The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Guidance Note on Mobile Telephone Companies and Local Authority Requests for Customer Data

During 2006 I was concerned to learn that mobile telephone companies were being contacted by local authority litter wardens to seek details of mobile telephone ownership. This arose in the context of litter wardens finding mobile phone top-up receipts that were causing litter. There was also a suggestion that this information was being provided seemingly without question in some cases and without the backing of an enactment or by a rule of law or order of a court. My Office considered this matter and issued the following advice:

Requests made by local authorities for such personal information do not constitute "access requests" as provided for in Section 4 of the Data Protection Acts 1988 & 2003. Local authorities cannot use Section 4 to request personal data from data controllers.

Mobile telephone companies (data controllers) which received these requests from local authorities were, it appeared, considering using Section 8(b) of the Data Protection Acts(1)  to allow them to over-ride the restrictions on the processing of personal data and to then furnish the local authorities with the information sought. The provision for disclosure in Section 8(b) is permissive only and it does not place any obligations on these companies to provide local authorities with personal information from their customer databases.  This provision also carries the qualifier "in any case in which the application of (data protection) restrictions  would be likely to prejudice (preventing, detecting or investigating offences)." Therefore, the exemption does not cover the disclosure of all personal information held by a data controller in all circumstances. It only allows for the disclosure of personal information for the stated purposes and only if not releasing it would be likely to prejudice (that is,  significantly harm) any attempt by organisations which have crime prevention or law enforcement functions to prevent crime or to catch a suspect. Furthermore, the Data Protection Acts do not contain any provisions regarding the level of fees which data controllers may charge for such services.

In circumstances where local authorities seek this information in an effort to establish the identity of a person who topped up their phone credit and whose receipt has been disposed of in a manner which contravenes the Litter Act, there is a high risk that a person could be wrongly accused if they did not personally dispose of the receipt or if the receipt was further disposed of by a third party. I would expect mobile telephone companies who provide such personal data to local authorities to satisfy themselves that the provision of the information was proportionate to the alleged offence. In practice, they should treat each request on a case by case basis and not automatically provide the personal information. At a minimum, the data controller must be satisfied that the local authority seeking the information is doing so to prevent or detect a crime or catch or prosecute an offender. The data controller must also consider whether the non-release of the personal information sought would significantly harm any attempt by the local authority to prevent crime or catch a suspect (the risk must be that the investigation may very well be impeded). If they do decide to release personal information to the local authority, the data controller should only release the minimum information necessary for the local authority to do its job.  Ultimately, it is up to the data controller whether to release personal information under this exemption. Even if the data controller decides that the exemption applies, they still do not have to release the personal information.









(1)Section 8 (b): (Any restrictions in this Act on the processing of personal data do not apply if the processing is?) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid.

Back to Top