The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


Debt collection service - acting on behalf of hospital - whether data had been "disclosed" for purposes of Data Protection Act - whether debt-collecting agency is entitled to build database of debtors

The two complaints in this case study arose from the actions of a hospital and a debt collection company. The first complainant, an elderly man, attended the hospital on a number of occasions for medical treatment. The hospital subsequently sent him a bill for the treatment. He paid some of the outstanding amount, but he did not pay the full amount straight away. After a period, he was contacted at home on his unlisted telephone number by a debt collection service. The debt collection service said it was acting to recover the hospital's money. The second complaint was from a young college student who had attended the same hospital and had been written to by the same debt collection service in similar circumstances. The agency wrote to the complainant in the following terms -

If within 48 HOURS our client has not received payment, we will be given full instructions on the accounts. I would point out that once we have been instructed your name will be placed on our CREDIT INFORMATION BUREAU. This could affect your ability to obtain credit and loans from other companies.

The first complainant was concerned that his personal details - including his unlisted telephone number - had been passed by the hospital to a third party, and he felt that this contravened the Act. The second complainant was very concerned that "they will put me on a black list".

Section 2(1)(c) of the Data Protection Act provides inter alia that personal data -

(i) shall be kept only for one or more specified and lawful purposes, [and]

(ii) shall not be used or disclosed in any manner incompatible with that purpose or those purposes.

Section 1 of the Act defines "disclosure" in the following terms -

"disclosure", in relation to personal data, includes the disclosure of information extracted from such data and the transfer of such data but does not include a disclosure made directly or indirectly by a data controller or a data processor to an employee or agent of his for the purpose of enabling the employee or agent to carry out his duties ... .

From my investigation of the case, I established that the debt collection service was retained by the hospital as its agent for the purpose of collecting outstanding moneys. I determined that the relationship between the hospital and the debt collection service was a bona fide principal-agent relationship, in that: (i) there was a formal contractual relationship in place between the hospital and the debt collection service; (ii) the contract made clear that the hospital retained control over the personal records in question; and (iii) the debt collection service was not permitted to retain the personal data for longer than necessary for the purpose of collecting the debt. Accordingly, I concluded that the Data Protection Act did not preclude the hospital from passing personal data, including patients' telephone numbers held by the hospital, to the debt collection agency.

On the question of the retention of personal details on the debt collection agency's files, my Office had detailed discussions with the debt collection agency. It was pointed out that the agency had no entitlement to retain personal details regarding the hospital's patients, and that it certainly had no entitlement to use these details to create a credit reference "blacklist". The agency explained that the language it used on its correspondence with debtors was designed to put maximum pressure on the debtors to pay what they owed. However, I pointed out my view that it is not permissible for a debt collection agency, or indeed for any data controller, to misrepresent the purpose for which it keeps personal data, in order to put people under pressure to behave in a certain way. As a result of these discussions, the debt collection agency agreed to reword its letters so as to avoid any misrepresentation of what it is entitled to do with personal data it keeps as agent of the hospital. The managing director wrote to the complainants apologising for any inconvenience or distress caused, and confirming that the information had not been made available to any third party.