Case Studies Disclosure / Unauthorised Disclosure
Disclosure of a journalist’s name and mobile phone number by a public figure
The complainant in this case was a journalist who emailed a public figure to ask questions about decisions that the public figure had taken in relation to their work. The public figure used their Twitter account to publish a copy of the email. The journalist’s name, work email address and mobile phone number were legible in the published copy of the email. The journalist reported receiving a number of threatening text messages afterwards.
The journalist asked the public figure to delete the published copy of the email. The public figure did so, but also published a Tweet saying that the journalist’s mobile phone number was available online. This included a link to a discussion board message posted by the journalist six years previously, while a student, which included the same mobile number. The journalist complained to the DPC.
As part of its investigation, the DPC asked the public figure to identify the legal basis for disclosing the journalist’s data. The public figure’s response queried whether the journalist’s name and contact details constituted personal data. It also asserted that, because the journalist had previously made that information available on the internet, the journalist had impliedly consented to its publication by the public figure. The journalist rejected that assertion.
The DPC took the position that the journalist’s name, email address and mobile phone number were personal data because the journalist was clearly identifiable by them. Concerning the legal basis for disclosing them, the DPC noted that, while data protection law provided for several possible legal bases for processing, the only basis raised by the public figure had been consent. The DPC’s view was that a media enquiry to a public figure from a journalist acting in that capacity did not amount to valid consent to the sharing of any personal data in the enquiry. For those reasons, the public figure’s disclosure of the data breached data protection law.
Disclosure by a credit union of a member’s personal data to a private investigations firm
The complainant in this case was a borrower from a credit union and was alleged to be in arrears on a loan. The credit union claimed to be unable to contact the complainant. The credit union disclosed personal data of the complainant to a private investigations firm with the intention of locating and communicating with the complainant. The data disclosed included the complainant’s name, address, former address, family status and employment status. Approximately four years later, the complainant became aware of that disclosure and complained to the DPC.
The private investigations firm had ceased to trade several years before the complaint and so was not in a position to assist the DPC’s investigation. The DPC asked the credit union to explain the legal basis on which it had disclosed the data, and why it considered it necessary to do so. The credit union informed the DPC that it did not have a written contract with the private investigations firm, so the DPC asked it to provide details of any internal policy or procedure concerning when it was appropriate to liaise with that firm.
Concerning the legal basis for the disclosure, the credit union claimed that the disclosure was necessary for the purposes of pursuing a legitimate interest and for the performance of its contract with the complainant. It also referred to a provision of section 71(2) of the Credit Union Act 1997 that allows a credit union to disclose a member’s account information where the Central Bank of Ireland (previously, the Registrar of Credit Unions) is of the opinion that doing so is necessary to protect shareholder or depositor funds or to safeguard the interests of the credit union. (The credit union was unable to say whether the Central Bank had expressed such an opinion in relation to this case.)
The credit union maintained that the disclosure was necessary because it had been unable to communicate with the complainant by letter, telephone or through the complainant’s solicitor. In its view, the complainant was seeking to evade its efforts to update its records and discuss the outstanding loan. (The complainant strongly disputed that, pointing out that they had made repayments shortly before the credit union contacted the private investigations firm.)
The credit union told the DPC that its credit control policy dealt with cases where it was proposed that a member’s non-performing loan should be written off as a bad debt. Before doing so, the relevant provisions directed that the credit union should make “every effort…to communicate with the member, including the assistance of a third party” to try to continue with agreed arrangements and assist collection of the debt.
The DPC assessed the legal basis for the disclosure and the existence of a data processing contract as the central issues in the complaint.
In light of all the facts presented, and on the basis of applicable legislation, the DPC concluded that the credit union had a legitimate interest in seeking to obtain up-to-date contact details in order to re-establish contact with the complainant with a view to discussing the repayment of the loan. The processing of personal data was necessary for the purposes of pursuing that legitimate interest. The DPC accepted that the disclosure could affect the complainant’s fundamental rights and legitimate interests. Against that, however, fulfilling the important social function provided by credit unions required that they be able to take action to engage with members whose loans fall into arrears. For that reason, the disclosure was warranted despite the potential prejudice to the complainant’s fundamental rights and freedoms or legitimate interests. The credit union could therefore assert the pursuit of its legitimate interest in contacting the complainant and seeking repayment of the loan as the legal basis for disclosing personal data to the private investigations firm.
The DPC also considered whether section 71(2) of the Credit Union Act 1997 provided a legal basis for the disclosure in this case. The DPC noted that compliance with a legal obligation, such as under a court order or a provision of a statute, can provide a legal basis for processing. However, section 71(2) (including the provision mentioned by the credit union in its submissions to the DPC) was permissive rather than mandatory in its effect: while it allowed credit unions to disclose information in certain circumstances, it did not require them to do so. Accordingly, the section did not justify the disclosure for the purposes of applicable data protection legislation.
The DPC noted that processing by a processor on behalf of a controller must be conducted under the terms of a contract in writing or in equivalent form that complies with applicable data protection legislation, and in particular ensures that the processing meets the obligations imposed on the controller. In the DPC’s opinion, the credit union’s credit control policy was not sufficient to meet this requirement, so the credit union had failed to meet its statutory obligation in this regard.
Disclosure and unauthorised publication of a photograph
A data subject made a complaint to the DPC regarding the publication of their child’s image, name and partial address in a religious newspaper. The image used in the publication was originally obtained from a religious group’s Facebook page. The data subject informed the DPC that consent had not been given for the wider use of the image through publication in the newspaper. The concern was for the child’s privacy arising from the use of the image, name and partial address by the newspaper. In correspondence sent directly between the data subject and the newspaper, the data subject asserted that Article 9 of the GDPR, concerning special category personal data, applied to their complaint because the image disclosed information regarding the child’s religious beliefs.
As part of its examination, the DPC engaged with the data controller and asked for a response to the complaint. The data controller informed the DPC that it had never intended any distress to the data subject or their family. A reporter had seen the image on the group’s Facebook page and asked permission to use it from a leading member of the religious group, who subsequently granted permission for its use. The newspaper stated that the image was already available online through the group’s Facebook page and had been taken at a public event, and that the address used was that of the religious group and not the child’s personal address.
In further response to the DPC’s queries, the newspaper informed the DPC that it was its normal practice to seek consent to take and use images and that, although in this instance the image was available on an open Facebook page, the newspaper had still contacted the religious group and asked whether permission had been obtained to use the image. The leading member of the religious group it had contacted advised that another person in loco parentis (acting in the place of a parent) had given permission. The newspaper stated to the DPC that this person “was acting in loco parentis as far as [the newspaper] was concerned and consent had been therefore given.” The newspaper also informed the DPC that it relied on Article 9(2)(a) and 9(2)(e) of the GDPR for the processing of special category personal data. The newspaper concluded that it had the required legitimate interest in publishing the photograph, that the photograph was in the public domain through the open Facebook page, that it had taken steps to ensure that consent was obtained to publish the photograph, and that the consent furnished was adequate and it was entitled to rely on it. The newspaper said it was satisfied it had complied with its obligations, but that it had reviewed and amended its internal policies on this issue.
The DPC provided the data subject with the response to the complaint and asked the data subject whether they considered their data protection concerns adequately addressed and amicably resolved. In addition, the data subject was invited to make their observations on the response from the data controller. The data subject responded to inform the DPC that the matter was not amicably resolved and that explicit consent should have been obtained. The DPC proceeded to conclude the examination and provide an outcome to both parties as required under section 109(5) of the Data Protection Act 2018 (the 2018 Act).
The DPC advised the data subject under section 109(5)(c) of the 2018 Act that the explanation put forward by the data controller concerning the processing of the child’s personal data in the circumstances of this complaint was reasonable. At the same time, the DPC wrote to the religious newspaper and, under section 109(5)(f) of the 2018 Act, recommended that it consider the Code of Practice of the Press Council, in particular principle 9, ensuring that the principle of data minimisation is respected, and that it conduct and record the balancing exercise between the public interest in publication and the rights and interests of data subjects.
Disclosure of account statements by a bank to the representative of a joint account holder
The complainant in this case held a joint bank account with a family member. Following a request from the solicitors of the other joint account holder, the bank (the data controller) disclosed copies of bank statements relating to the account, which included the complainant’s personal data, to those solicitors. The complainant was concerned that this disclosure did not comply with data protection law.
During the course of the DPC’s handling of this complaint, the bank set out its position that any joint account holder is entitled to access the details and transaction information of the joint account as a whole. The bank further took the view that, in relation to solicitors who are acting for its customers, it is sufficient for it to accept written confirmation from a solicitor on their headed paper that the solicitor acts for the customer as authority for the bank to engage with the solicitor in their capacity as a representative of the bank’s customer.
First, the DPC considered the purpose of the processing. Data protection law requires that personal data be collected or obtained for specified, explicit and legitimate purposes and not be further processed in a manner that is incompatible with those purposes (the “purpose limitation” principle). In this case, the DPC noted that the bank had obtained the complainant’s personal data in order to administer the joint account which the complainant held with the other account holder, including the making of payments, the collection of transaction information and the preparation of bank statements. It appeared to the DPC that it was consistent with the bank’s terms and conditions for the joint account, and with the account holders’ signing instructions on the account (which allowed either party to sign for transactions without the consent of the other account holder), that the administration of the account could be completed by one account holder without the consent of the other. In the light of this, the DPC considered that the disclosure of bank statements to the solicitors of the other joint account holder was not incompatible with the specified, explicit and legitimate purpose for which the complainant’s personal data had been obtained by the bank, that is, the administration of the joint account.
Second, the DPC considered whether the bank had a lawful basis for the disclosure of the complainant’s personal data, as required under data protection law. In this regard, the DPC was satisfied that the bank was entitled to rely on the “legitimate interests” lawful basis, which permits the processing of personal data where that processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party. In this case, the bank had disclosed the complainant’s personal data on the basis that the solicitor was acting for the other joint account holder and was seeking the statements for legitimate purposes, namely to carry out an audit of the other account holder’s financial affairs. In circumstances where, in accordance with the signing instructions on the account, the other account holder would have been entitled to administer the account, the DPC was satisfied that the bank would not have had any reason to suspect that the disclosure would be unwarranted by reason of any prejudice to the complainant’s fundamental rights or freedoms. Accordingly, the DPC considered that the bank had a lawful basis for the disclosure, regardless of whether the complainant had provided consent.
Finally, the DPC considered whether the bank had complied with its obligations under data protection law to take appropriate technical and organisational measures to ensure security of personal data against unauthorised or unlawful disclosure. In this regard, the DPC accepted the position of the bank, set out in its policies, that it was appropriate to accept written confirmation from a solicitor that they were authorised to act on behalf of an account holder, without seeking further proof. The bank’s policy in this regard was based on the fact that a solicitor has professional duties as an officer of the court and as a member of a regulated profession.
Disclosure of Sensitive Data
An individual complained to the DPC that a clothing and food company disclosed their personal medical information by issuing postal correspondence with the words “Coeliac Mailing” printed on the outside of the envelope. As part of the Stores Value Card facility, the individual in question had signed up to receive an ‘Annual Certificate of Expenditure’ of gluten-free products purchased during the year, which could be used for tax purposes. The DPC advised the store that under Article 9 of the GDPR, health data is deemed sensitive data and is afforded additional protection and that displaying the words “Coeliac Mailing” has to be examined in light of Article 9 of the GDPR. In response, the store advised the DPC that it instructed its marketing department to cease using this wording on the outside of envelopes for all future mailings. The DPC welcomes the positive outcome to this engagement.
Disclosure Without Consent
An individual complained to the DPC that the Criminal Assets Bureau (CAB) disclosed his personal financial details without his consent, to a number of individuals against whom CAB had taken legal proceedings. CAB advised the DPC that the proceedings in question were under the Proceeds of Crime Act, 1996-2016 (PoCA), the purpose of which is to identify and confiscate property, established to the satisfaction of the High Court, to be the proceeds of crime. CAB stated the information contained in the subject documentation was required to establish the provenance of property the subject matter of the proceedings. CAB outlined that the personal data of the complainant was intertwined with the personal data of the individuals being prosecuted and could not be redacted from the court documents. The DPC noted such proceedings are governed by section 158(1) of the Data Protection Act, 2018 (the Act) which provides that the GDPR and Law Enforcement Directive as transposed in the Act may be restricted in order to ensure the protection of judicial independence and judicial proceedings.
As set out in Section 101(2) of the Act, the DPC is not competent for the supervision of data processing operations of the courts when acting in their judicial capacity. The DPC advised the complainant that CAB prepared the court documents for the purposes of court proceedings and that supervision of data processing operations of the courts when acting in their judicial capacity is assigned to a Judge appointed by the Chief Justice pursuant to section 157 of the Act. The DPC provided the complainant with the contact details for the assigned judge.
Lack of appropriate security measures: unauthorised disclosure in a workplace setting
The DPC received a complaint against an employer, a manufacturing company, asserting that their private information including attendances with the company doctor, details of a personal injury claim being pursued against the company and details of a disciplinary procedure taken against the complainant had been placed on the company’s shared ‘C-Drive’, available to be viewed by anyone within the company, and that a copy of the data on a CD-ROM was also left on the complainant’s desk.
It became apparent during the examination of the complaint that a number of workplace computers had been used to access the data on the shared drive, which the company stated was downloaded, copied or sent to an external email address. The organisation advised that it had carried out an investigation of the incident resulting in two employees, identified as having a significant role in the incident, having their employment terminated and that An Garda Síochána had been notified about the incident. The company notified the DPC of the breach incident outlining that certain data was accessed and viewed by at least two of its employees.
It was stated that the data was being transferred internally from its Human Resources (HR) department to its Legal department due to the imminent departure of one of its HR employees. During the transfer a large volume of electronic files relating to legal cases involving a large number of individuals had the potential to be accessed and viewed by employees who would not ordinarily have access to these.
The implementation of measures to protect and secure personal data is a foundational principle of data protection law, particularly in terms of ensuring that there is no unauthorised access to, or destruction of, personal data.
With regard to this specific complaint, the DPC observed firstly that the information in respect of the complainant which was disclosed as part of the data breach included very sensitive information and constituted “special category data”, a category that includes “data concerning health or data concerning a natural person’s sex life”.
The information (examples of which were provided to this office) included details of attendances with the company doctor which revealed very personal and sensitive information about the complainant’s physical health, mental health and personal circumstances. It was noted that this information was being maintained by the company in the context of legal proceedings/claims being taken by the individual. Given the nature of the information, there was a particularly strong onus on the company to ensure that only those who needed access to such information were granted it, and so could access and process it.
The issue in this complaint was the placing of files, including the complainant’s personal information, on a shared drive accessible to all employees. The DPC considered that due regard was not given to the sensitivity of the information contained in the files and the risks entailed in making them available to any employee of the company, even if only for a very short period of time. It would seem that the decision to transfer the files to the shared drive was taken for pragmatic reasons: the company confirmed that it was done in this manner because the files were too large to be sent by email.
However, this did not justify placing the files somewhere that any employee of the company would be able to access them, particularly given the risk of harm to the data subject if colleagues were able to find out very personal and sensitive information which the complainant may, quite legitimately, not have expected or wanted other employees to know, save to the extent that it was strictly necessary for a limited number of employees to know it in relation to the legal proceedings/claims between the data subject and their employer. Moreover, there were a number of alternative options for transferring the files to the Legal department which would not have presented the same risk to the security of the personal data, including placing the files in a folder, whether on the shared drive or elsewhere, where access was restricted to a limited number of individuals. That such alternative options might have been more time-consuming or difficult to implement was no justification for placing the files on the shared drive with unrestricted access for other employees.
The fallout from the failure to protect personal data in this case was considerable: it gave rise to legal proceedings against the company by the affected individual and the loss of two long-term employees who were dismissed, in addition to the impact on the individual whose data was disclosed.
Unauthorised disclosure in a workplace setting
The complainant alleged that insecure processing by his former employer had made his personal data accessible to unauthorised persons, including former colleagues and external third parties.
The complainant was in a legal dispute with the company arising from his dismissal. In connection with that dispute, the company had prepared documents including an internal investigation report and a legal submission to the Workplace Relations Commission (WRC). While the WRC submission did not contain a great deal of the complainant’s personal data, the internal investigation report did.
Approximately one month before the complainant first contacted the DPC, the company had notified the DPC of a data breach. The notification stated that the WRC submission had been inadvertently stored on a folder accessible by all employees, rather than on one that was accessible only by authorised HR staff. The error was noticed and corrected two days later, and the company notified the DPC shortly thereafter. The company’s systems did not record whether, when or by whom the WRC submission might have been accessed, or whether it had been copied or printed.
In the complaint, the complainant alleged that the breach affected not just the WRC submission but also the internal investigation report, and that these had been accessible from all parts of the company’s intranet, including on a device that could be used by both employees and visitors to the company’s premises. The complainant submitted statements from former colleagues who described having access to documents relating to “the internal investigation.” The company denied that the internal investigation report had ever been accessible by unauthorised persons. It also maintained that, while the WRC submission had been inappropriately available for a short time on the company’s intranet, it was not on a part of it accessible to non-employees.
The DPC addressed two main issues: what had been the content and extent of the breach, and whether the company’s security measures had met the standard required by applicable data protection legislation.
The complainant’s former colleagues had said that documents concerning “the internal investigation” had been accessible by them. However, these statements had not described in any detail the nature or contents of the documents, did not say when or by whom they had been seen, and did not say that the documents were accessible by non-employees. Against that, the company had consistently maintained that the WRC submission, but not the internal investigation report, had been inappropriately accessible to employees for a number of days. Significantly, the company had notified the DPC of that approximately one month before the complainant had first lodged his complaint. The DPC took the view that there was insufficient evidence to support the claim that the internal investigation report had been disclosed, or that the complainant’s personal data had been accessible by non-employees as well as unauthorised employees.
Concerning the company’s security measures, the DPC noted that the applicable standard had to reflect and mitigate the harm that could be caused by relevant risks including, as in this case, disclosure to unauthorised persons. The company was clearly aware of the risk of disclosure, as it had arranged for confidential documents to be stored in a way that gave access only to authorised HR staff.
However, the company had failed to properly anticipate and mitigate the risk of human error in storing such documents, as had happened to the WRC submission. The DPC also reminded the company of the need to ensure that relevant personnel are aware of the need to handle personal data in accordance with applicable security measures, and to respond to breaches accordingly. This case illustrates how data controllers must consider all risks that can arise when they process personal data, including the risk of human error. The measures that they adopt to address those risks must reflect not just the possible causes of loss or harm, but also the consequences of a breach, and the ways in which those consequences can be minimised or remedied.
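The two workplace cases above turn on the same point: files containing sensitive personal data were placed in a location readable by every employee, when a folder restricted to the staff who needed it would have served the same purpose, and in the second case the company could not later tell who had read the file. The following is an added example, not code from the DPC or from either company, showing the two controls a practitioner would want on a POSIX file share: an audit that lists every file readable by anyone other than its owner, and a hand-over routine that moves files into an owner-only directory instead of an open one. The directory layout, file names and mode bits are hypothetical, and the sample share is constructed in a temporary directory so the script runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Added example, not from the DPC case studies. Everything below (paths, file
# names, mode bits) is hypothetical; the sample share is constructed on the fly.


def readable_beyond_owner(path: Path) -> bool:
    """True if the group or 'other' read bit is set.

    On a share where all staff belong to one group, either bit means any
    employee can open the file, which is the exposure in both case studies.
    """
    return bool(path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_share(root: Path) -> list[str]:
    """Return share-relative paths of every regular file readable beyond its owner."""
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and readable_beyond_owner(p)
    )


def restricted_handover(files: list[Path], dest: Path) -> Path:
    """Move files into a directory only its owner can enter, and make each file 0600.

    This is the alternative the DPC points to: a folder whose access is limited
    to the people who need it, rather than a share open to every employee.
    chmod is applied explicitly so the caller's umask cannot widen the result.
    """
    dest.mkdir(parents=True, exist_ok=True)
    os.chmod(dest, stat.S_IRWXU)  # 0700: owner only
    for f in files:
        target = dest / f.name
        f.replace(target)
        os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)  # 0600
    return dest


def build_sample_share() -> Path:
    """Construct a throwaway share reproducing the mistake in the case study."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "shared").mkdir()
    (root / "hr").mkdir()
    # The misplaced legal submission, world-readable (hypothetical name/content).
    wrc = root / "shared" / "wrc_submission.docx"
    wrc.write_text("constructed sample: legal submission containing personal data")
    os.chmod(wrc, 0o644)
    # A correctly restricted HR file for contrast.
    notes = root / "hr" / "case_notes.docx"
    notes.write_text("constructed sample: HR-only notes")
    os.chmod(notes, 0o600)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    print("exposed before:", audit_share(share))  # ['shared/wrc_submission.docx']
    restricted_handover([share / "shared" / "wrc_submission.docx"], share / "legal_handover")
    print("exposed after: ", audit_share(share))  # []
```

Running the audit on a schedule, and before and after any bulk transfer between departments, catches the human error the DPC describes at the moment it happens rather than two days later. It does not, however, answer the second question in the WRC case (who read the file while it was exposed); that needs access logging enabled on the share itself, which is outside what mode bits can tell you.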
Alleged disclosure of the complainant’s personal data by a local authority (Data Breach Complaint)
The DPC received a complaint from an individual concerning an alleged disclosure of the complainant’s personal data by a local authority. The complainant alleged that the local authority had disclosed the complainant’s name, postal address and information relating to the housing assistance payment in error to a third party. The individual had been informed by the local authority that this disclosure had occurred. However, the individual was dissatisfied with the actions taken by the local authority in response to the disclosure and did not wish to engage further with the local authority with a view to seeking an amicable resolution of the complaint.
The DPC examined the complaint and contacted the local authority in order to seek further information regarding the individual’s allegations. The local authority confirmed to the DPC that a personal data breach had occurred when the complainant’s personal data was included, in error, in a Freedom of Information request response to a third party. In addition to the information provided by the local authority to the DPC in the context of its examination of the complaint, the incident in question was notified to the DPC by the local authority as a personal data breach, as required by Article 33 of the GDPR. In that context, the DPC engaged extensively with the local authority regarding the circumstances of the personal data breach, the data security measures in place at the time the personal data breach occurred and the mitigating measures taken by the local authority, including the local authority’s ongoing efforts to retrieve the data from the recipient.
On the basis of this information, the DPC concluded its examination of the complaint by advising the individual that the DPC was satisfied that the complainant’s personal data were not processed by the local authority in a manner that ensured appropriate security of the personal data and that an unauthorised disclosure of the complainant’s personal data, constituting a personal data breach, had occurred. On the basis of the actions that had been taken by the local authority in response to the personal data breach and, in particular, the fact that the recipient of the complainant’s personal data had returned the data to the local authority, the DPC did not consider that any further action against the local authority was warranted in relation to the subject matter of the complaint.
Unauthorised disclosure of mobile phone e-billing records, containing personal data, by a telecommunications company, to the data subject’s former employer (Applicable law: Data Protection Acts 1988 and 2003)
The complainant, during a previous employment, asked the telecommunications company to link her personal mobile phone number to her (then) employer’s account. This enabled the complainant to avail of a discount associated with her (then) employer. While this step resulted in the name on the complainant’s account changing to that of her (then) employer, the complainant’s home address remained associated with the account and the complainant remained responsible for payment of any bills. Following termination of the employment relationship, the complainant contacted the telecommunications company to ask that it (i) restrict her former employer’s access to her mobile phone records; and (ii) separate the account from that of her former employer. Following this request, an account manager took a number of steps in the mistaken belief that this would result in the separation of the complainant’s account from that of her former employer. The complainant, however, became aware that, subsequent to her request, her former employer continued to access her account records. On foot of further inquiries from the complainant, the telecommunications company discovered its error and the complainant’s account was eventually separated from that of her former employer.
The complainant subsequently submitted a complaint to the telecommunications company. Having investigated the complaint, the company informed the complainant that it did not have a record of the original account restriction request. In the circumstances, the complainant referred a complaint to this office.
During our investigation, the telecommunications company acknowledged that the initial action taken by its account manager was insufficient as it did not separate the complainant’s account from that of her former employer and neither did it prevent her former employer from accessing her e-billing records. The company further acknowledged that its records were incomplete when it investigated the complainant’s complaint. It confirmed, in this regard, that it had since located the complainant’s initial restriction/separation request.
The issues for determination, therefore, were whether the telecommunication company, as data controller:
- implemented appropriate security measures, having regard to Sections 2(1)(d) and 2C(1) of the Acts, in order to protect the complainant’s personal data against unauthorised access by, and disclosure to, a third party (i.e. the complainant’s former employer); and
- kept the complainant’s data accurate, complete and up to date, as required by Section 2(1)(b) of the Acts.
This office found that the telecommunications company did not implement appropriate security measures to protect the complainant’s personal data from unauthorised access by, and disclosure to, her former employer. This was self-evident from the fact that the complainant’s former employer continued to access her e-billing records despite the initial actions taken by the telecommunications company.
This office further noted the obligation, set out in Section 2C(2) of the Acts, for a data controller to “… take all reasonable steps to ensure that — (a) persons employed by him or her … are aware of and comply with the relevant security measures aforesaid …”. This office found that the telecommunications company had not complied with its obligations in this regard. Again, this was self-evident from the fact that the account manager who initially actioned the complainant’s request was operating on the mistaken belief that the actions taken were sufficient to achieve separation of the complainant’s account from that of her former employer.
This office also considered the fact that, at the time when the complainant referred her complaint to the telecommunications company, the company could not locate her initial account restriction request. The result was that the outcome of the company’s own investigation into the individual’s complaint was incorrect. Accordingly, and notwithstanding the subsequent rectification of the position, this office found that the telecommunications company had failed to comply with its obligations under Section 2(1)(b) of the Acts, in circumstances where the complainant’s records, at the relevant time, were inaccurate, incomplete and not up to date.