Case Studies Disclosure / Unauthorised Disclosure
Appropriate security measures for emailed health data
The DPC received a complaint from the parent of a child whose health data was mistakenly disclosed to an unknown third party. The data was contained in a document attached to a misaddressed email that had been sent by an employee of a public body.
The child was the subject of a health-related assessment by a therapist employed by the public body. The therapist prepared a draft report, which was to be sent to a senior professional. Before sending it, the therapist decided to ask a colleague for a second opinion. The colleague was not in the office, so the therapist chose to send the draft report to the colleague’s personal email address. Soon after doing so, the therapist realised that the email address was incorrect. The public body’s IT service was not able to recall the misaddressed email. The recipient’s email service provider confirmed that the recipient’s account was active, but emails from the public body asking the recipient to delete the misaddressed email were not answered. The public body contacted the parent by telephone, in person and in writing to inform them of the error and apologise for it. It also notified the DPC of a personal data breach. The parent subsequently lodged a complaint with the DPC.
As part of its examination of the complaint, the DPC asked the public authority to explain the steps taken to secure deletion of the misaddressed email, its policy concerning the sending of work-related emails to staff members’ personal addresses, and the measures being adopted to prevent a recurrence of the breach.
In its response, the public body confirmed the sequence of events described above, including its attempts to recall the email and its interactions with the email service provider. It advised the DPC that it had reissued a copy of its data protection policy to all members of the team on which the therapist worked, and had written to the team reminding staff that they are not permitted to send any information to personal email addresses, regardless of whether they are asked to do so. It was made clear that this included reports and other work-related documentation. Data protection was added as a fixed item on the agenda of the team’s bi-monthly meetings, and all team members were scheduled for data protection awareness training.
In assessing the matter, the central issue identified by the DPC was the obligation of a data controller to take appropriate security measures against risks including unauthorised disclosure of personal data. Appropriate security measures are to be identified having regard to factors including the technology available, the harm that could be caused by disclosure, and the nature of the data. Further, controllers must take all reasonable steps to ensure that their employees are aware of and comply with those measures.
The DPC’s view was that sending a draft report to a personal email address was clearly inappropriate having regard to the required level of security, and was contrary to the public body’s own data protection policies. However, the mere existence of those policies was not enough to satisfy the obligation to take reasonable steps to ensure its employees were aware of and complied with them; the public body had taken such steps only after the breach had occurred.
Disclosure of personal data (Applicable Law — GDPR & Data Protection Act 2018)
A data subject issued a complaint to the Data Protection Commission (DPC) against their owner management company (data controller) regarding the disclosure of their personal data under the General Data Protection Regulation (GDPR). The data subject explained to the DPC that an email containing their personal data was circulated by a property management company on behalf of an owner management company (OMC) and contained information regarding the payment of annual service charges.
Before contacting the DPC, the data subject contacted the OMC to raise their concerns about the disclosure of their personal data. The OMC responded that its policy was to include such personal data in emails to all clients. The data subject confirmed that they had not seen, nor signed, this policy.
Following the engagement of the DPC, the data controller cited a clause in its OMC Memorandum of Association, which allowed for the disclosure of payment or non-payment of service charges to other unit owners.
The DPC provided both parties with guidance from this office for consideration, “Data Protection Considerations Relating to Multi-Unit Developments and Owners’ Management Companies”. The guidance indicated that the disclosure must be justified as both necessary and proportionate to achieve a specific, explicit and legitimate purpose, in accordance with data protection law.
The data controller informed the DPC that a balancing test was conducted and highlighted that the processing of the personal data was necessary to achieve the legitimate interest of the management company to obtain payment of service charges.
Under section 109(5)(c) of the 2018 Act, the DPC advised that the data controller had not been able to provide an adequate lawful basis for the processing of personal data as outlined in the complaint.
