Case Studies Disclosure / Unauthorised Disclosure
Disclosure of an employee’s special category data by their employer to a third party services provider, without the employee’s consent
An individual submitted an access request to their employer, a SME business-to-business service provider. Based on the documentation provided by the organisation to the individual in response, the individual submitted a complaint to the DPC alleging that the organisation unlawfully disclosed their personal data, including special category data, to a third party, a Human Resources Service Provider (HR provider).
Excessive sharing of special category data to a third party in order to seek guidance on behalf of an employee
An individual submitted medical documentation to their employer’s disability officer in order to request reasonable accommodations that would support them in performing their work within a public sector organisation. The disability officer was the central point of contact and service provider for all staff with disabilities working for the organisation and the individual had occasionally had reason to contact the disability officer over the course of their employment.
Processing occupational health data
An individual submitted a complaint to the DPC after a medical facility disclosed their medical data to their employer. The individual attended the medical facility at the request of their employer, due to a long absence from work on sick leave. During the consultation at the medical facility, the individual was queried on their past medical history, which was not directly related to their current illness. The medical facility furnished the individual’s employer with a full copy of their consultation notes, including their historical medical data.
Disclosure of health and financial data to a third party
An individual submitted a Freedom of Information (‘FOI’) request to their former employer, a State Agency. Once in receipt of the response to the FOI request, the individual became aware that the State Agency had disclosed their financial data and special category personal data, namely health data, to a connected third party. The individual subsequently submitted a complaint to the DPC in relation to this disclosure.
Disclosure of personal data to a debt collection agency
An individual contacted the DPC after an energy service provider further processed their personal data by sharing it with a third party (data processor), a debt collection agency. According to the individual, they had completed the contract with the service provider and had received their final invoice for the services provided.
Alleged disclosure of the complainant’s personal data by a local authority (Data Breach Complaint)
The DPC received a complaint from an individual concerning an alleged disclosure of the complainant’s personal data by a local authority. The complainant alleged that the local authority had disclosed the complainant’s name, postal address and information relating to the housing assistance payment in error to a third party. The individual had been informed by the local authority that this disclosure had occurred. However, the individual was dissatisfied with the actions taken by the local authority in response to the disclosure and did not wish to engage further with the local authority with a view to seeking an amicable resolution of the complaint.
CSO data breach — Disclosure of P45 data (Applicable law — Data Protection Acts 1988 and 2003)
We received several complaints in late 2017 against the Central Statistics Office (the CSO), each alleging that the CSO had disclosed the respective complainants’ personal data without their consent or knowledge. The complaints related to a data breach that the CSO had previously reported to us (under the voluntary Personal Data Breach Code of Practice) and to the affected individuals.
Disclosure and unauthorised publication of a photograph
A data subject made a complaint to the DPC regarding the publication of their child’s image, name and partial address in a religious newspaper. The image used in the publication was originally obtained from a religious group’s Facebook page. The data subject informed the DPC that consent was not given for the wider use of the image through the publication in the newspaper. The concern was for the child’s privacy arising from the use of the image, name and partial address by the newspaper. In correspondence sent directly between the data subject and the newspaper, the data subject stated that Article 9 of the GDPR, concerning special category personal data, applied to their complaint because the image disclosed information regarding the child’s religious beliefs.
Disclosure by a credit union of a member’s personal data to a private investigations firm
The complainant in this case was a borrower from a credit union and was alleged to be in arrears on a loan. The credit union claimed to be unable to contact the complainant. The credit union disclosed personal data of the complainant to a private investigations firm with the intention of locating and communicating with the complainant. The data disclosed included the complainant’s name, address, former address, family status and employment status. Approximately four years later, the complainant became aware of that disclosure and complained to the DPC.
Disclosure of account statements by a bank to the representative of a joint account holder
The complainant in this case held a joint bank account with a family member. Following a request from the solicitors of the other joint account holder, the bank (the data controller) disclosed copies of bank statements relating to the account, which included the complainant’s personal data, to those solicitors. The complainant was concerned that this disclosure did not comply with data protection law.
Disclosure of Sensitive Data
An individual complained to the DPC that a clothing and food company disclosed their personal medical information by issuing postal correspondence with the words “Coeliac Mailing” printed on the outside of the envelope. As part of the Stores Value Card facility, the individual in question had signed up to receive an ‘Annual Certificate of Expenditure’ of gluten-free products purchased during the year, which could be used for tax purposes. The DPC advised the store that under Article 9 of the GDPR, health data is deemed sensitive data and is afforded additional protection and that displaying the words “Coeliac Mailing” has to be examined in light of Article 9 of the GDPR. In response, the store advised the DPC that it instructed its marketing department to cease using this wording on the outside of envelopes for all future mailings. The DPC welcomes the positive outcome to this engagement.
Disclosure Without Consent
An individual complained to the DPC that the Criminal Assets Bureau (CAB) disclosed his personal financial details without his consent, to a number of individuals against whom CAB had taken legal proceedings. CAB advised the DPC that the proceedings in question were under the Proceeds of Crime Act, 1996-2016 (PoCA), the purpose of which is to identify and confiscate property, established to the satisfaction of the High Court, to be the proceeds of crime. CAB stated the information contained in the subject documentation was required to establish the provenance of property the subject matter of the proceedings. CAB outlined that the personal data of the complainant was intertwined with the personal data of the individuals being prosecuted and could not be redacted from the court documents. The DPC noted such proceedings are governed by section 158(1) of the Data Protection Act, 2018 (the Act) which provides that the GDPR and Law Enforcement Directive as transposed in the Act may be restricted in order to ensure the protection of judicial independence and judicial proceedings.
