Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

CASE STUDY 3/98

Joint bank account - issue of accuracy - disclosure - right of access

 The complainant and another person held a joint account with a bank. It came to the complainant's attention that her name was not included in the details of the account kept by the bank. The bank undertook to correct the omission. Subsequently, the complainant found that the name which was recorded on the account was not her own, but a name similar to hers that could be regarded as having a certain public notoriety. In a letter to the bank the complainant alleged that the bank had failed to meet its responsibilities under the Data Protection Act, 1988, in the following respects -

  • maintaining an inaccurate record
  • disclosing the information to an unauthorised person
  • failing in its duty of care to her
  • causing her damage and distress
  • failing to provide information on request.

The complainant raised the matter with my Office. This complaint concerned a number of distinct issues, which were considered separately in the light of the various relevant provisions of the Data Protection Act. In the first instance, section 2(1)(b) of the Act obliges data controllers to ensure that "the data shall be accurate and, where necessary, kept up to date". In addition, section 6(1) entitles a data subject "to have rectified or, where appropriate, erased any such data in relation to which there has been a contravention by the data controller of section 2(1) of this Act".

The bank acknowledged to me that the complainant's name had initially been omitted from the details of the account and that another name, not that of the complainant, had subsequently been incorrectly entered through a typing error. When this error was brought to the bank's notice it was immediately corrected and a letter of apology was sent to the complainant.

I adjudged the bank to have contravened section 2(1)(b) of the Act in that the complainant's data had not been accurate and up to date, and I upheld this aspect of the complaint. However, in my formal decision on the matter, I acknowledged the fact that the bank had rectified the mistake at the earliest opportunity in compliance with section 6(1) of the Act.

As to the alleged disclosure by the bank of personal details to an unauthorised person, I had regard to section 2(1)(c)(ii) of the Act, which requires that personal data "shall be not be used or disclosed in any manner incompatible with [the specified and lawful] purpose [for which the data are kept]".

Disclosure, in the case in question, would occur only if data relating to the account-holder were made available to a third party. The complainant made no reference to any specific instance of disclosure. The bank informed me that the only occasion on which the inaccurate information had been made available outside the bank was in a statement to the other joint account holder. The issuing of a bank statement to joint account holders would not ordinarily, in my view, constitute a disclosure in contravention of the Act, and this aspect of the complaint was not upheld.

Finally, I considered the question of the data subject's right of access to her personal data. Section 4(1)(a) of the Act provides as follows -

Subject to the provisions of this Act, an individual shall, if he so requests a data controller in writing -(i) be informed by the data controller whether the data kept by him include personal data relating to the individual, and

(ii) be supplied by the data controller with a copy of the information constituting any such data, as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section.

In her letter to the bank, the complainant had written -

"I want my subject access request under the Data Protection Act to be complied with to the fullest extent to which I am entitled ... I want to know what computer files the name and/or address has been linked to within the bank and I want to see those files."

I am satisfied that this constituted a valid request by the complainant under section 4 of the Act for a copy of her personal data. The bank responded to the complainant, shortly before the expiry of the 40-day reply period, by forwarding to her a copy of its official 'access request application form'. This response did not, in my view, constitute compliance with the individual's access request, and accordingly I upheld this aspect of the complaint against the bank. Data controllers must appreciate that where an individual supplies them in writing with sufficient information to process the access request, and meets the other requirements (for example payment of the processing fee that may apply) set out in the Act, then that request is valid and must be complied with. The bank did eventually provide the individual with a copy of the relevant records.