The outcome reminded the data controller of its obligations as a data controller under Articles 5, 6 and 24 of the GDPR. Under section 109(5)(f) of the 2018 Act, the DPC recommended that the data controller review its Memorandum of Association to ensure compliance with the DPC guidance, consider alternative methods to resolve the non-payment of service charges, and consider and balance any legal obligation or legitimate interest against the rights and interests of the data subject.
Disclosure of personal and financial data to a third party and erasure request
A data subject provided their personal and financial data to an organisation (the data controller) as part of their relative’s application for a scheme. The application was unsuccessful and the applicant was issued with a refusal letter, which included a breakdown of the data subject’s personal and financial data. The data subject made a complaint to the Data Protection Commission (DPC) regarding the lack of transparency in the application process and the disclosure of their personal and financial data to their relative. The data subject requested the return of their personal data from the data controller. The data subject also requested that their personal data be erased by the data controller under Article 17 of the General Data Protection Regulation (GDPR) and, if erasure was not an option, that the data controller state its legal basis for retaining the data.
Prior to the commencement of an examination by the DPC, the data subject made suggestions to amicably resolve their complaint, which included, among other things, a ‘goodwill gesture’ from the data controller. However, due to the role of the organisation, the data controller was not in a position to facilitate this request.
As part of its examination, the DPC engaged with the data controller and requested a response to the data subject’s complaint. The data controller stated that, while it is part of its procedure to inform applicants of the reasons for refusal, only a partial disclosure should be made in decision letters where the information was gathered from a third party. With regard to the data subject’s erasure request, the data controller advised that the personal data provided would be retained for the lifetime of the applicant plus 10 years. The data controller explained that the data is retained for this period as the data in question may affect any future applications by the applicant.
Subsequently, the data controller refused the data subject’s erasure request, advising that it was relying on Article 17(3)(b) of the GDPR, which restricts the obligation on data controllers to erase personal data where the personal data is required for compliance with a legal obligation. The data controller also relied on Article 23(1)(e) of the GDPR, which states that a data subject’s rights may be restricted for: “Important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security.”
An apology was issued to the data subject by the data controller as a result of the disclosure of their personal data in the refusal letter issued to their relative, the applicant. The data subject queried whether this disclosure had been reported to the DPC as a breach. Under Article 33 of the GDPR, a data controller is required to report a personal data breach to the relevant competent authority without undue delay, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. A data breach is described in Article 4(12) of the GDPR as: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The DPC found that the disclosure was the result of human error and was not identified as a systemic issue.
Through its examination, the DPC found that the refusal letter which resulted in the disclosure of the data subject’s personal data could be distinguished from other records retained by the data controller, as it did not directly follow the data controller’s guidelines. As such, the DPC invited the data controller to erase or redact the data subject’s personal data from the decision letter held on file. In addition, an amended letter could be issued to the applicant redacting the data subject’s personal data. The data controller advised that it would reissue the refusal letter and request that the applicant return the initial letter sent. The data controller also advised that it would delete the initial letter from its records.
Under section 109(5)(c) of the 2018 Act, the DPC advised the data subject that the explanation put forward by the data controller in the circumstances of their complaint was reasonable. While the data controller acknowledged the disclosure of the data subject’s personal data to their relative, the applicant, they issued an apology for same, and indicated that the original refusal letter will be amended on their system, while an updated letter will issue to the applicant.
Further, under section 109(5)(f) of the 2018 Act, the DPC recommended the data controller provide updated training to their staff regarding their guidance for decision letters.
Disclosure of a journalist’s name and mobile phone number by a public figure
The complainant in this case was a journalist who emailed a public figure to ask questions about decisions that the public figure had taken in relation to their work. The public figure used their Twitter account to publish a copy of the email. The journalist’s name, work email address and mobile phone number were legible in the published copy of the email. The journalist reported receiving a number of threatening text messages afterwards.
The journalist asked the public figure to delete the published copy of the email. The public figure did so, but also published a Tweet saying that the journalist’s mobile phone number was available online. This included a link to a discussion board message posted by the journalist six years previously, while a student, which included the same mobile number. The journalist complained to the DPC.
