Case Studies
The following is a list of case studies, by year, as featured in Annual Reports published by this Office. These case studies provide an insight into some of the issues that this Office investigates on a day to day basis. For ease of reference, some of the case studies have been indexed by categories below.
Case Studies - By Year
Case Studies - By Category
- Right of Access
- Disclosure
- CCTV
- Fair Obtaining
- Further Processing
- Minors
- Medical Data
- Accurate & Up To Date
- Security of Data
- Direct Marketing - Email
- Direct Marketing - Postal
- Direct Marketing - SMS
- Direct Marketing - Telephone
- Direct Marketing - Fax
- Enforcement
- Registration
- Retention
- Right of Rectification / Deletion
- PPSN
- Legal Privilege Exemption
- Excessive Information
- Improper Processing
Right of Access
- Case Study 15 of 2016: Personal data withheld from an Access Request by Airbnb on the basis of an Opinion given in confidence
- Case Study 14 of 2016: Data Controller obliged to demonstrate effort made to locate data within the statutory 40 day period.
- Case Study 11 of 2014: Eircom fails to meet Statutory Timeframe for processing Access Requests
- Case Study 8 of 2014: Patient denied Right of Access by SouthDoc
- Case Study 11 of 2013 : Incorrect application of Section 4(4A) to restrict access to personal data
- Case Study 13 of 2013 : Access Request for CCTV footage
- Case Study 9 of 2012: Disclosure of Student Personal Data by Secondary School
- Case Study 4 of 2012: Discovery Process Reveals Data Protection Breach
- Case Study 3 of 2012: Access Restriction Under Section 5(1)(A) Requires a Prejudice Test
- Case Study 2 of 2012: Unacceptable Delay By O2 in Processing an Access Request
- Case Study 10 of 2011: Financial Institutions Deny Right Of Access To Credit Assessments.
- Case Study 11 of 2011: Access Request For Old Records.
- Case Study 12 of 2011: Access Requests To Solicitors For Copies Of Files.
- Case Study 13 of 2011: Access To Reports Compiled By Private Investigators.
- Case study 6 of 2008 : Total Fitness Ireland and legal powers used to ensure compliance with an access request
- Case study 9 of 2008 : An access request and a successful claim of legal privilege by a Data Controller
- Case study 21 of 2008 : Access is wrongly denied in respect of an accident report
- Case study 2 of 2007 : Data Controller breaches several provisions in its processing of Sensitive Personal Data
- Case study 8 of 2007 : Failure to finalise a complaint against Money Corp Limited
- Case study 13 of 2007 : Dairygold - failure to comply in full with an access request
- Case study 9 of 2006 : An Garda Síochána - Failure to respond to an access request on time
- Case study 10 of 2006 : Caredoc - failure to comply with an access request & appeal of an enforcement notice
- Case study 11 of 2006 : Barcode / Westwood Club - failure to comply with an access request for CCTV footage
Disclosure
- Case Study 8 of 2016: Disclosure of personal information to a third party by a data processor
- Case Study 5 of 2016: Prosecution of Glen Collection Investments Limited and one of its Directors.
- Case Study 2 of 2016: Disclosure of personal data to a third party in response to a Subject Access Request
- Case Study 1 of 2016: Prosecution of James Cowley Private Investigator
- Case Study 8 of 2015: Disclosure of personal information to a third party by the Department of Social Protection
- Case Study 10 of 2015: Danske Bank erroneously shares account information with third parties
- Case Study 10 of 2014: Personal data disclosed by County Council
- Case Study 7 of 2014: Complaint of disclosure by Permanent TSB - Not Upheld
- Case Study 6 of 2014: Disclosure of financial information by a Credit Union
- Case Study 4 of 2014: Disclosure of employee salary details by the HSE
- Case Study 7 of 2013 : Customer information disclosed by phone retailer
- Case Study 6 of 2013 : Doctor discloses sensitive personal data to insurance company without consent.
- Case Study 18 of 2012: Health Service Executive
- Case Study 16 of 2012: Major Retailer - Credit Card Slips Discarded
- Case Study 15 of 2012: Allied Irish Banks - Postal Breaches
- Case Study 10 of 2012: Customer Data Transfer For Waste Collection Service in Dublin
- Case Study 6 of 2012: Outstanding Debt Details Legitimately Passed On To Debt Collection Agency
- Case Study 6 of 2011: Customer Data Legitimately Passed From Car Dealership To New Buyer.
- Case Study 8 of 2011: Veterinary Practice Discloses Dog Owner's Personal Data.
