The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission


The Data Protection Commissioner today welcomed the outcome of prosecution proceedings which concluded at Dublin Metropolitan District Court and which were taken by her Office against a private investigator.

Prosecution Details

Following an investigation by the Office of the Data Protection Commissioner (ODPC), Michael J. Gaynor, (trading as MJG Investigations) of 38 Beatty Grove, Celbridge, Co. Kildare was charged with seventy two counts of breaches of the Data Protection Acts, 1988 & 2003. Twelve charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person. In the cases before the Court, the personal data was kept by the Electricity Supply Board (nine cases) and by An Garda Síochána (three cases). In all cases, the personal data was disclosed to various Credit Unions in the State. A further sixty charges related to breaches of Section 16(2) of the Data Protection Acts in respect of the processing of personal data of a number of individuals in circumstances where no record was recorded in respect of the accused in the public register maintained by the Data Protection Commissioner. Mr. Gaynor is a former member of An Garda Síochána.

Court Outcome

Following a trial at Dublin Metropolitan District Court today Michael J. Gaynor was convicted on two charges for offences under Section 22 of the Data Protection Acts, 1988 & 2003. The Court imposed a fine of €2500 in each of those two charges.
Separately, the defendant pleaded guilty to 69 charges and these were taken into consideration by the Court in the sentence imposed. The Court awarded costs to the Data Protection Commissioner.
This was a significant investigation and prosecution on several fronts:
·It was the first prosecution to be completed by the Data Protection Commissioner of a data processor for processing personal data without having registered as a data processor on the public register of the Office of the Data Protection Commissioner.
·The investigation in this case uncovered access by the defendant to customer data held on databases held by the Electricity Supply Board. To access the personal data, the defendant used a staff contact in the Electricity Supply Board which he had established during his previous Garda career.
·The investigation also uncovered access by the defendant to personal data held on the Garda PULSE computer database and the Garda National Immigration Bureau computer database. In these cases, the defendant solicited personal data from these databases using a serving Garda who was known to him from his previous Garda career.
·This was the second completed prosecution in recent weeks related to the private investigations sector. These prosecutions send a strong message to private investigators and tracing agents to comply fully with data protection legislation in the conduct of their business and that if they fail to do so, they will be pursued and prosecuted for offending behaviour. A number of other investigations in this sector are ongoing and these may result in future prosecutions.

Role of Credit Unions

Once again, the Data Protection Commissioner notes with disappointment a number of failures on the part of Credit Unions. Firstly, the ODPC investigation found no evidence that any Credit Union established from Michael J. Gaynor what methods he was using to obtain access to new address information. Secondly, it is particularly disturbing that the trace reports supplied by Michael J. Gaynor contained, in numerous cases, substantial details concerning the electricity account of the Credit Union members concerned. Despite the significant level of detail concerning electricity accounts, no alarm bells sounded in the recipient Credit Unions who asked no questions of Mr. Gaynor in that regard. Finally, the ODPC investigation found no evidence that any Credit Union had carried out any due diligence prior to hiring the services of Mr. Gaynor. This was a serious deficiency. For the future, Credit Unions across the State will be expected to undertake appropriate due diligence in advance of passing on any member's details to private investigators or tracing agents.

Follow-Up With the ESB and AGS

Finally, the Office of the Data Protection Commissioner will engage further with the Electricity Supply Board and An Garda Síochána on the implications of the data security breaches which occurred in their organisations (as uncovered by the ODPC investigation) and on the steps that will be required to deal with those breaches and to prevent a recurrence. An Garda Síochána has already been audited by the Data Protection Commissioner (details of which were published earlier this year). A data protection audit of the Electricity Supply Board will be undertaken in the near future.
Media Queries to: Ciara O'Sullivan
Telephone: 057 8684800
Email: media@dataprotection.ie
Website: www.dataprotection.ie