As part of its investigation, the DPC asked the public figure to identify the legal basis for disclosing the journalist’s data. The public figure’s response queried whether the journalist’s name and contact details constituted personal data. It also asserted that, because the journalist had previously made that information available on the internet, the journalist had impliedly consented to its publication by the public figure. The journalist rejected that assertion.
The DPC took the position that the journalist’s name, email address and mobile phone number were personal data because the journalist was clearly identifiable by them. Concerning the legal basis for disclosing them, the DPC noted that, while data protection law provided for several possible legal bases for processing, the only basis raised by the public figure had been consent. The DPC’s view was that a media enquiry to a public figure from a journalist acting in that capacity did not amount to valid consent to the sharing of any personal data in the enquiry. For those reasons, the public figure’s disclosure of the data breached data protection law.
Disclosure by a credit union of a member’s personal data to a private investigations firm
The complainant in this case was a borrower from a credit union and was alleged to be in arrears on a loan. The credit union claimed to be unable to contact the complainant. The credit union disclosed personal data of the complainant to a private investigations firm with the intention of locating and communicating with the complainant. The data disclosed included the complainant’s name, address, former address, family status and employment status. Approximately four years later, the complainant became aware of that disclosure and complained to the DPC.
The private investigations firm had ceased to trade several years before the complaint and so was not in a position to assist the DPC’s investigation. The DPC asked the credit union to explain the legal basis on which it had disclosed the data, and why it considered it necessary to do so. The credit union informed the DPC that it did not have a written contract with the private investigations firm, so the DPC asked it to provide details of any internal policy or procedure concerning when it was appropriate to liaise with that firm.
Concerning the legal basis for the disclosure, the credit union claimed that the disclosure was necessary for the purposes of pursuing a legitimate interest and for the performance of its contract with the complainant. It also referred to a provision of section 71(2) of the Credit Union Act 1997 that allows a credit union to disclose a member’s account information where the Central Bank of Ireland (previously, the Registrar of Credit Unions) is of the opinion that doing so is necessary to protect shareholder or depositor funds or to safeguard the interests of the credit union. (The credit union was unable to say whether the Central Bank had expressed such an opinion in relation to this case.)
The credit union maintained that the disclosure was necessary because it had been unable to communicate with the complainant by letter, telephone or through the complainant’s solicitor. In its view, the complainant was seeking to evade its efforts to update its records and discuss the outstanding loan. (The complainant strongly disputed that, pointing out that they had made repayments shortly before the credit union contacted the private investigations firm.)
The credit union told the DPC that its credit control policy dealt with cases where it was proposed that a member’s non-performing loan should be written off as a bad debt. Before doing so, the relevant provisions directed that the credit union should make “every effort…to communicate with the member, including the assistance of a third party” to try to continue with agreed arrangements and assist collection of the debt.
The DPC identified the legal basis for the disclosure and the existence of a data processing contract as the central issues in the complaint.
In light of all the facts presented, and on the basis of applicable legislation, the DPC concluded that the credit union had a legitimate interest in seeking to obtain up-to-date contact details in order to re-establish contact with the complainant with a view to discussing the repayment of the loan. The processing of personal data was necessary for the purposes of pursuing that legitimate interest. The DPC accepted that the disclosure could affect the complainant’s fundamental rights and legitimate interests. Against that, however, fulfilling the important social function provided by credit unions required that they be able to take action to engage with members whose loans fall into arrears. For that reason, the disclosure was warranted despite the potential prejudice to the complainant’s fundamental rights and freedoms or legitimate interests. The credit union was therefore entitled to assert the pursuit of its legitimate interest in contacting the complainant and seeking repayment of the loan as the legal basis for disclosing personal data to the private investigations firm.
