Case Studies 2010
In April 2009, we received a large number of complaints against Ice Broadband (also known as Ice Communications Ltd) concerning the disclosure of personal data as a result of an email issued by Ice Broadband. The email was entitled 'Disconnection Notice' and was sent to over three hundred customers. Among other things, the email stated that the customer's account was in arrears and that, unless contact was made within twenty four hours, their service may be cancelled and their account may be passed to its legal department. Ice Broadband included all of the email addresses openly in the 'To' field of the email, thereby disclosing the email addresses (and therein the identity of the recipients in many cases) and the content of the email to every customer to whom it was sent. Apart from complaining about the disclosure of their personal data, some customers expressed further annoyance that they had been sent the email at all since their accounts were not in arrears.
We began our investigation into this matter by immediately contacting Ice Broadband. We instructed the company to issue an email of apology to all affected customers. On receipt of our request, Ice Broadband immediately issued an email of apology to all those affected by the disclosure. My Office then sought a full report from Ice Broadband on the cause of the incident. We asked the company to outline the steps it had taken to ensure that such a disclosure would not recur. Approximately six weeks later we received an incident report from Ice Broadband in which it provided some detail on the cause of the incident and the steps taken to prevent a recurrence. However, the report contained some information which appeared to conflict with our understanding of the subject matter of the original email. As a result, we sought clarification on some aspects of the incident report. We also informed Ice Broadband of our obligation to attempt to amicably resolve complaints and we asked it to inform us of any proposals it wished to put forward to amicably resolve the complaints we had received. However, despite a number of reminders, Ice Broadband failed to respond to our letters. As a result, in October 2009 an Information Notice was served on Ice Broadband under Section 12 of the Data Protection Acts. It required Ice Broadband to provide certain information within twenty one days. We received an acknowledgement of receipt of the Notice from Ice Broadband's Customer Service Manager. However, Ice Broadband failed to comply with the requirements of the Information Notice as it did not provide the information sought.
We received a separate complaint in July 2009 from one of the customers affected by the disclosure concerning a request she had made to Ice Broadband under Section 3 of the Acts. A Section 3 request obliges a data controller to inform the requester whether it holds any of their personal data and if so, to provide the requester with a description of that data and the purposes for which it is kept. The data controller must comply with the Section 3 request within twenty one days. In this case, Ice Broadband failed to respond to the Section 3 request. We commenced a separate investigation of this complaint. We wrote to Ice Broadband on the matter. However, it again failed to respond to our investigation despite three letters having been issued. Consequently, we served an Enforcement Notice on Ice Broadband under Section 10 of the Acts requiring it to comply with the Section 3 request within twenty one days. However, Ice Broadband failed to comply with the requirements of the Enforcement Notice.
As Ice Broadband had committed offences by failing to comply with the requirements of two separate legal notices served on it, we decided to prosecute the company. We served a summons on Ice Broadband to appear before the Dublin Metropolitan District Court on two charges. At the initial court hearing in March 2010, counsel for Ice Communications Ltd applied for an adjournment. He gave an undertaking to the court that the company would comply with the requirements of the Enforcement Notice and that it would provide the information sought in the Information Notice before the next court date. The court granted the adjournment and it fixed a hearing date for May 2010. On the same day as the initial court hearing, a liquidator was appointed to Ice Communications Ltd. At the end of April 2010, we received a letter from Ice Broadband in response to the information sought in the Information Notice. Around the same time, Ice Broadband wrote to the customer who had made the Section 3 request and it provided her with the information she had sought.
A full hearing took place in the Dublin Metropolitan District Court in May 2010. At the end of the hearing, the judge indicated that he believed that the company had committed a technical breach of the Acts and he found that the facts of the case against Ice Broadband were proven. In his summing up remarks, the judge said that the company's managing director had buried her head in the sand in relation to the whole issue and he acknowledged that the Data Protection Commissioner 'had broken his back' in his efforts to obtain information from the company for the purposes of his investigations. In light of the fact that the company was now in liquidation, the judge indicated that he had to be realistic and impose a practical, common sense sentence. For that reason, he indicated that he would adjourn sentencing until the following day. He asked the managing director and the CEO of Ice Broadband to produce two personal cheques on the following day; one cheque was to cover our legal costs and a further cheque to the value of €1,000 was to be made payable to a charity of the court's choice. The cheques were handed to the court on the following day and the judge then applied the Probation Act in relation to the offences committed.
