CASE STUDY 5/01
MBNA Bank – unwanted direct marketing – mailings and telemarketing – failure to delete details from direct marketing databases – Eircom – the practice of 'teleappending' – fair processing – incompatible purpose
A number of individuals contacted my Office to complain about the receipt of direct marketing contacts from MBNA Bank, a financial institution specialising in credit cards. Some individuals were unhappy about receiving unsolicited telephone calls at their homes, while one individual – who had received a number of unwanted mailings and telephone calls over a period of several months – had gone to some lengths to remove his details from MBNA's direct marketing databases, but apparently without success. In investigating this series of complaints, two distinct but related issues arose for consideration: (i) MBNA's response to individuals' requests to opt out of direct marketing, and (ii) Eircom's practice of adding telephone directory details onto other large databases – the practice of 'teleappending'. Both will be considered in turn.
As regards the difficulties and concerns of individuals with regard to direct marketing, I raised the issue with MBNA and found the bank to be cooperative and helpful. The bank stressed its desire to comply fully with data protection law, and I had no reason to doubt the bank's bona fides in this regard. At a meeting with MBNA representatives, the bank explained that personal information was obtained from two principal sources: application forms (which included an 'opt-out' tick box, for those who did not wish to receive direct marketing), and a direct marketing agency called PMI, which maintains an extensive database (derived in large part from the electoral register) to facilitate direct marketing of Irish residents. The bank was fully aware of individuals' legal right to be removed from direct marketing databases, and had detailed procedures in place to ensure that this right was honoured. The bank acknowledged that these procedures had clearly failed for the complainant in this case.
My office insisted that fuller details be provided as to why the procedure had failed so badly in the case of the particular complainant in question. Having investigated the matter, MBNA concluded that the problem had arisen due to deficiencies in communication with its direct marketing associate, PMI. MBNA said that more stringent checking procedures had been put in place, and that direct marketing staff had been re-educated, with a view to addressing these deficiencies.
Section 2(7) of the Data Protection Act, 1988 provides that, on request, a person's name must be removed from a direct marketing list. In the circumstances of this case, I concluded that the Bank was, in this instance, in breach of its data protection obligations. I also found it appropriate, in the interests of fairness, to place the Bank's failure in this instance in proper context. I noted that the Bank issues of the order of 2,000,000 direct mailings every year, and process about 40,000 "do not contact" requests. The evidence would appear to indicate that they succeed in complying with the great majority of such requests, and I had no basis for doubting their stated commitment to complying with data protection law. I also noted that the bank had taken concrete steps to prevent a recurrence of this matter.
As regards the separate issue of telephoning people at home, MBNA explained that the phone numbers had been made available for direct marketing purposes via Eircom. I therefore decided it would be appropriate to raise this matter with that organisation, which was the data controller in respect of the telephone directory database. In my discussions with Eircom, I established that the phone company offered a commercial service to clients, which involved Eircom automatically appending telephone numbers in bulk onto other databases of names and addresses – such as direct marketing databases derived from the electoral register. This process was referred to as 'teleappending'. My Office suggested to Eircom that the disclosure of telephone directory data in this context was not a disclosure which was compatible with the purpose for which subscriber data was held by Eircom, in the absence of the clear consent of subscribers, and that the disclosure was therefore contrary to section 2(1)(c)(ii) of the Data Protection Act, 1998. In essence, I took the view that the purpose for which Eircom held the data – and which would be ordinarily understood by telephone subscribers – was the provision of a traditional 'look-up' directory service. This service was quite distinct from the population of third-party databases, which would effectively allow direct marketers to generate 'reverse-searchable' directories. In my view, such a potentially far-reaching application of personal data would need to be subject to additional clear consent from subscribers.
Following discussions, Eircom indicated its acceptance of my position on this matter, and that the practice of teleappending would be discontinued until the consent issues could be resolved. I did, however, accept that that limited forms of teleappending – for example, to update databases automatically, where an extra digit had been added to existing telephone numbers – were not incompatible with data protection law.
This case illustrates the sensitivities attaching to telephone directory information, and confirms my view that the data protection and privacy rights of telephone subscribers cannot be taken for granted. I am satisfied that Eircom appreciates this point of principle, and this is borne out by its positive response to my concerns in this case.