The DPC also considered whether section 71(2) of the Credit Union Act 1997 provided a legal basis for the disclosure in this case. The DPC noted that compliance with a legal obligation, such as under a court order or provision of a statute, can provide a legal basis for processing. However, section 71(2) (including the provision mentioned by the credit union in its submissions to the DPC) was permissive rather than mandatory in its effect: while it allowed credit unions to disclose information in certain circumstances, it did not require them to do so. Accordingly, the section did not justify the disclosure for the purposes of applicable data protection legislation.
The DPC noted that processing by a processor on behalf of a controller must be conducted under the terms of a contract in writing or in equivalent form that complies with applicable data protection legislation, and in particular ensures that the processing meets the obligations imposed on the controller. In the DPC’s opinion, the credit union’s credit control policy was not sufficient to meet this requirement, so the credit union had failed to meet its statutory obligation in this regard.
Disclosure and unauthorised publication of a photograph
A data subject made a complaint to the DPC regarding the publication of their child’s image, name and partial address in a religious newspaper. The image used in the publication was originally obtained from a religious group’s Facebook page. The data subject informed the DPC that consent was not given for the wider use of the image through publication in the newspaper. The concern was for the child’s privacy arising from the use of the image, name and partial address by the newspaper. In correspondence sent directly between the data subject and the newspaper, the data subject argued that Article 9 of the GDPR, concerning special category personal data, applied to their complaint because the image disclosed information regarding the child’s religious beliefs.
As part of its examination, the DPC engaged with the data controller and asked for a response to the complaint. The data controller informed the DPC that it never intended any distress to the data subject or their family. A reporter had seen the image on the group’s Facebook page and asked a leading member of the religious group for permission to use it; this member subsequently granted permission for its use. The newspaper stated that the image was already available online through the group’s Facebook page, that it was taken at a public event, and that the address used was that of the religious group and not the child’s personal address.
In further response to the DPC’s queries, the newspaper informed the DPC that it was its normal practice to seek consent to take and use images and that, although in this instance the image was available on an open Facebook page, the newspaper still contacted the religious group and asked whether permission had been obtained to use the image. The leading member of the religious group it had contacted advised that another person in loco parentis (acting in the place of a parent) had given permission. The newspaper stated to the DPC that this person “was acting in loco parentis as far as [the newspaper] was concerned and consent had been therefore given.” The newspaper also informed the DPC that it relies on Article 9(2)(a) and 9(2)(e) of the GDPR for the processing of special category personal data. The newspaper concluded that it had the required legitimate interest in publishing the photograph, that the photograph was in the public domain through the open Facebook page, that it took steps to ensure that consent was obtained to publish the photograph, and that the consent furnished was adequate and it was entitled to rely on same. The newspaper said it was satisfied it had complied with its obligations but that it had reviewed and amended its internal policies on this issue.
The DPC provided the data subject with the response to the complaint and asked the data subject whether they considered their data protection concerns adequately addressed and amicably resolved. In addition, the data subject was invited to make their observations on the response from the data controller. The data subject responded to inform the DPC that the matter was not amicably resolved and that explicit consent should have been obtained. The DPC proceeded to conclude the examination and provide an outcome to both parties as required under section 109(5) of the Data Protection Act 2018 (the 2018 Act).
The DPC advised the data subject, under section 109(5)(c) of the 2018 Act, that the explanation put forward by the data controller concerning the processing of the child’s personal data in the circumstances of this complaint was reasonable. At the same time, the DPC wrote to the religious newspaper and, under section 109(5)(f) of the 2018 Act, recommended that it consider the Code of Practice of the Press Council, in particular principle 9 therein, ensure that the principle of data minimisation is respected, and conduct and record the balancing exercise between the public interest in publication and the rights and interests of data subjects.
Disclosure of account statements by a bank to the representative of a joint account holder
The complainant in this case held a joint bank account with a family member. Following a request from the solicitors of the other joint account holder, the bank (the data controller) disclosed copies of bank statements relating to the account, which included the complainant’s personal data, to those solicitors. The complainant was concerned that this disclosure did not comply with data protection law.