This case serves to demonstrate the lack of cooperation which we sometimes experience when investigating complaints. In truth, the investigation of these complaints should have been straightforward. A serious breach of the data protection rights of over three hundred people took place. The company should have responded with an immediate apology to the affected customers, an examination of the causes of the incident, an evaluation of the extent of the incident, remedial action to prevent such an incident from happening again and, finally, a full incident report to our Office. In this case, all of this could have been completed within 48 hours of the incident. Instead, the investigation was frustrated by the company to such an extent that we had to serve legal notices (which is something we do very sparingly) and, when the company failed to comply, we had to bring prosecutions. As a result, a matter which should have been dealt with over a couple of days following the incident took over a year to bring to a conclusion. The blame for that long process and the consequent consumption of our Office's resources lies solely with Ice Broadband. Had it engaged meaningfully with us on a cooperative basis at the outset, the issuing of two legal notices, one summons and the subsequent court proceedings could all have been avoided.
We continued to use our powers of prosecution to ensure that consumers are not inundated with unsolicited marketing text messages to their mobile phones. A person's mobile phone is now almost an extension of the person and unwanted messages can be extremely intrusive. Regulation 13 of S.I. No. 535 of 2003 (as amended) provides that marketing text messages may not be sent to any individual unless that individual has consented to the receipt of such messages. Furthermore, it also prohibits the sending of marketing text messages without the inclusion of a cost-free opt-out facility which would enable the recipient to object to receiving further messages. It provides for penalties of up to €5,000 per message sent for each separate offence, or up to €250,000 on indictment or 10% of annual turnover if greater than this amount. A number of the cases that we prosecuted in 2010 are described below.
Free Spirit Hair & Beauty Salon Ltd
In 2009 we received two complaints concerning unsolicited direct marketing text messages promoting special offers from branches of Free Spirit Hair & Beauty Salon Ltd. One of the complainants had been a customer and the second complainant had made a treatment reservation which she later cancelled. Both individuals informed the Office that they had not consented to receiving marketing messages. Some of the marketing messages sent to these complainants did not contain an opt-out facility.
We contacted the branches concerned at the IFSC and at Citywest. Neither branch was able to provide evidence that the complainants had consented to receiving marketing text messages. On that basis we were satisfied that offences had been committed by both branches of Free Spirit Hair & Beauty Salon Ltd and we decided to prosecute those offences. This was not the first occasion on which this company had come to our attention. In 2006, during the course of our investigation of a separate complaint, we drew the company's attention to the law with regard to electronic marketing.
In January 2010, in the Dublin District Court, FS Citywest Limited and Free Spirit Hair and Beauty Salon Ltd pleaded guilty in respect of one offence each under Regulation 13(1)(b) of S.I. No. 535 of 2003 (as amended) in respect of the sending of a direct marketing text message without consent. They also pleaded guilty to one offence each under Regulation 13(8) of S.I. No. 535 of 2003 (as amended) for not providing a valid opt-out address on those marketing messages. The Judge accepted the guilty pleas and imposed penalties of €250 for each offence. The Judge also ordered the defendants to pay our costs.
Crunch Fitness Limited
In 2008 we received a complaint regarding marketing text messages from Crunch Fitness Ltd. The complainant stated that she had no previous relationship with Crunch Fitness, that she had not given them her mobile phone number and that she had never consented to the receipt of marketing text messages from them. She informed us that she had contacted Crunch Fitness to find out how it had obtained her mobile phone number. She was told that the number had been collected in February 2008 when an individual had taken a tour of one of its gyms and had supplied the mobile number as a contact number. This was confirmed to us by Crunch Fitness. The company also confirmed that the individual who toured the gym was not the complainant. The text message also lacked a valid opt-out mechanism.
Crunch Fitness admitted that it had no opt-out facility in the message and indicated that, in future, an opt-out would be included in all direct marketing text messages. At this point, in May 2008, Crunch Fitness informed us that the complainant's mobile phone number had been removed from its marketing database. In line with our usual policy on such matters we noted their assurances and issued a warning.
The complainant contacted us again in December 2008 to inform us that she had received a further marketing text message from Crunch Fitness. Again, this message did not include any opt-out mechanism. In response, Crunch Fitness indicated that it had erroneously re-sent a message from March 2008. This resulted in the complainant receiving a further marketing message with no opt-out facility. On this basis we initiated prosecution proceedings.
In January 2010 the case came before Dublin Metropolitan District Court where Crunch Fitness Premier Limited pleaded guilty in respect of one offence under Regulation 13(1)(b) of SI 535 of 2003 for the sending of a direct marketing text message without consent. The Judge accepted the guilty plea and imposed a fine of €500. The Judge also ordered the defendant to pay our costs. We have not had any subsequent valid complaints in relation to the company.
