Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

CASE STUDY 11/97

Direct mail for previous householder – decline direct marketing – inaccurate data – repeated promises

A man who bought a house found that direct mail, from several sources, arrived regularly for the former owner. My Office advised him to tell each sender that the former owner had moved, and when he did so all but one of them stopped the mailings. Post continued to arrive from a third-level educational institution, although it had made a number of promises that the matter would be rectified. This was a matter of some annoyance to the house-owner and he made a formal complaint to me.

I have had complaints before about mail being sent to an address after the sender has been told that the person concerned has moved. In my view this contravenes the requirement in section 2(1)(b) that data "shall be accurate and, where necessary, kept up to date". If a data controller knows that the information he keeps about someone is out of date, he has an obligation to change it whether or not the data subject has asked for this to be done. In this case, the former resident of the house (who had been a student at the institution) had either forgotten or chosen not to tell the institution that she was moving. But the institution knew from the present owner that she was no longer there, and therefore it was wrong to keep that inaccurate address on its mailing lists.

When contacted by my Office, the institution apologised for the continued mailings. It explained that the inaccurate data had indeed been deleted previously from its mailing lists. However, in the course of computer maintenance work an earlier back-up version of the lists had been restored on the computer system.

This case illustrates a point which needs to be borne in mind by data controllers – generally those with sizeable data-holdings – who keep back-up copies. Given the obligation under section 2(1)(d) to take "appropriate security measures" against the "accidental loss or destruction" of data it is of course proper to keep back-up versions in case data are corrupted or erased. However it is necessary for data controllers to consider what measures they can take so that a back-up version, if restored, accurately replicates the live version of data that it has replaced. My Office drew the educational institution's attention to this matter and offered some advice on how it might be dealt with.