The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Case study 10

Bank of Ireland marketing of 12 and 13 year old school children

I received a number of complaints during 2003 relating to marketing activity by Bank of Ireland in schools where 12 and 13 year olds had received presentations by Bank staff and were offered the opportunity of opening an account. The complaints centered on the lack of parental consent, details on parents being sought, the procedure by which the teacher confirmed the identity of students and the fact that when an account was closed at the request of a parent, the details were still retained by the Bank for 6 years.

In last year's Annual Report, I referred to section 2A(1) of the Data Protection Acts which state that consent cannot be obtained from a person who, by reason of age, is likely to be unable to appreciate the nature and effect of such consent. I was pleased to note that before I had to make a determination on the matter during 2004, the Bank changed its policy and now focuses this marketing activity on Transition Year Students and classes which are taking Banking as part of the school curriculum.

In regard to the form for identifying students, this was necessary in order that the Bank may comply with its anti-money laundering identification obligations pursuant to the Criminal Justice Act, 1994. Following discussions with me, these procedures were revised by Bank of Ireland, and a new application form was introduced for second level students who wish to open a bank account. The revised form specifically provides for the student's consent to this verification and states –

"To enable the Bank to comply with its obligations to establish my identity, I give permission to the Bank to contact my school to verify the accuracy of the information I have given on this form against that supplied to my school. For the benefit of my school, I confirm that my school may act upon this authorisation as if it were specifically addressed to my school."

The revised form makes clear to students that if they wish to open an account, they are authorising their teachers to confirm their identity to Bank of Ireland. The revised form does not request information about the parents of the student. I was satisfied that the new procedures comply with Data Protection requirements in that teachers who confirm the identity of the students for the Bank, will be doing so with the authorisation of individual students who have capacity under the Acts to give consent.

In regard to the retention of data, I was advised that the Bank is obliged under anti-money laundering identification obligations pursuant to the Criminal Justice Act, 1994, to hold account opening documentation for six years, even where any money in the account has been withdrawn and the account is closed. Accordingly, in circumstances where there is a statutory obligation regarding data retention, the provision of the Data Protection Acts specifying that data should not be retained for any longer than necessary for the purpose are set aside.

This issue raised sensitive issues regarding children and their capacity to give consent. Parents, teachers and most of all students should be cautious when faced with any marketing campaigns. The test is whether the young person can reasonably be said to understand the implications of supplying personal data and giving consent.

Parents, teachers and most of all students should be cautious when faced with any marketing campaigns