The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Case Study 5

Telephone Company -alleged disclosure of customer call related information at the request of the Gardai - Information Notice issued.

A journalist complained to me that she had requested from her telephone service provider a list of all the individuals who had made enquiries in relation to her mobile telephone account and that in response she had been given a printout of all the requests and enquiries which she herself had made. On further enquiry, she was told that the company had no record of any third party requesting information on [her] account. The complainant told me that she had evidence that Gardai had accessed confidential billing information from her account but that the company were stating that they had no record of anyone other than her requesting such information.

I investigated the matter fully and due to its nature, detailed and complex issues arose.

In regard to the right of access to one's data as provided by section 4 of the Act , I noted that this can be restricted in certain circumstances by section 5 in respect of personal data

(a) kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid,

In regard to the alleged disclosure to the Gardai, the Act does not impose a blanket prohibition upon the disclosure of personal data because section 8 of the Act specifies a number of restricted circumstances in which the clear statutory bar on the making of such disclosures is lifted. Such circumstances include safeguarding the security of the State (section 8(a)), a requirement for the purpose of preventing, detecting or investigating offences or prosecuting offenders, in cases where the application of the nondisclosure rule would prejudice such matters (section 8(b)), or a requirement by or under any enactment or rule of law or order of a court (section 8(e)).

I noted that the Postal and Telecommunications Act, 1983, as amended by the Interception of Postal Packets and Telecommunications Messages (Regulation) Act, 1993, makes provision for the disclosure of customer call related information by telecommunications operators at the request of An Garda Síochána or the Defence Forces. The Act also sets out the procedure that must be followed in such requests e.g. the request must be signed by a member of An Garda Síochána not below the rank of Chief Superintendent or not below the rank of Colonel in the Defence Forces. Such disclosures would be covered under section 8(e) of the Data Protection Act. The Postal and Telecommunications Act, 1983 also provides that a telecommunication provider is prohibited from disclosing information relating to requests for information made by An Garda Síochána, or indeed confirming whether such requests have been made by An Garda Síochána.

The matter was taken up by my Office with the company who referred to the Telecommunications legislation quoted above and to the restrictions provided in it as to the circumstances in which it could not confirm or deny to my Office whether or not any request for customer call related information had been made by or provided to the Gardai in this case. I considered the response to be unsatisfactory but understandable to a degree. Accordingly I considered whether, in the light of my powers under section 12 of the Act, to issue an information notice requiring the furnishing of specified information. Section 12(4) provides that where the Commissioner issues an information notice

(a) No enactment or rule of law prohibiting or restricting the disclosure of information shall preclude a person from furnishing to the Commissioner any information that is necessary or expedient for the performance by the Commissioner of his functions.

(b)Paragraph (a) of this subsection does not apply to information that in the opinion of the Minister or the Minister for Defence is, or at any time was, kept for the purpose of safeguarding the security of the State or information that is privileged from disclosure in proceedings in any court.

Because of the nature of this complaint I decided that such an information notice be issued so that I could fully investigate the complaint. The information notice was complied with by the company and was responded to within the 28 day time limit.

Following further consideration of the response, I found that the company had not contravened any of the provisions of the Data Protection Act in this instance. In so deciding I did not confirm or deny that the Gardai had sought or received the information in question as to do so could frustrate the powers of inquiry of the Gardai in their normal work. However my actions ensured that the Gardai and telecommunications companies are aware that I have an oversight power in this area and is an assurance to them and the general public that in this sensitive area such an oversight power can be exercised when necessary.