Data Protection Commissioner
Data Protection Commissioner

Case Study 10

Department of Social and Family Affairs market research survey on customer satisfaction by an agency did not breach Data Protection provisions

An individual complained that the Department of Social and Family Affairs(DSFA), had disclosed her name and address to the Market Research Bureau of Ireland (MRBI) for the purposes of conducting research and that subsequently, a representative of the MRBI visited her home to conduct an interview. She felt that the Department had breached the Data Protection Act 1988 and had made her data available without her consent to a private firm.

On investigation of the complaint, the DSFA confirmed that it had commissioned MRBI to carry out a national survey, on their behalf, to see in what way their service could be improved upon. MRBI, acting as an agent for the DSFA, were given a list of customers' names and addresses that were selected at random from DSFA databases for the purpose of this survey only. These people received a letter from the Department informing them about the survey, and indicating that data provided in interviews would be held in the strictest confidence by MRBI and that the names of those participating would not be disclosed to the Department. A box at the bottom of the letter contained the following statement

"In line with the Data Protection Act I would like to assure you that the MRBI is carrying out this survey as an agent of the Department. MRBI has been required to fulfil the following conditions:

  • To hold the Department's list only for as long as is required to complete the survey and thereafter to delete the list from all their records.
  • To ensure that their interviewers make no attempt to recruit any of the Department's customers for any other survey."

I noted that the letter which issued in advance of the commencement of the survey gave people an opportunity to contact the Department if they had any concerns. I obtained a copy of the contract between the Department and MRBI which confirmed that MRBI would adhere to the terms of the Data Protection Act.

The Department is not prohibited by the Act from using personal data for the purposes of its own research, such as a survey, even where the data subject was not informed in advance, provided that no damage or distress is likely to be caused to the individual. Section 2(5) of the Act provides for this.

It is a matter for the Department to decide whether it wished to carry out the research or to contract another party to carry it out. Thus, where a data controller wishes to carry out a task which is within its competence and authority to do but assigns that task to another person and makes available, to the other person, personal data for the purpose of that task and that task only, this is not considered to be a "disclosure" within the meaning of the Data Protection Act. In no circumstances may the data be retained by the agent once the task is completed.

I noted that the Department adhered to the Act by having an appropriate contract with MRBI. Accordingly, the transfer by DSFA of data to MRBI for the purpose set out in the contract with MRBI did not constitute disclosure of data within the meaning of the Data Protection Act, and consequently was not a contravention of the legislation.

In correspondence with my Office, the complainant referred to the Law of Agency and disputed my interpretation that a disclosure by a data controller to an agent does not constitute "disclosure" within the meaning of the Data Protection Act. I did not accept that proposition. Indeed Professor Robert Clark in "Data Protection Law in Ireland", published by the Round Hall Press (1990), stated that

"The definition of disclosure excludes a disclosure made, directly or indirectly by a data controller or data processor to an employee or agent of his for the purpose of allowing the employee or agent to carry out his duties''.

In response to my preliminary determination the complainant stated that

"I have studied with interest the contents of your decision regarding the apparent acceptable degree of protection that was afforded this DSFA client under Data Privacy Legislation, and most alarmingly, the implied differential civil rights. Not only does all reputable research conform to standardized 'ethical' practices, but in line with such, the process itself in no way over-rides the fundamental rights and freedoms afforded to citizens under Bunreacht na hEireann nor the EU Convention. In light of the nature of you draft decision, I would consider it a time-wasting exercise to make any further observations on this matter".

I was disappointed by this attitude as I only come to my final determination when I have considered all angles. Indeed I request all complainants and data controllers to offer as much argumentation and facts as they consider appropriate before I make a final decision on complaints- hence my practice of issuing a draft decision to both parties for further observations before I make a final decision. My final decisions can be appealed by either party to the Circuit Court. Though the complainant did not exercise her right to appeal or offer further comment on the draft decision nevertheless her arguments were considered in detail.

This case gives a clear insight that data protection law does not prevent a properly managed customer satisfaction survey being carried out by an agent acting for a data controller.