The Black Dog Communications Limited
In May 2009 we received a complaint from the mother of a thirteen-year-old girl who had received unsolicited marketing text messages from The Black Dog Communications Limited. As a result of clicking on a link in one of those unsolicited text messages, the child inadvertently joined a premium rate subscription service.
The complainant informed my Office that her daughter had previously entered a competition by text message in a teenage magazine. She assumed that this was the source of the premium rate subscription service. However, when she contacted the magazine, she was told that its competitions are stand-alone and did not involve joining a premium rate subscription service. She said that the magazine also assured her that information collected through its competitions is not disclosed to third parties.
When we investigated the complaint we found that The Black Dog Communications Limited had obtained the child's mobile phone number as a result of her entry to the competition in the magazine. This information gave rise to further questions as to how The Black Dog Communications Limited obtained customer information which was the property of a separate company. We subsequently established that both The Black Dog Communications Limited and the magazine used the technical platform of the same service provider to send and receive text messages for their respective services/competitions. A monthly report provided to The Black Dog Communications Limited by the service provider contained, in error, the mobile phone details of the entrants to the competition run by the magazine. The Black Dog Communications Limited placed those mobile phone numbers on its promotional database without checking to ensure that the numbers concerned had opted in to its database and without checking the basis for the consent.
We initiated prosecution proceedings and the case came before the Dublin Metropolitan District Court in February 2010. The Blackdog Communications Limited entered a guilty plea in relation to one offence under Regulation 13(1)(b) of SI 535 of 2003 (as amended). Having heard the evidence, the Court was satisfied that the case against The Blackdog Communications Limited had been proven. Instead of recording a conviction and imposing a fine, the Judge applied the Probation Act on condition that The Blackdog Communications Limited make a donation of €3,000 to the GOAL charity for the Haiti Appeal and that it make a contribution to our prosecution costs. The Judge emphasised that the Court record would show that the facts relating to the offence were established and that that record would be available to the Court should the defendant come before it on any future occasion. We have not had any subsequent valid complaints in relation to the company.
Making marketing calls to the line of a subscriber whose telephone number is recorded on the National Directory Database (NDD) opt-out register is an offence under Regulation 13(4)(b) of Statutory Instrument 535 of 2003 (as amended).
In April 2009 the marketing activities of Fairco Limited, a supplier of windows and doors, came to our attention when we received a complaint regarding a marketing call made by the company. The call was made to an individual who had exercised his right to have his preference not to be telephoned for marketing purposes recorded on the NDD.
By way of explanation, Fairco Limited informed us that while going through its database of past customers its operator dialled the wrong number and it apologised for its mistake. It provided us with details of the intended number. Unfortunately for Fairco, that number was also on the opt-out list of the NDD not to receive marketing telephone calls. In view of this we were not in a position to accept their explanation. In addition, this was the second time that this company had come to the attention of my Office. We initiated a prosecution in respect of the offence.
In March 2010, at Dublin Metropolitan District Court, Fairco Limited pleaded guilty in respect of one charge relating to the making of an unsolicited marketing telephone call to an individual without consent in April 2009 in contravention of Regulation 13(4)(b) of S.I. 535 of 2003 (as amended). The Court recorded a conviction, imposed a fine of €300 in relation to the offence and directed that our legal costs be paid.
During 2009 we received three complaints against a telecommunications company, Pure Telecom Ltd, regarding marketing calls made by the company to individuals who had exercised the right to have their preference not to be telephoned for marketing purposes recorded on the NDD opt-out register.
By way of explanation of two of these incidents, the company informed us that it had to reconfigure its firewall to allow access to new IP addresses following its move to new premises. The company stated that some of the older software had not been updated with the new addresses and therefore they were unable to connect correctly to the section of the database that held the most up to date NDD information. According to the company, for this reason these older systems were checking an out of date NDD list while the newer software was reading from the latest list (the NDD opt-out list is updated on a fortnightly basis and is circulated to marketers who are licensed to use it). This resulted in calls being made to numbers on the opt-out register. In another case, the company stated that it had obtained the phone number through a customer referral and that an off-shore telemarketing company working on its behalf had made the marketing call in that instance. The off-shore company had not checked the phone number against the NDD opt-out register resulting in a call for marketing purposes. We took the view that these explanations demonstrated procedural and system failures within Pure Telecom Ltd with regard to its telemarketing activities. We were satisfied that offences had been committed and decided to prosecute Pure Telecom Ltd in respect of those offences as, in line with our policy for prosecutions, the company had previously come to our attention.