- Case Study 1 of 2009: Disclosure of personal data due to inappropriate security measures
- Case Study 3 of 2009: Disclosure of personal details by a local authority on its website
- Case Study 12 of 2009: Paternity test result sent to wrong address
- Case Study 13 of 2009: Use of postcards to communicate with customers regarding overdue account
- Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts
- Case study 2 of 2008 : Disclosure of email addresses by a financial institution
- Case study 14 of 2008 : Credit Union commits several breaches by failing to update a member's address record
- Case study 15 of 2008 : Tesco - resale of an Apple iPod containing a customer's personal data
- Case study 19 of 2008 : Personal data is disclosed in a letter
- Case study 2 of 2007 : Data Controller breaches several provisions in its processing of sensitive personal data
- Case study 7 of 2007 : Aer Lingus - disclosure of employee information
- Case study 14 of 2006 : School Archiving Project - disclosure of personal data
- Case study 4 of 2005 : Complaint by a school manager about disclosure to parents of his personal data contained in a school inspection report
CCTV
- Case Study 7 of 2015: Supermarket's excessive use of CCTV to monitor member of staff
- Case Study 9 of 2015: Covert CCTV installed without management knowledge
- Case Study 12 of 2015: Unfair use of CCTV data
- Case Study 13 of 2013 : Access Request for CCTV footage
- Case Study 8 of 2013 : CCTV images of staff member unlawfully transmitted to third parties
- Case Study 8 of 2012: Excessive Use of CCTV in a Nursing Home
- Case Study 5 of 2012: High Court Rules That Data Can Be Accessed By Litigant
- Case Study 9 of 2011: Unlawful Use Of CCTV To Remotely Monitor An Employee.
- Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes
- Case study 3 of 2007 : Inappropriate use of CCTV footage by West Wood Club
- Case study 6 of 2007 : Data Controller breaches data protection law in regard to use of covert CCTV footage
- Case study 11 of 2006 : Barcode/Westwood Club: Failure to comply with an access request for CCTV footage
- Case study 8 of 2005 : CCTV cameras on the Luas line
Fair Obtaining
- Case Study 10 of 2016: Residential Care Home's legitimate use of audio recording and photograph of data subject concerning allegations of abuse
- Case Study 9 of 2016: The necessity to give clear notice when collecting biometric data at a point of entry
- Case Study 7 of 2016: Further processing of an individual's personal data in an incompatible manner
- Case Study 5 of 2016: Prosecution of Glen Collection Limited and one of its Directors
- Case Study 1 of 2016: Prosecution of James Cowley Private Investigator
- Case Study 10 of 2013 : Breaches by hotel in use of photographs of employees in dismissal cases
- Case Study 16 of 2013 : Loss of photocopies of passports
- Case Study 14 of 2012: Client List Taken By Ex-Employee to new Employer
- Case Study 7 of 2009: Recruitment companies sharing CV's
- Case Study 14 of 2009: Employer breaches Acts by covert surveillance using a private investigator
- Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts
- Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes
- Case study 6 of 2007 : Data Controller breaches data protection law in regard to use of covert CCTV footage
- Case study 6 of 2006 : News of the World: Limits of the Media Exemption
- Case study 2 of 2003 : PMI Ltd mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent
- Case study 1 of 2001 : Bank and insurance company – cross-marketing of a third-party product – incompatible use and disclosure – fair obtaining and processing – small print and transparency
- Case study 4 of 2001 : Credit card transaction – use of details from a previous transaction without consent – fair obtaining – transparency - retention period
- Case study 2 of 2000 : Department of Education & Science – use of trade union membership subscription data to withhold pay – fair obtaining and processing – specified purpose – compatible use – purpose as described in register entry
Further Processing
- Case Study 18 of 2016: Incorrect association of an individual's personal details with another file
- Case Study 7 of 2016: Further processing of an individual's personal data in an incompatible manner
- Case Study 6 of 2015: Further processing of personal data by a state body
- Case Study 9 of 2009: Further processing personal data without consent
- Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts
- Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes
- Case study 2 of 2007 : Data Controller breaches several provisions in its processing of Sensitive Personal Data
- Case study 3 of 2007 : Inappropriate use of CCTV footage by West Wood Club
- Case study 4 of 2004 : The Bar Council's In-house Legal Diary and Ashville Media
- Case study 5 of 2004 : Political database and a charity request, "spamming" of constituents and non co-operation from a County Councillor
- Case study 1 of 2003 : Drogheda Hospital- investigation into a consultant's practice- patients felt consent was necessary- balance to be struck with concerns for public health issues overall
Minors
- Case study 3 of 2008 : A marketing campaign sets up personalised website addresses and breaches the Acts
- Case study 4 of 2008 : Interactive Voice Technologies and unsolicited text messages
- Case study 6 of 2006 : News of the World - Limits of the Media Exemption
- Case study 10 of 2006 : Caredoc - Failure to comply with an access request and appeal of an enforcement notice
- Case study 10 of 2004 : Bank of Ireland marketing of 12 and 13 year old school children
- Case study 2 of 2003 : PMI Ltd mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent
- Case study 6 of 2002 : Women's Mini- Marathon-unauthorised and incompatible disclosure-Internet photographs-informed consent
- Case study 10 of 1998 : School web site - personal data relating to children - issue of fair obtaining
- Case study 7 of 1997 : Direct mailing to children – complaint by parent – issues of fair obtaining and keeping data longer than necessary
Medical Data
- Case Study 6 of 2013 : Doctor discloses sensitive personal data to insurance company without consent.