During the course of the DPC’s handling of this complaint, the bank set out its position that any joint account holder is entitled to access the details and transaction information of the joint account as a whole. The bank further took the view that, in relation to solicitors who are acting for its customers, it is sufficient for it to accept written confirmation from a solicitor, on their headed paper, that the solicitor acts for the customer as authority for the bank to engage with the solicitor in their capacity as a representative of the bank’s customer.
First, the DPC considered whether the disclosure was compatible with the purpose for which the complainant’s personal data had been obtained. Data protection law requires that personal data be collected or obtained for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes (the “purpose limitation” principle). In this case, the DPC noted that the bank had obtained the complainant’s personal data in order to administer the joint account which the complainant held with the other account holder, including the making of payments, the collection of transaction information and the preparation of bank statements. It appeared to the DPC that it was consistent with the bank’s terms and conditions for the joint account, and the account holders’ signing instructions on the account (which allowed either party to sign for transactions without the consent of the other account holder), that the administration of the account could be completed by one account holder without the consent of the other. In the light of this, the DPC considered that the disclosure of bank statements to the solicitors of the other joint account holder was not incompatible with the specified, explicit and legitimate purpose for which the complainant’s personal data had been obtained by the bank, that is, for the administration of the joint account.
Second, the DPC considered whether the bank had a lawful basis for the disclosure of the complainant’s personal data, as required under data protection law. In this regard, the DPC was satisfied that the bank was entitled to rely on the “legitimate interests” lawful basis, which permits the processing of personal data where that processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party. In this case, the bank had disclosed the complainant’s personal data on the basis that the solicitor was acting for the other joint account holder and was seeking the statements for legitimate purposes, namely to carry out an audit of the other account holder’s financial affairs. In circumstances where, in accordance with the signing instructions on the account, the other account holder would have been entitled to administer the account, the DPC was satisfied that the bank would not have had any reason to suspect that the disclosure would be unwarranted by reason of any prejudice to the complainant’s fundamental rights or freedoms. Accordingly, the DPC considered that the bank had a lawful basis for the disclosure, regardless of whether the complainant had provided consent.
Finally, the DPC considered whether the bank had complied with its obligations under data protection law to take appropriate technical and organisational measures to ensure security of personal data against unauthorised or unlawful disclosure. In this regard, the DPC accepted the position of the bank, set out in its policies, that it was appropriate to accept written confirmation from a solicitor that they were authorised to act on behalf of an account holder, without seeking further proof. The bank’s policy in this regard was based on the fact that a solicitor has professional duties as an officer of the court and as a member of a regulated profession.
Disclosure of Sensitive Data
An individual complained to the DPC that a clothing and food company had disclosed their personal medical information by issuing postal correspondence with the words “Coeliac Mailing” printed on the outside of the envelope. As part of the store’s Value Card facility, the individual in question had signed up to receive an ‘Annual Certificate of Expenditure’ on gluten-free products purchased during the year, which could be used for tax purposes. The DPC advised the store that, under Article 9 of the GDPR, health data is deemed sensitive data and is afforded additional protection, and that displaying the words “Coeliac Mailing” had to be examined in light of Article 9 of the GDPR. In response, the store advised the DPC that it had instructed its marketing department to cease using this wording on the outside of envelopes for all future mailings. The DPC welcomes the positive outcome of this engagement.
Disclosure Without Consent
An individual complained to the DPC that the Criminal Assets Bureau (CAB) had disclosed his personal financial details, without his consent, to a number of individuals against whom CAB had taken legal proceedings. CAB advised the DPC that the proceedings in question were under the Proceeds of Crime Act 1996-2016 (PoCA), the purpose of which is to identify and confiscate property established, to the satisfaction of the High Court, to be the proceeds of crime. CAB stated that the information contained in the documentation in question was required to establish the provenance of the property that was the subject matter of the proceedings. CAB outlined that the personal data of the complainant was intertwined with the personal data of the individuals being prosecuted and could not be redacted from the court documents. The DPC noted that such proceedings are governed by section 158(1) of the Data Protection Act 2018 (the Act), which provides that the GDPR and the Law Enforcement Directive, as transposed in the Act, may be restricted in order to ensure the protection of judicial independence and judicial proceedings.
