Data Protection Commissioner
Data Protection Commissioner

Case Study 4

The Bar Council's In-house Legal Diary and Ashville Media

The Bar Council complained to me about the use of their members' data by a publication "The Irish Legal Professional" which was published by the Ashville Media Group. The Bar Council explained that Ashville Media Group had published the Bar Council's in-house legal diary, which was for the sole use of barristers from 1998 to 2002, under contract. On expiry of the contract, the Bar Council then changed to another company for publication of the diary. In order to publish the barristers' diary, Ashville Media Group had been afforded access to an internal database containing contact details for all barristers, including their home addresses, home and work telephone numbers, mobile numbers and email addresses. The Bar Council stated that despite the termination of the contract between the Bar Council and Ashville Media Group, Ashville Media Group used the database in their own publication "The Irish Legal Professional" in 2003 and 2004.

In my investigation, Ashville acknowledged the facts alleged in the complaint. However they submitted that the personal data (contact details) of barristers are already in the public domain and are readily available to the public, and as such the Legal Diary simply makes these more accessible to Barristers and Solicitors. I noted that section 1(4)(b) of the Acts provides that the Acts do not apply to personal data which is required to be made available to the public by the person keeping it. However, I was satisfied that there is no legal obligation on the Bar Council to make the personal data of barristers available to the public so I found that section 1(4) was not relevant in this case. However, even if it was the case that barristers' details are in the public domain by virtue of a requirement on the Bar Council to publish the data, that would not absolve other data controllers or data processors acquiring those data of their obligations under the Acts.

In my decision, I noted that during the currency of the contract, Ashville was a data processor on behalf of the Bar Council within the meaning of the Acts (a data processor being a person who processes personal data on behalf of a data controller). I found that this means that personal data obtained for the purposes of a data processor contract may not be processed subsequently for a different purpose and that as a data processor; Ashville in publishing the contact details of Barristers in their 2003 and 2004 Guide contravened section 21(1) which provides that

"personal data processed by a data processor shall not be disclosed by him...without the prior authority of the data controller on behalf of whom the data are data processed".

I also found that Ashville Media Publications

? in continuing to process the data were in that respect also a data controller and that as such they had contravened section 2(1)(c)(ii) of the Acts by further processing the data for a new purpose, i.e. in publishing the contact details of Barristers in their 2003 and 2004 Guide;

? as a data controller, had contravened section 2(1)(a) of the Acts in that the data was not fairly obtained for the new purpose and

? contravened section 2A of the Acts in that none of the conditions specified in that section (consent or another specified condition) were met in order to legitimise the processing of the data.

In reaching my Decision, I required Ashville to delete the Bar Council's 2002 database and any other data derived from it i.e. the 2003 and 2004 databases and I noted that they responded promptly undertaking to comply with this requirement. Accordingly, I decided not to institute proceedings against Ashville Media for an offence under section 21(2) of the Acts.

personal data obtained for the purposes of a data processor contract may not be processed subsequently for a different purpose- responded promptly undertaking to comply with Commissioner's requirements and not necessary to prosecute