- Case Study 11 of 2012: Dept. of Education Circular Leads to Complaint about Sick Leave Information
- Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts
- Case study 1 of 2007 : Right of Rectification of Personal Data Held by a Data Controller
- Case study 2 of 2007 : Data Controller breaches several provisions in its processing of Sensitive Personal Data
- Case study 10 of 2006 : Caredoc: Failure to comply with an access request and appeal of an enforcement notice
- Case study 2 of 2005 : Life assurance company and medical reports - access request denied
- Case study 9 of 2005 : Disclosure of patient details to the National Treatment Purchase Fund
- Case study 1 of 2004 : Employment matters – claim of legal privilege and access to medical data in the workplace
- Case study 1 of 2003 : Drogheda Hospital- investigation into a consultant's practice- patients felt consent was necessary- balance to be struck with concerns for public health issues overall
- Case study 4 of 2003 : Access to medical records on a change of general practitioner
Accurate & Up To Date
- Case Study 18 of 2016: Incorrect association of an individual's personal details with another file
- Case Study 11 of 2015: Failure to update customer's address compromises the confidentiality of personal data
- Case Study 10 of 2009: Mobile network operator fails to suppress customer marketing preferences
- Case study 14 of 2008 : Credit union commits several breaches by failing to update a member's address record
- Case study 18 of 2008 : A civil summons is served on the wrong person
- Case study 1 of 2007: Right of Rectification of Personal Data Held by a Data Controller
- Case study 1 of 2000 : An Garda Síochána – subject access request – time limit for response – accuracy of personal data – excessive and irrelevant personal data – date of birth
- Case study 6 of 1999 : Financial institution - inaccurate credit rating - rectification - notification of third parties to whom incorrect data had been released
- Case study 2 of 1997 : Data about two people combined in one record kept by a credit referencing agency – issue of accuracy
- Case study 11 of 1997 : Direct mail for previous householder – decline direct marketing – inaccurate data – repeated promises
- Case study 2 of 1996 : A customer disputed his credit rating by a financial institution – issue of accuracy – the rating as understood by the institution
- Case study 8 of 1997 : Credit record indicated that borrower had faced litigation and loan had been partly written off – issue of accuracy – previous concerns about fair obtaining revived
Security of Data
- Case Study 17 of 2016: Data Breach at an online retailer
- Case Study 16 of 2016: Crypto Ransomware attack on a Primary School
- Case Study 3 of 2016: Data Breach at retail and online service provider
- Case Study 5 of 2015: Defence Forces Ireland - failure to keep data safe and secure
- Case Study 16 of 2014: Compromise of Adobe Network
- Case Study 15 of 2014: Theft of unencrypted laptop
- Case Study 14 of 2014: Employee of financial institution resigns, taking customer personal data
- Case Study 13 of 2014: Data Controller discloses personal data to business partner
- Case Study 12 of 2014: Third Level student data appeared on 3rd Party website
- Case Study 14 of 2013 : Data Security Breach at Loyaltybuild Ltd
- Case Study 2 of 2013 : County Council Causes Breach by Outsourcing Data Processing to Third Party
- Case Study 15 of 2013 : Client list taken by ex-employee to new employer
- Case Study 17 of 2013 : Medical files sent to incorrect email address
- Case Study 18 of 2013 : Computer affected by Ransomware
- Case Study 19 of 2013 : Customer had on-line access to third party telephone bill details
- Case Study 17 of 2012: O2 - Missing Media Tape
- Case Study 13 of 2012: Stolen Laptops - Phone Companies Prosecuted for Loss of Personal Data
- Case study 12 of 2008 : Credit unions transmitting personal data via unsecured e-mails
- Case study 16 of 2008 : Failure to properly safeguard a staff member's medical certificate
- Case study 10 of 2007 : Member of staff at Revenue accessing and using personal data of a taxpayer
- Case study 3 of 2003 : Visa application details accidentally put on website of Department of Justice, Equality and Law Reform
- Case study 9 of 2002 : Details of other bank account holders of the same name, supplied in response to access request-inadequate response to customer-security procedures-lack of awareness at branch level of data protection
- Case study 3 of 2001 : Employee performance ratings disclosed to other staff – inadequate security
- Case study 6 of 2000 : Financial institution – Laser card – printing of home address on receipts – incompatible disclosure – adequate security
- Case study 2 of 1999 : Life insurance company - retention by ex-employee of customer data - unauthorised access - obligation to take appropriate security measures

