Data Protection Commissioner

CASE STUDY 9/01

Legal firm – registration under section 16 of the Act – on-site examination of computer files



A person complained to me that a law firm, which had processed sensitive personal data relating to her mental health, was not duly registered under section 16 of the Data Protection Act, 1988. She complained that the firm was therefore committing offences against her under the Act, and she was anxious that the firm should delete all sensitive personal data relating to her from their computer systems.

Section 16 of the Data Protection Act requires that data controllers keeping certain kinds of personal data – what might be termed 'sensitive' personal data – must be registered with my Office in a public register, showing the types of personal data kept, the purposes for keeping these types of data, and other details. 'Sensitive' personal data includes data relating to people's physical or mental health. Failure to register, if required to do so, is an offence under section 19 of the Act. Accordingly, I took the complainant's allegation seriously and caused it to be investigated fully.

In investigating this matter, I first confirmed that there was no entry in the public register in respect of the firm. My Office then engaged in detailed correspondence with the firm to establish inter alia whether the firm kept personal data relating to the complainant's physical or mental health. At a meeting with the firm's Managing Partner, there was a general discussion about the issue of registration under the Data Protection Act, 1988. The Managing Partner accepted that it would be appropriate for the firm to register under the Act; and indeed the law firm subsequently registered with my Office.

The Managing Partner also stated that his firm did not currently hold any personal data on computer relating to the complainant, and he agreed to have this statement verified by on-site inspection of the firm's computers. Authorised representatives from my Office subsequently visited the firm's offices to examine the computers for any personal data relating to the complainant. Prior to conducting the examination, the procedure which would be used for conducting a methodical search upon each computer and upon computer media was explained to the firm, and the firm co-operated fully with the examination.

In conducting the examination, it was found that, on one of the computers, a search based upon the complainant's name gave rise to a number of apparent positive matches, which were examined further. It was found that a word-processing document related to the complainant: the file related to a procedural matter about a court case involving both the complainant and a client of the firm. Further searches within the computer's e-mail application brought to light several e-mails to and from the complainant. The content of some of the e-mails was contentious or disputatious in nature, relating to a court case: but none of these e-mails appeared to contain 'sensitive' personal data. No other data relating to the complainant were found on the firm's other computers or upon its computer media.

The law firm subsequently confirmed that the personal data relating to the complainant, and found by the representatives of my Office, were held inadvertently by the firm; that there had been no intention to mislead this Office as to the existence of any such personal data; and that the personal data in question would be deleted forthwith.

I consider that the important issue raised by the complainant in this case – concerning the registration responsibilities of a particular law firm – is of more widespread application within the legal profession as a whole. In Part 1 of this Report, I deal with this general matter in more detail.