which she was a student, St. Joseph's College, Borrisoleigh, Co. Tipperary, to a third party. It was alleged that this disclosure took place by way of a letter issued by the secondary school to a third party without the knowledge or consent of either the complainant or his daughter.
By way of background, the complainant informed us that, following a complaint which he and his wife had made to the Board of Management of a local national school, he received correspondence from the Chairperson of that school’s Board of Management in relation to that complaint. Included with that correspondence was a copy of a letter issued by St. Joseph's College which contained references to the complainant’s daughter who was a student of that College. We were further informed that this letter, which was allegedly requested by a separate third party (a parent of a different student at St. Joseph’s College) and addressed "To Whom It May Concern," was subsequently passed by that third party to the Chairperson of the Board of Management of the local national school.
My Office commenced the investigation of the complaint by writing to St. Joseph's College. We asked it for an explanation as to what led to the alleged disclosure and what steps were being taken to address the matter. We received a response from St. Joseph's College informing us that it would not be getting involved in our investigation at that juncture. We responded in early December 2011 stating that, as St. Joseph's College was the data controller in this instance, we required a response to our letter. In the absence of any further communication we issued a final warning letter to St. Joseph's College on 12 January, 2012 requiring it to respond to our investigation within fourteen days. On the following day we received a phone call from the school manager of St. Joseph's College. He informed us that he did not have any knowledge of the issues between the complainant and his school.
On the same phone call we then spoke to the administrator of St. Joseph’s College, the signatory of the letter in question. He informed us that when the third party requested the letter he (the administrator) did not know why he wanted it. He said that he was unaware that he breached the Data Protection Acts when he made references to the complainant’s daughter in the letter. Later that day, we received an email from St. Joseph's College outlining the circumstances which led to the issuing of the letter to a parent of a student at the College and which referenced the complainant’s daughter, a different student at the same College. In the email, the administrator indicated that the parent concerned did not state that the letter would be given to the Board of Management of a primary school. The College informed us that it had redrafted its data protection policy to ensure that the Data Protection Acts are fully complied with.
Having informed the complainant of the College’s response to our investigation, we asked him if he was interested in seeking an amicable resolution of his complaint. In response, he indicated that he could not accept that there could be any informal resolution to his complaint and he sought a decision of the Commissioner.
In making the decision on this complaint, the Commissioner examined and considered all aspects of the case. He formed the opinion that St. Joseph's College contravened Section 2(1)(c)(ii) of the Data Protection Acts by disclosing the personal data of the student concerned to a third party without her knowledge or consent or the knowledge or consent of her parents. This contravention occurred when St. Joseph’s College issued a letter in September 2011 containing personal data of one of its students under the heading “To Whom It May Concern” and gave it to a third party, namely a parent of a different student.

Case Study 10: Customer Data Transfer for Waste Collection Service in Dublin

In January 2012 the Office received several complaints and enquiries from citizens of the Dublin City Council area after they received a letter notifying them that Dublin City Council and Greyhound Recycling and Recovery had reached agreement on the sale of the Council's commercial and domestic waste collection business to Greyhound Recycling and Recovery. The letter indicated that Greyhound Recycling and Recovery would take over control of bin collections for the Council's 140,000 customers on 16 January, 2012 and that from that date the Council would officially transfer its waste collection business to Greyhound Recycling and Recovery.
It went on to outline the annual service charge and lift fees which would apply to the service. It also gave details of the methods of payment and it included a customer payment card with a customer account number for the new Greyhound account. The letter also stated that the final City Council bill for the period ending on 13 January, 2012 would be issued and the revenue collected on behalf of the City Council by Greyhound Recycling and Recovery which would also collect any outstanding arrears on behalf of the City Council. Complainants to this Office expressed concerns in particular about the transfer of their personal data by Dublin City Council to a private company without their knowledge or consent.
We conducted a comprehensive investigation which focussed on both the transfer of customer data from Dublin City Council to Greyhound and the collection of Dublin City Council customer debts by Greyhound.
The transfer of customer data from Dublin City Council to Greyhound.
Our investigation concluded that the core elements of the sale of the business did not breach the Data Protection Acts. We established that the customer data transfer from Dublin City Council took place between 22 and 23 December, 2011. We noted that a notification letter regarding the new service provider was sent to customers of Dublin City Council in the first half of January 2012. The notification letter to customers should have taken place at a much earlier stage.
By notifying customers of their new service provider simultaneously with the completion of the sale, but only after the data transfer had occurred, Dublin City Council left this Office unable to conclude that the "fair processing" requirements of the Data Protection Acts, 1988 & 2003 were fully met in this instance.
Dublin City Council agreed, in light of this experience, that in the event that any similar situation arises in the future, it will seek to comply with all relevant guidance published by the Office of the Data Protection Commissioner and in force at that time, unless it obtains confirmation from this Office that compliance does not arise in a particular circumstance.
The collection of Dublin City Council customer debts by Greyhound.
Our investigation found that no transfer of personal data from Dublin City Council to Greyhound in respect of the collection of Dublin City Council customer debts had taken place. This was confirmed by the Office by way of an unannounced inspection at the premises of Greyhound and its agents on 26 January 2012. This inspection confirmed that only name, address and whether a household was entitled to a waiver were transferred to Greyhound.
We agreed with Dublin City Council and Greyhound that the customers of Dublin City Council and the customers of Greyhound must be assured that robust controls are in place at Greyhound to guard against any possibility of the cross pollination of debt collection information handled on behalf of Dublin City Council with personal data handled by Greyhound in the normal course of its waste collection activities. Accordingly, the following undertakings were agreed before any debt collection data was transferred from DCC:
                       
Staff at Greyhound or its agents who handle personal data in the context of debt collection for Dublin City Council will not have access to any personal data held in the context of Greyhound’s waste collection business, and vice versa.
The debt collection database held on behalf of Dublin City Council by Greyhound and/or its agent to be separate and distinct from all other aspects of Greyhound’s waste collection business. All access and use of the personal data held on behalf of Dublin City Council to be auditable and verifiable via specific usernames and passwords.
An audit procedure to be put in place by Dublin City Council to ensure that Greyhound, as a data processor on behalf of Dublin City Council, is fully compliant with all aspects of its data protection responsibilities as a data processor. An initial audit will take place within six months of the commencement of the debt collection function.
The terms of the audit to be agreed with this Office. This audit will be conducted by a competent third party auditor to be agreed with this Office. Further audits will be scheduled on an annual basis (for so long as Greyhound are acting as a data processor on behalf of Dublin City Council in relation to customer debt collection in respect of outstanding waste collection charges). This Office will be supplied with a copy of each audit report.
This case serves to highlight the steps which must be followed and the considerations which must be given to the procedures which need to be put in place when customer data transfers are envisaged in the context of the sale or transfer of a business. A guidance note on "Transfer of ownership of a Business" is published on our website and we recommend that data controllers pay close attention to it in such circumstances.

Case study 11: Department of Education Circular Leads to Complaint about Sick Leave Information

We received a complaint relating to a Department of Education Circular (No. 0060/2010) concerning sick leave for registered teachers.
Specifically, the complaint focussed on certified sick leave and the requirement in the Circular that the nature of illness must be stated in a medical certificate in order for it to be acceptable.
Under the Data Protection Acts, medical data falls into the category of “sensitive personal data.” An employer has a legitimate interest in knowing how long an employee is likely to be on sick leave absence from work. It also has a legitimate interest in knowing whether an employee, following an accident or illness, is capable of doing particular types of work. Requiring employees to produce standard medical certificates to cover absences due to illness does not therefore present any data protection issues. But an employer would not normally have a legitimate interest in knowing the precise nature of an illness and it would therefore be at risk of breaching the Data Protection Acts if it sought such information. Even the consent of the employee may not allow the disclosure of such information to an employer as there may be a doubt as to whether such consent could be considered to be freely given in an employment context.
The Office raised the matter with the Department of Education. The Department indicated that the purpose of such information was to ensure that there was sufficient information available to the employer to make an informed decision as to whether or not to make a referral to the Occupational Health Service and/or to take appropriate steps, where necessary, in relation to health and safety matters. It said that in the context of a school, where the employer has a duty of care to its students and staff and where a teacher often has sole and unsupervised access to, and responsibility for, children this was particularly important. It stated that in the Department’s view, there was a strong legitimate public interest in ensuring that there was sufficient information to enable the employer to deal with any health and safety issues that may arise.
We accept that there are limited circumstances where employers may seek information from an employee in the context of an illness-related absence from work. Such situations may also permit a health professional to provide details of illness on request to an employer in specific circumstances where specifically warranted in a workplace context. Our guidance in relation to this matter (FAQ 3.7 on our website) makes it clear that in certain very specific circumstances a doctor may be legally obliged to report certain illnesses to an employer for health and safety reasons and we recognise the need for this practice, particularly in the case of contagious diseases.
However, any general practice of requiring all employees to specifically disclose their condition or illness to account for their sick absences from work does give rise to serious concerns from a data protection perspective as it does not adequately protect the sensitive personal data of those employees who may have an illness/condition which they consider private or sensitive.
We indicated to the Department that all of the considerations it had outlined had been considered by a Working Group established by the Department of Finance in 2010, which included representation from various Government Departments, this Office and the Attorney General's Office. This led to the adoption of Department of Finance Circular 09/2010 setting out the Civil Service policy on the management of sick leave. In particular, Section 11 of that Circular states, among other things, that "While the nature of the illness does not have to be included in all circumstances, if it is not stated this may give rise to difficulties if seeking to have the absence discounted." We consider that this approach represents an appropriate balance between the concerns outlined by the Department and the legitimate privacy expectations of employees.
Following our intervention, the Department confirmed that it was no longer advising schools/teachers that the nature of illness must be stated in all cases where a medical certificate is required. The Department also undertook to reflect this change when revising the current sick leave circular for teachers in order to ensure compliance with the Data Protection Acts. In addition, the Department indicated that relevant staff had been notified of our findings on this matter.
This case study highlights that employers should be aware that, in general, only limited relevant information should be sought from an employee submitting a medical certificate to account for a period of sick absence. Seeking excessive sensitive personal data in that context is a clear breach of the Data Protection Acts.

Case Study 12: Prosecutions - Unsolicited Marketing

Advance Tyre Company Limited (trading as Advance Pitstop)
In June 2011, we received a complaint from an individual who received an unsolicited text message from Advance Pitstop in Dundrum. He informed us that he had never given his consent to receive marketing text messages from Advance Pitstop. We had previously sent a formal warning to Advance Pitstop in April 2011 informing it that, if we received any further complaints where offences were committed, we would prosecute it for those offences.
In this case, Advance Pitstop stated to us that it collected customer data via a form which customers were asked to complete in the branch. This included a tick box option for customers' marketing preferences. Advance Pitstop was unable to find in its records a form filled out by the complainant. The complainant also insisted that he did not fill out such a form. On this basis we decided to take prosecution proceedings against Advance Tyre Company t/a Advance Pitstop under Regulation 13(1)(b) of SI 535 of 2003 (as amended) for the sending of an unsolicited marketing text message to an individual without consent.
On 11 June, 2012, at the Dublin District Court, Advance Tyre Company Limited pleaded guilty to the sending of an unsolicited text message to the complainant without consent. The Court accepted the guilty plea and it applied the Probation of Offenders Act on condition that Advance Tyre Company Limited pay €1,000 to a charity, the Laura Lynn Foundation. Advance Tyre Company also agreed to pay the prosecution costs incurred by the Office.
Ocsas Holdings Limited (T/A The Fitzgerald Group, etc)
At the same court sitting in the Dublin District Court, Ocsas Holdings Limited faced six charges arising from a complaint we received in July 2011 regarding unsolicited text messages and emails which the complainant received from the Fitzgerald Group. He informed us that he signed up to a loyalty card called "BeneFitz" in December 2010. At the time he said he ticked a box indicating that he did not wish to receive any marketing communications from the company. Shortly afterwards, he began to receive both unsolicited marketing emails and text messages from the group. We had investigated a previous complaint regarding the Fitzgerald Group which resulted in a formal warning to it in February 2011.
The complainant emailed the Fitzgerald Group on two occasions asking to be removed from both the email and text message database of the Fitzgerald Group. He was informed by the Fitzgerald Group on both occasions in January and February 2011 that his details had been removed. However, the complainant then received further unsolicited marketing text messages in June and July 2011, prompting his complaint. It was clear to us that the Fitzgerald Group had not put proper procedures in place to ensure compliance with its obligations with regard to its marketing operations despite the previous warning.
On this basis the Commissioner decided to prosecute the Fitzgerald Group under Regulation 13(1)(b) of SI 535 of 2003 (as amended) in relation to the sending of an unsolicited marketing text message to an individual without consent.
The Court accepted one guilty plea from Ocsas Holdings Limited T/A The Fitzgerald Group, etc. The Court ordered that it pay €1,000 to the Laura Lynn Foundation and it applied the Probation of Offenders Act. Our prosecution costs were also recouped from the defendant.
Citywest Resort Limited
In early 2012, we received two complaints from individuals regarding unsolicited text messages sent by Citywest Resort Limited (trading as the Citywest Hotel, Conference, Leisure and Golf Resort) without consent and without the inclusion of an opt-out option. The messages in question promoted the Citywest Health and Leisure Club. Both complainants informed us that they had repeatedly contacted the Leisure Club requesting to be removed from the marketing database but they continued to receive further unsolicited marketing text messages. Previously, in August 2010, we had sent a formal warning to Citywest Health and Leisure Club with regard to its future marketing activities.
In response to our investigations, the Leisure Club admitted that it could not confirm that it had consent to send marketing text messages to either complainant. It stated that the numbers were obtained from its system of all active members but that they should not have been included in the marketing campaign. It also informed us that it was not aware that the opt-out option should have been included in the original text message as it always sent a follow up opt out text message.
Having probed this matter further with the service provider who sent the text messages on the Leisure Club’s behalf, there was no evidence to suggest that a follow up opt out message was sent to the complainants. The complainants also informed us that they did not receive such follow up opt out messages. It was clear to us that Citywest Health and Leisure Club had not heeded our previous warning letter of August 2010. The Commissioner decided, therefore, to take prosecutions against Citywest Resort Limited in relation to these offences.
On 19 November 2012, Citywest Resort Limited faced forty six charges at the Dublin District Court. It pleaded guilty to the sending of unsolicited marketing text messages to the two complainants without consent. Citywest Resort Limited was convicted on two counts and a fine of €1,000 was imposed. The prosecution costs were recovered from the defendant.
Therapie Laser Clinics Ltd
In 2010 we received a number of complaints about Therapie Laser Clinics Ltd in relation to the sending of unsolicited marketing text messages without consent and without an opt out facility. In some cases, the marketing messages promoted a sister company, Optilase. Following our investigation, Therapie assured us at the time that it would remove each complainant’s mobile phone number from its database. We issued a formal warning to Therapie in early 2011 to the effect that any further offences committed would be prosecuted.
In 2012 we received two further complaints regarding unsolicited marketing text messages sent by Therapie. One of the complainants was among those who complained in 2010 in relation to the issues described above. The second complainant stated that he had never given his mobile phone number to Therapie previously.
In response to our investigation, Therapie informed us in March 2012 that it was unable to confirm whether marketing text messages were sent to one complainant's phone as it could not see the number on its system. We requested information from Therapie's text service provider in relation to the text messages sent to the complainant. It informed us that Therapie had sent it an email requesting that the complainant's number be removed from the database. This email was sent on the very same date on which Therapie informed us that it could find no record of the complainant's number.
The Commissioner decided to prosecute Therapie on eight charges. In the Dublin District Court, the defendant entered a guilty plea on four charges. The Court convicted the defendant on two charges and it took two charges into account. It imposed a total fine of €4,000. The prosecution costs were recovered from the defendant.
Mobile Phone Companies
On 3 December 2012, we prosecuted the following companies at the Dublin District Court.
Meteor Mobile Communications Limited (T/A Meteor)
On the basis of one complaint from a member of the public we summoned Meteor Mobile Communications Limited on seven charges. The company pleaded guilty to one charge of sending an unsolicited marketing text message without consent. Meteor stated that due to human error the normal protocols were lifted in relation to a particular marketing campaign. This resulted in the complainant receiving an unsolicited marketing text message despite being previously opted out.
Of significant concern was the fact that Meteor admitted that unsolicited marketing text messages were sent to between 11,000 and 18,500 individuals due to this human error.  
The Court ordered Meteor to make a charitable donation of €5,000 to the Children’s Hospital in Temple Street and the Probation of Offenders Act was applied. The prosecution costs were recovered from Meteor.
Hutchison 3G Ireland Limited
Hutchison 3G Ireland Limited (Three) entered guilty pleas in respect of three out of seven charges for offences concerning an unsolicited marketing text message, an unsolicited marketing email and an unsolicited marketing phone call to different individuals.
In the first case, the complainant received an unsolicited text message to his mobile phone number. This person had previously opted out of receiving marketing communications from Three.
In the second case, the complainant was a former customer of Three who had requested that no direct marketing contact be made to her in any form. Due to what was described as a coding error an unsolicited marketing email was sent to the complainant without consent.
In the third case, the complainant had opted out of receiving marketing phone calls. He received a marketing phone call from a representative on behalf of Three.
The Court ordered Hutchison 3G Ireland Limited to donate €2,500 to the Children’s Hospital in Crumlin and the Probation of Offenders Act was applied. The Office’s prosecution costs were recovered from the defendant.
The Carphone Warehouse Limited
The Carphone Warehouse Limited entered guilty pleas in respect of two out of ten charges relating to the sending of unsolicited marketing emails to two individuals.
In both cases the complainants received unsolicited direct marketing emails without having been opted in to receive same.
The Court convicted The Carphone Warehouse Limited on both counts and it imposed a fine of €1,250 in each case. The prosecution costs were recovered from the defendant.
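The Citywest and Meteor prosecutions above turn on two controls: the opt-out instruction must be in the marketing message itself (a later follow-up text does not cure its absence), and the suppression check against opted-out numbers must not be something an operator can lift for a particular campaign. The following Python sketch is an added illustration of those two controls; it is not code from any of the companies named above or from this Office. The phone numbers, message text, consent records and the `skip_suppression` flag are constructed for the example.

```python
"""Added example: a direct-marketing dispatch gate.

Two failure modes from the 2012 prosecutions are modelled here:
  * a message sent with no opt-out instruction in its body (Citywest);
  * an operator override that "lifts the normal protocols" so that
    opted-out numbers are included in a campaign (Meteor).
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# Phrases accepted as an opt-out instruction in the message body (assumed list).
OPT_OUT_MARKERS = ("opt out", "opt-out", "unsubscribe", "text stop", "reply stop")


@dataclass
class Campaign:
    body: str
    recipients: list
    # Hypothetical operator flag modelling the override that caused the mass
    # send in the Meteor case. dispatch() deliberately never consults it:
    # suppression is not a per-campaign option.
    skip_suppression: bool = False


@dataclass
class DispatchResult:
    sent: list = field(default_factory=list)
    suppressed: dict = field(default_factory=dict)  # number -> reason
    rejected_reason: Optional[str] = None


def normalise_msisdn(number: str) -> str:
    """Reduce an Irish mobile number to national format so that
    '+353 87 123 4567', '00353871234567' and '087 123 4567' all map to the
    same suppression entry. A lookup that misses on formatting is one way an
    opted-out number ends up back in a campaign."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("00353"):
        digits = "0" + digits[5:]
    elif digits.startswith("353"):
        digits = "0" + digits[3:]
    return digits


def has_opt_out_instruction(body: str) -> bool:
    """True if the message body itself tells the recipient how to opt out."""
    lower = body.lower()
    return any(marker in lower for marker in OPT_OUT_MARKERS)


def dispatch(campaign: Campaign,
             suppression_list: Iterable[str],
             consent_records: Iterable[str],
             send: Callable[[str, str], None]) -> DispatchResult:
    """Send a campaign only to numbers with a consent record that are not on
    the suppression list, and only if the body carries an opt-out instruction.
    `send` is the transport (e.g. an SMS gateway call) injected by the caller."""
    result = DispatchResult()
    if not has_opt_out_instruction(campaign.body):
        result.rejected_reason = "message body carries no opt-out instruction"
        return result  # nothing is sent at all
    suppressed = {normalise_msisdn(n) for n in suppression_list}
    consented = {normalise_msisdn(n) for n in consent_records}
    # campaign.skip_suppression is intentionally ignored here.
    for raw in campaign.recipients:
        number = normalise_msisdn(raw)
        if number in suppressed:
            result.suppressed[number] = "opted out"
        elif number not in consented:
            # No evidence of consent (cf. Advance Pitstop, Citywest): do not send.
            result.suppressed[number] = "no consent record"
        else:
            send(number, campaign.body)
            result.sent.append(number)
    return result


if __name__ == "__main__":
    # Constructed sample run; not drawn from any real campaign.
    gateway_log = []
    campaign = Campaign(
        body="Winter tyre check now 20% off. Reply STOP to opt out.",
        recipients=["+353 87 123 4567", "086 111 1111", "0851234567"],
        skip_suppression=True,  # the override changes nothing
    )
    res = dispatch(campaign,
                   suppression_list=["0871234567"],
                   consent_records=["+353861111111"],
                   send=lambda n, b: gateway_log.append(n))
    print(res)
```

The point of the design is that the suppression check and the opt-out requirement live inside `dispatch()` rather than in a per-campaign configuration, so an operator cannot "lift" them for one send; the gate also treats a missing consent record the same way as an explicit opt-out, since a company that cannot produce evidence of consent is in the position Advance Pitstop and Citywest were in.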

Case Study 13 Stolen Laptops - Phone Companies Prosecuted For Loss of Personal Data

In the first prosecution case of its kind in Ireland, two telecommunications companies, Eircom and Meteor, appeared in the Dublin District Court in September 2012 to face charges relating to the loss of customer personal data which was stored on two unencrypted laptops, which had been stolen several months previously.
Background
A data breach report was received by this Office on 2 February 2012 from Eircom and Meteor. Regulation 4(6) of SI 336 of 2011 obliges telecommunications companies to notify the Data Protection Commissioner of personal data breaches without undue delay. This Regulation also obliges telecommunications companies to notify affected individuals of a data breach where the said breach is likely to adversely affect their personal data or privacy. The breach report informed us that two unencrypted laptops had been stolen from Eircom’s offices at Parkwest in Dublin between 28 December, 2011 and 2 January, 2012.
The report confirmed that the stolen laptops contained information relating to customers, including personal data. It indicated that the number of affected customers was 454 in the case of Meteor and 6,597 in the case of eMobile. The theft of the laptops was discovered on 3 January, 2012 and the matter was reported to the Gardaí (national police force) on 4 January, 2012. The breach report was made thirty days after the laptops were reported as stolen. An updated breach report was submitted on 15 March, 2012. This followed intensive contact between ourselves and Eircom/Meteor, including two meetings on site. The report indicated that, following a second phase of internal investigation, it was found that the number of affected customers was greater than previously reported. The revised figures were 3,944 Meteor customers and 6,295 eMobile customers.
Eircom (trading as eMobile)
6,295 eMobile customers were affected by the data breach. In relation to 142 of these cases, the personal data in question was in the form of customer application forms including proof of identity (e.g. copy of passport, driving licence, national identification, bank account/credit card details, financial statements and utility bills).
The other 6,153 cases contained details such as name, address, telephone and account number. The process of Eircom notifying its affected customers by letter began on 10 February 2012 (38 days after the laptops were reported stolen). A large number of affected customers were notified for the first time on 20 March, 2012 (77 days after the laptops were reported stolen). Letters included an apology to customers for the loss of their personal data. At our request, Eircom notified the banks of the breach via the Irish Banking Federation on 9 February, 2012.
Meteor
3,944 Meteor customers were affected by the data breach. In relation to approximately 1,244 of these cases, the personal data in question was in the form of proof of identity documents (e.g. copy of passport, driving licence, national identification, bank account/credit card details, financial statements and utility bills). The other approximately 2,700 cases contained details such as name, address, telephone and account number. The process of Meteor notifying its affected customers by letter began on 10 February 2012 (38 days after the laptops were reported stolen). An update of the 10 February, 2012 letter was issued on 20 March, 2012. A large number of affected customers were notified for the first time on 16 March, 2012 (73 days after the laptops were reported stolen). Letters included an apology to customers for the loss of their personal data. At our request, Meteor notified the banks of the breach via the Irish Banking Federation on 9 February, 2012.
Data Security
In relation to the electronic communications services sector, Regulation 4(1) of SI 336 of 2011 places an obligation on providers to take appropriate technical and organisational measures to safeguard the security of their services. Regulation 4(2) details some requirements specific to the electronic communications services sector. It provides that the measures to ensure the level of security shall at least ensure that personal data can be accessed only by authorised personnel for legally authorised purposes, protect personal data stored or transmitted from access or disclosure and ensure the implementation of a security policy with respect to the processing of personal data. We published a comprehensive guidance note on data security on our website in August, 2010.
This included guidance to the effect that encryption is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network. Encryption is the process of converting data from a readable format into an unintelligible one, so that it can only be read by a person holding the decryption key. On a portable device such as a laptop, encrypting the data (for example, encrypting the whole disk) protects it from access by unauthorised persons in the event that the device comes into their possession. That protection only holds where the decryption key or passphrase is not itself stored on or with the device.
Following this breach, the Eircom Group identified approximately 160 laptops which were not encrypted. All unencrypted laptops were encrypted by 24 February, 2012.
Breach Notification
This Office considers that data breaches of this nature should normally be reported to us within two working days of the data controller becoming aware of the incident. This has been our stated position since a data security breach Code of Practice was published in July 2010. Once we are notified of a breach we can quickly advise the data controller of what steps to take, what areas to focus on, how best to notify affected parties quickly, whether other bodies such as banks need to be informed of the breach, etc. Notification of a data breach to affected individuals quickly is also critical and essential as it allows them to take remedial action to protect themselves and their identities – particularly in cases where financial and identification documentation is stolen.
Court Hearing
At the Dublin District Court on 10 September, 2012 guilty pleas were entered on behalf of each defendant, Eircom and Meteor, in relation to three charges each in respect of offences under Regulation 4(1), Regulation 4(6)(a) and Regulation 4(6)(b) of SI 336 of 2011. These charges related to the failure to protect the personal data on the laptops by means of encryption, the failure to notify the Data Protection Commissioner of the data breach without undue delay and the failure to notify the affected customers of the data breach without undue delay.
After hearing the prosecution evidence, the Court was satisfied that the prosecution case was proven. The Court applied Section 1(1) of the Probation of Offenders Act, conditional upon a charitable donation of €15,000 being made by each Defendant to charities nominated by the Court - the Laura Lynn Foundation in the case of Eircom and Pieta House in the case of Meteor. This Office also recovered from the defendants the legal costs arising from the prosecution.

Case Study 14: Client list taken by ex-employee to new Employer

This personal data security breach involved two car showrooms based in the same locality. Garage A notified this Office of a data security breach under the Code of Practice. Garage A was alerted to the fact that one of their customers had received a marketing letter from a former employee who was now working for Garage B. The letter stated that the employee had moved to a different employer and was promoting Garage B.
Our investigation into this matter focussed on the issues of Garage A failing to keep secure the personal data that it held and that of Garage B processing personal data for which it had no consent to process.
When we contacted Garage B in relation to their processing of data relating to customers of Garage A, Garage B stated that the data had been contained within the diary of the new employee. The employee had used this data to write to individuals with whom he had dealt as an employee of Garage A. It was clear that Garage B had no consent from the individuals to process their data or to send marketing communications. Garage B also informed my Office that the data in question had now been destroyed.
Our Office also examined the data protection provisions in the employee contract of Garage A. The contract referred to the use of business data. We recommended to Garage A that the contract be amended to include specific reference to the use of personal data to prevent any ambiguity.
In certain situations that have come to our attention, there appears to be a misconception by some employees that the customers are their customers rather than that of the data controller, i.e. the employer. Data controllers must be aware that where they process data which has been brought in to the organisation by a new employee from their previous employment, without the consent of the individuals, they are in breach of the Data Protection Acts. This could be further exacerbated if they engage in electronic marketing to those individuals.

Case Study 15: Allied Irish Banks – postal breaches

During the Office’s investigation into the cause of postal breaches, it was identified that a significant proportion of Allied Irish Banks’ (AIB) breach notifications were the result of changes of address not being fully processed. We contacted AIB to raise the issue and to seek a solution. The response from AIB showed the seriousness with which they treated the matter, including bringing this matter to the attention of its Board Risk Committee.
AIB stated that it deals with, on average, 240,000 address amendments each year. However, almost one third of the notifications made by AIB to this Office were the result of errors made in the processing of such requests.
AIB, on foot of contact from this Office, carried out a comprehensive analysis of each incident to establish the cause of the error. AIB has now notified us of the procedures it is putting in place to address this issue.
AIB is to introduce a number of measures including the introduction of a “Self-Service Change of Address” facility on its internet banking portal to allow account holders to amend or change their address on accounts held solely in their name. A central unit to process address amendment requests is also to be established. It is proposed that change of address notifications will first be directed towards the self-service facility, but where this is not an option or appropriate, the notification will be forwarded to the central unit for processing.
AIB has also informed us of a number of additional steps that it will be taking immediately, including a number of training and briefing sessions to all its staff and the introduction of additional internal controls.
This Office welcomes the steps being taken by AIB to address this issue. We will monitor the effects of these new procedures and it is expected that they will lead to a significant reduction in the number of such data breach notifications that need to be made to the Office.

Case Study 16: Major Retailer – Credit card slips discarded

Early in the year, the Office received calls from two individuals reporting that there were credit card receipts littering a housing estate. The individuals had collected some of the receipts and were able to identify the retailer and the branch involved. We immediately contacted the retailer to advise them of the matter and to ensure that the retailer immediately sent staff to the area to recover the receipts.
The Retailer later notified this Office that the issue occurred when an envelope containing customer signed credit card receipts was put out for recycling rather than being securely destroyed. The envelope was then left out overnight in the store’s recycling bin. It is assumed that a passer-by searched through the bin, found and took the envelope. The individual then discarded the contents of the envelope a distance away from the store.
The Retailer, in an effort to recover the credit card slips, had staff search the locality in which the slips were seen and call to houses to recover any slips that may have been collected by individuals. The Retailer retrieved 500 credit card slips and was able to determine the period in which the relevant purchases had been made. We queried the total number of slips that were collected by the Retailer in this period.
It was determined that there was a balance of 200 receipt slips unaccounted for. Of the 500 recovered by the Retailer, many had been damaged by the inclement weather at the time and the details of the card holder could not be identified.
In dealing with such data security breaches, this Office employs a three-pronged approach. Firstly, we recommend that the affected individuals be notified of the matter. Secondly, the data controller should take steps to recover / secure the data. Finally, the data controller must put in place procedures to prevent a repeat of the issue.
In this case, the Retailer would not have the contact details of the affected individuals, nor was it in a position to identify all the affected individuals. The Retailer therefore contacted its service providers who process the credit and debit card payments. The card processing companies were able to identify the 700 customers involved. It was not appropriate for the card processing companies to supply the contact details to the Retailer and the card processing companies stated that in circumstances such as this it was their practice to monitor accounts for potential fraudulent activity, but not notify the cardholders directly. It was therefore agreed to proceed on this basis, the Retailer bearing all charges associated with this monitoring.
The Retailer, in attempting to secure the data, assigned considerable resources to searching the area in which the receipt slips were discarded and canvassing local houses. As noted above, this resulted in 500 of the 700 slips being recovered.
The Retailer notified my Office of the new procedures it was employing to prevent a repeat of this incident. A review of all confidential information held in stores was carried out and a special collection was arranged from all stores for the disposal of such information. A notification was issued to all staff reminding them of the need to securely store or destroy such confidential material. The Retailer’s Data Protection Policy and disposal policy were also updated.
We had also identified that the receipts being printed by the Retailer contained the full card number and start and expiry date of the card. We brought this issue to the attention of the Retailer, raising concerns with such a practice. The Retailer confirmed to this Office that it was changing its practice and future receipts would be printed with only part of the card number visible.
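The masking the Retailer moved to is the standard treatment of a card number on a customer receipt: print only enough of the primary account number (PAN) to let the cardholder recognise the card, and never the full number. The following is an added example, not code from the case or from the Retailer; it scans receipt text for full card numbers, confirms each candidate with the Luhn check so that reference numbers of similar length are left alone, and masks all but the last four digits. The receipt lines, the merchant name and the test card numbers are constructed for the example.

```python
import re

# Constructed sample receipt text (not from the case). The 16-digit card
# numbers are the industry's published test PANs, not real customer cards;
# the REF line is a Luhn-invalid digit run that must NOT be masked.
SAMPLE_RECEIPT = """\
MERCHANT: Example Retailer Branch 12
CARD: 4111111111111111 START 01/11 EXP 09/14
AMOUNT: EUR 45.20
CARD: 5555 5555 5555 4444 START 03/10 EXP 03/13
REF: 9876543210987654
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects non-digit input."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(candidate: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with '*', keeping separators."""
    n_digits = sum(c.isdigit() for c in candidate)
    seen = 0
    out = []
    for c in candidate:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - keep_last else "*")
        else:
            out.append(c)
    return "".join(out)


def unmasked_pans(text: str) -> list[str]:
    """Return the full (Luhn-valid) card numbers present in the text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = "".join(c for c in m.group(0) if c.isdigit())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_receipt(text: str) -> str:
    """Mask every Luhn-valid card number in the receipt text; leave other digit runs alone."""
    def repl(m: re.Match) -> str:
        candidate = m.group(0)
        digits = "".join(c for c in candidate if c.isdigit())
        return mask_pan(candidate) if luhn_ok(digits) else candidate
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    print("full PANs before masking:", unmasked_pans(SAMPLE_RECEIPT))
    print(mask_receipt(SAMPLE_RECEIPT))
    print("full PANs after masking:", unmasked_pans(mask_receipt(SAMPLE_RECEIPT)))
```

The same scan (`unmasked_pans`) is the check worth running over a store's receipt templates or a sample of printed output: a result other than an empty list means full card numbers are still reaching paper. Note that this example masks only the card number, which is what the Retailer changed; the start and expiry dates the Office also raised would need the same treatment if they are to be kept off the customer copy.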

Case Study 17: O2 – Missing media tape

Under the requirements of S.I. 336 of 2011, O2 notified the Office in July of a data security breach involving a missing backup media tape. O2 stated that the tape had been identified as missing by its service provider, IBM, in February. IBM had conducted searches for the missing backup media tape but was unable to locate it and notified O2 of the matter in May. In their notification to this Office, O2 stated that the data held on the media tape could only be accessed using the same technical equipment utilised to create the tape, which would cost in excess of €600,000.
We investigated this claim and found evidence contrary to the claim of O2. We then informed O2 of our findings, requested details of the type of data held on the backup media tape, and informed O2 of the need to notify affected individuals. O2 reverted stating that the backup media tape was created in August, 2011 and that it no longer held records as to what was held on the tape. It was therefore not in a position to identify the type of data held on the tape or the affected individuals.
We also sought an explanation as to the delay in notifying our Office of the data security breach. Under the obligations imposed by S.I. 336 of 2011, telecommunications companies and ISPs are required to notify both this Office and affected individuals without undue delay. O2 explained that they had not been notified by their service provider of the data security breach until three months after the issue was identified. The service provider during this time was carrying out searches for the missing media tape and analysing the potential issues. We informed O2 that this delay was unacceptable.
O2, as part of their report to the Office, provided two separate external forensic analysis reports on the backup media. Both of these reports examined the possibility of a third party gaining access to the data held on the missing media tape. Both reports stated that the data could not be accessed by an individual without access to proper equipment and technical expertise. O2 therefore argued that the data on the media was unintelligible, given the requirements to access the data.
However, this Office pointed out that both external reports supplied by O2 did note that the data could be accessed by a third party with sufficient resources. As the data was potentially accessible, Regulation 4(6)(b) of S.I. 336 of 2011 applied, requiring notification of affected individuals. The appropriate standard to be applied is not whether a member of the public could access the data, but whether the data could be accessed at all.
Whilst O2 disagreed with the views and interpretation of this Office, they agreed, as a matter of goodwill, but without any acknowledgement of liability or failure under the Data Protection Acts or S.I.336, to make a charitable donation and notify customers of the matter. As O2 were unable to identify specifically affected individuals, it was agreed that they would make a public announcement of the matter, via their website and press release. This announcement was made in early December. O2, as a gesture of goodwill, also made a charitable donation of €50,000 to Headstrong, a non-profit organisation supporting young people’s mental health.
To ensure that this type of data security breach did not occur again, O2 undertook a number of steps, including improved security and controls regarding the storage of media tapes. The Office also made a number of recommendations to O2, including the encryption of its backup media and that the contract between O2 and its third party service providers be amended to include a requirement for immediate notification of any potential data security breaches.

Case Study 18: Health Service Executive

In February, the Health Service Executive (HSE) reported to this Office a data security breach involving the disclosure of patient data to a third party. Documents which were faxed to the Assisted Admissions Services from a number of Mental Health Services were faxed to a private company in error. The company alerted the HSE to the issue, stating that it had received approximately 100 such faxes over a 3 year period. It had destroyed each fax as received but had not alerted the HSE to the issue until that point. The company stated that it had 20 such faxes in its possession which it had recently received and the HSE immediately organised to collect these documents from the company.
The HSE employs a third party company to provide assisted admissions services in certain geographic areas. The issue arose when staff dialled the wrong fax number when sending such faxes, using the Dublin area code rather than the correct county code.
This Office notified the HSE of its alarm at the fact that this type of breach was occurring, especially in light of previous communications with the HSE regarding the sending of sensitive data by fax. This Office had recommended a number of measures, including that the sender should first contact the recipient to expect the fax and that the sender should ensure that the fax number is dialled correctly. The HSE responded to this Office notifying that the investigation into the matter had been escalated to its National Incident Management Team. The HSE stated that it was pre-programming the number of the Assisted Admissions Unit into all relevant fax machines. Old fax machines were replaced and additional machines provided in areas that did not have specific access to a fax machine.
The issue had appeared to have been addressed when the HSE notified this Office in August of another such incident. The HSE notified this Office that the pre-programmed number on the relevant fax machine had disappeared from the pre-programmed number list. The HSE further informed us that it was now introducing a specific 1800 fax number for the Assisted Admissions Unit. It has also changed the prefix dialled to reach an outside line from zero to nine, to reduce the risk of an individual mis-dialling a number. This Office also advised that a sticker with the fax number of the Assisted Admissions Unit be placed on each fax machine. The HSE policy document in relation to the use of fax machines has also been displayed beside each fax machine within the HSE.
We were disappointed that this issue arose in the first instance, especially in light of previous communications with the HSE, and to then have it reoccur during the year, after the HSE had introduced preventative measures. It is apparent that staff were not adhering to the procedures which had been introduced. This issue highlights that, while data controllers can put in place systems to address potential data protection matters, all staff must be properly informed of the procedures being introduced and adhere to them.