CASE STUDY 6/98
Local authority housing loan - disclosure of personal data by a local authority to a financial institution - whether such data are in the public domain - statutory discretion to make personal data publicly available does not take precedence over data protection law
The complainant received a letter from a bank inviting her to convert her local authority housing loan to a housing loan provided by that bank. The bank informed the complainant that the offer was unique to people who held mortgages from the local authority in question. The complainant queried this matter with her local authority. It admitted that it had passed names and addresses to the bank, in order to allow the bank to advise people of its re-mortgage facilities. The local authority said that no loan account details had been passed to the bank. The complainant raised the matter with my Office, complaining that her personal details had been disclosed without her knowledge or consent, in contravention of the Data Protection Act.
The local authority confirmed to my Office that it kept data relating to loan account holders for the purpose of administering its loan accounts, and that it had not obtained the complainant's consent to the disclosure of her name and address to the bank. However, the local authority was of the opinion that these details were already in the public domain, because whenever a local authority borrower is approved for a loan, a County Manager's Order is drafted, and all such orders are included as part of the local authority's minutes which are publicly available documents.
In considering this matter, I had regard to section 1(4)(b) of the Data Protection Act, 1988, which provides that the Act does not apply to "personal data consisting of information that the person keeping the data is required by law to make available to the public". This provision would mean that, if the names and addresses of the local authority's housing loan account holders were required by law to be made available to the public, then the disclosure of such data by the local authority could not have been in breach of the Data Protection Act.
Accordingly, the local authority was requested to indicate whether the County Manager's Orders were required by law to be made available to the public. The local authority pointed out that there was a legal obligation to make such orders and to retain records of them, by virtue of the County Management Acts of 1940 and 1955. However, while that legislation allowed the County Manager discretion to record the names and addresses of housing loan account holders, the local authority was unable to cite any statutory requirement to place such personal data in the public domain. In the absence of any such statutory requirement, I could only conclude that the data in question were subject to the Data Protection Act, 1988, in the normal way.
Accordingly, I upheld the complaint against the local authority. All data controllers, and in particular those in the public sector, should note that statutory discretion to make personal data publicly available is not the same as a statutory requirement to do so. It is only the latter that takes precedence over the normal application of data protection principles.