As set out in Section 101(2) of the Act, the DPC is not competent for the supervision of data processing operations of the courts when acting in their judicial capacity. The DPC advised the complainant that CAB prepared the court documents for the purposes of court proceedings and that supervision of data processing operations of the courts when acting in their judicial capacity is assigned to a Judge appointed by the Chief Justice pursuant to section 157 of the Act. The DPC provided the complainant with the contact details for the assigned judge.
Lack of appropriate security measures: unauthorised disclosure in a workplace setting
The DPC received a complaint against an employer, a manufacturing company, asserting that their private information including attendances with the company doctor, details of a personal injury claim being pursued against the company and details of a disciplinary procedure taken against the complainant had been placed on the company’s shared ‘C-Drive’, available to be viewed by anyone within the company, and that a copy of the data on a CD-ROM was also left on the complainant’s desk.
It became apparent during the examination of the complaint that a number of workplace computers had been used to access the data on the shared drive, which the company stated was downloaded, copied or sent to an external email address. The organisation advised that it had carried out an investigation of the incident resulting in two employees, identified as having a significant role in the incident, having their employment terminated and that An Garda Síochána had been notified about the incident. The company notified the DPC of the breach incident outlining that certain data was accessed and viewed by at least two of its employees.
It was stated that the data was being transferred internally from its Human Resources (HR) department to its Legal department due to the imminent departure of one of its HR employees. During the transfer a large volume of electronic files relating to legal cases involving a large number of individuals had the potential to be accessed and viewed by employees who would not ordinarily have access to these.
The implementation of measures to protect and secure personal data is a foundational principle of data protection law, particularly in terms of ensuring there is no unauthorised access to, or destruction of, personal data.
With regard to this specific complaint, the DPC observed firstly that the information in respect of the complainant which was disclosed as part of the data breach included very sensitive information, and which constituted “special category data”, in circumstances where special category data includes information about “data concerning health or data concerning a natural person’s sex life”.
The information (examples of which were provided to this office) included details of attendances with the company doctor which revealed very personal and sensitive information about the complainant’s physical health, mental health and personal circumstances. It was noted that this information was being maintained by the company in the context of legal proceedings/claims being taken by the individual. Given the nature of the information, there was a particularly strong onus on the company to ensure that only those who needed access to such information were granted it, and so could access and process it.
The central issue in this complaint was the placing of files including the complainant’s personal information on a shared drive accessible to all employees. The DPC considered that due regard was not given to the sensitivity of the information contained in the files and the risks entailed in making them available to any employee of the company, even if only for a very short period of time. It would seem that the decision to transfer the files to the shared drive was taken for pragmatic reasons, i.e. the company confirmed it was executed in this manner because the files were too large to be sent by email.
However, this did not justify placing the files somewhere where any employee of the company would be able to access them, particularly given the risk of harm to the data subject if colleagues of theirs were able to find out very personal and sensitive information which the complainant may, quite legitimately, not have expected or wanted other employees to know, save to the extent that it was strictly necessary for a limited number of employees to know in relation to legal proceedings/claims between the data subject and their employer. Moreover, there were a number of alternative options for transferring the files to the Legal department which would not have presented the same risk to the security of the personal data, including placing the files in a folder, whether on the shared drive or otherwise, where access was restricted to a limited number of individuals. That such alternative options might have been more time-consuming or difficult to implement was no justification for placing the files on the shared drive with unrestricted access for other employees.
The fallout of the failure to protect personal data in this case was considerable, giving rise to legal proceedings against the company by the affected individual and the loss of two long-term employees who were dismissed, not to mention the impact on the individual whose data was disclosed.