Financial information erroneously cc’d to a restaurant (Applicable law — Data Protection Acts 1988 and 2003 (the Acts))
We received a complaint concerning the alleged disclosure by a motor dealership of the complainants’ personal data to a third party. The complainants had provided the dealership with copies of their driver’s licences and bank details, including bank statements and full account details, in order to purchase a car through a Personal Contract Plan. They were subsequently copied in on an email from the dealership to a third-party email address, believed to be an address associated with a bank, which contained the complainants’ driver’s licences and bank details. The complainants were concerned that the third-party address was that of a restaurant and contacted the dealership about this, but were assured that the email address in question pertained to a bank and was secure.
HSE Hospital/Healthcare Agency
In 2019, the DPC received a complaint about the disclosure of a patient’s data via Facebook messenger by a hospital porter regarding her attendance at the Early Pregnancy Unit of a hospital. Upon examination of the complaint, the HSE clarified to the DPC that the hospital porter who disclosed the personal information of the patient was in fact employed by a healthcare agency contracted by the HSE. The DPC contacted the agency and sought an update in relation to its internal investigation, details of any remedial action as well as details of any disciplinary action taken against the employee in question. At the same time, the DPC advised the HSE that, as it contracts the company concerned to provide agency staff to work in the hospital, ultimately the HSE is the data controller for the personal data in this instance.
Lack of appropriate security measures unauthorised disclosure in a workplace setting
The DPC received a complaint against an employer, a manufacturing company, asserting that their private information including attendances with the company doctor, details of a personal injury claim being pursued against the company and details of a disciplinary procedure taken against the complainant had been placed on the company’s shared ‘C-Drive’, available to be viewed by anyone within the company, and that a copy of the data on a CD-ROM was also left on the complainant’s desk.
Ryanair webchat transcript sent to another customer (Applicable law — GDPR & Data Protection Act 2018)
We received a complaint from a data subject whose webchat with a Ryanair employee was accidentally disclosed by Ryanair in an email to another individual who had also used the Ryanair webchat service. The transcript of the webchat contained details of the complainant’s name and that of his partner, his email address, phone number and flight plans. The complainant told us that he had been alerted to the disclosure by the individual who had been erroneously sent the transcript of his webchat.
Transmission of data by a Government Department via WhatsApp (Applicable law — Data Protection Acts 1988 and 2003 (the Acts))
We received a complaint against the Department of Foreign Affairs and Trade (the DFAT), alleging that the mission in Cairo, Egypt, had shared the complainant’s personal data with a third party (his employer) without his knowledge or consent, and that it had failed to keep the complainant’s personal data safe and secure, having transmitted it via WhatsApp to his employer. This related to processing of the complainant’s personal data contained in a short-term visa application that the complainant had submitted in order to sit an exam in Ireland.
Unauthorised disclosure in a workplace setting
The complainant alleged that insecure processing by his former employer had made his personal data accessible to unauthorised persons, including former colleagues and external third parties.
Unauthorised disclosure of mobile phone e-billing records, containing personal data, by a telecommunications company, to the data subject’s former employer (Applicable law: Data Protection Acts 1988 and 2003)
The complainant, during a previous employment, asked the telecommunications company to link her personal mobile phone number to her (then) employer’s account. This enabled the complainant to avail of a discount associated with her (then) employer. While this step resulted in the name on the complainant’s account changing to that of her (then) employer, the complainant’s home address remained associated with the account and the complainant remained responsible for payment of any bills. Following termination of the employment relationship, the complainant contacted the telecommunications company to ask that it (i) restrict her former employer’s access to her mobile phone records; and (ii) separate the account from that of her former employer. Following this request, an account manager took a number of steps in the mistaken belief that this would result in the separation of the complainant’s account from that of her former employer. The complainant, however, became aware that, subsequent to her request, her former employer continued to access her account records. On foot of further inquiries from the complainant, the telecommunications company discovered its error and the complainant’s account was eventually separated from that of her former employer.
Appropriate security measures for emailed health data
The DPC received a complaint from the parent of a child whose health data was mistakenly disclosed to an unknown third party. The data was contained in a document attached to a misaddressed email that had been sent by an employee of a public body.
Disclosure of a journalist’s name and mobile phone number by a public figure
The complainant in this case was a journalist who emailed a public figure to ask questions about decisions that the public figure had taken in relation to their work. The public figure used their Twitter account to publish a copy of the email. The journalist’s name, work email address and mobile phone number were legible in the published copy of the email. The journalist reported receiving a number of threatening text messages afterwards.
Disclosure of personal and financial data to a third party and erasure request
A data subject provided their personal and financial data to an organisation (the data controller) as part of their relative’s application for a scheme. The application was unsuccessful and the applicant was issued with a refusal letter, which included a breakdown of the data subject’s personal and financial data. The data subject made a complaint to the Data Protection Commission (DPC) regarding the lack of transparency in the application process and the disclosure of their personal and financial data to their relative. The data subject requested the return of their personal data from the data controller. The data subject also requested that their personal data be erased by the data controller under Article 17 of the General Data Protection Regulation (GDPR) and, if erasure was not an option, asked for the data controller’s legal basis for retaining their data.
Disclosure of personal data (Applicable Law — GDPR & Data Protection Act 2018)
A data subject issued a complaint to the Data Protection Commission (DPC) against their owner management company (data controller) regarding the disclosure of their personal data under the General Data Protection Regulation (GDPR). The data subject explained to the DPC that an email containing their personal data was circulated by a property management company on behalf of an owner management company (OMC) and contained information regarding the payment of annual services charges.