In May 2010, at Dublin Metropolitan District Court, Pure Telecom Ltd pleaded guilty in respect of three charges relating to the making of unsolicited marketing telephone calls to individuals without consent, in contravention of Regulation 13(4)(b) of S.I. 535 of 2003 (as amended). The Court recorded a conviction, imposed a total fine of €1,250 and directed that Pure Telecom Ltd pay our costs.
In our Annual Report for 2008, we reported on complaints received from individuals regarding marketing emails from Tesco. In all cases, the complainants had registered for on-line shopping with Tesco and soon afterwards they began receiving marketing emails. Using the unsubscribe facility provided by Tesco, the complainants tried to stop further marketing emails being sent to them, but to no avail. Following our intervention, Tesco identified and fixed errors in its unsubscribe system. The complaints were resolved by means of an amicable resolution involving an apology and a goodwill gesture to each complainant.
In 2009 I was disappointed to learn that email marketing by Tesco emerged yet again as a source of complaint to our Office. We received a number of complaints from individuals who had attempted to unsubscribe from receiving further marketing emails. However, Tesco persisted in emailing them with promotional offers. One complainant reported that he had used the unsubscribe facility on the marketing emails several times and, when this did not yield results, he emailed Tesco's Customer Services requesting an opt-out. While several emails were exchanged between Customer Services and the complainant, Tesco continued to send marketing emails and we received a complaint. Another complainant experienced similar difficulties. He also attempted to unsubscribe using the facility provided on the marketing emails and, when these attempts failed, he sent an email to Customer Services reporting his efforts to unsubscribe. He informed Tesco that he was reporting the matter to our Office. Despite this, Tesco continued to send him marketing emails.
At the initial stage of our investigation we succeeded in having the email addresses of the complainants opted out of further marketing contact. It took some considerable time for Tesco to establish the cause of the failure to follow up unsubscribe requests. Eventually, Tesco reported that the task of unsubscribing customers had been moved from Cardiff to India and that, following the move, the process had failed in some instances. In addition, Tesco reported that a separate problem arose when it introduced a new website platform. An error in the management of customer preference questions resulted in a failure to record those customers who had unsubscribed from email communication on the database.
On the basis of our investigation we were satisfied that offences under SI 535 of 2003 (as amended) had been committed. As this was the second occasion on which Tesco had come to our attention for breaching the instrument, we decided to prosecute. The matter came before the Dublin Metropolitan District Court in mid-2010. Tesco entered guilty pleas on four charges related to the sending of marketing emails to individuals who had requested not to receive such emails. The Court recorded a conviction on two charges and it took the other two charges into consideration. Penalties of €1,000 were imposed in respect of each of two charges. The Court awarded our legal costs to us. In addition, Tesco undertook to suspend all email marketing in Ireland until the errors in its opt-out systems were corrected. One month later, Tesco reported to us that a solution had been found and implemented.
Unsolicited or spam email is one of the scourges of modern communications. It is something that affects all email users in their homes, at work or in their businesses. Most spam email comes from distant parts of the world, predominantly from outside of Ireland and the EU. Because of its origins, we do not have power to take action against the offenders. However, we investigate all complaints about unsolicited marketing emails sent by Irish based entities and, as this case study shows, we will not hesitate to use our powers to prosecute offenders if such action is warranted.
Case study 5: Individuals prosecuted for sending unsolicited marketing text messages
In addition to the other cases outlined in this report, we took prosecution proceedings against two individuals for sending unsolicited marketing text messages without including opt-out mechanisms in those messages. This was the first time that we pursued a prosecution in relation to an individual. The case has established an important precedent that Regulation 13 of SI 535 of 2003 (as amended) with regard to unsolicited communications applies not only to marketing companies but also to individuals, acting as data controllers, who are involved in marketing activity.
The Poker Room, operating from an address in Tallaght, first came to our attention in March 2008 when a member of the public lodged a complaint about persistent marketing text messages over a period of months. Despite replying to the text messages using the word 'stop,' he continued to receive marketing messages on his mobile phone. He informed the Office that he had no prior knowledge of this entity and that he had not supplied his phone number to it. During our investigation of the complaint we established the identity of the owner of the mobile phone number which was used to send the text messages. We wrote to that individual, informed him of the complaint, explained to him the law which applies to electronic marketing and sought his response. We received a reply soon afterwards indicating that the complainant's phone number had been removed from the marketing database and stating that the sender did not know that an opt-out facility was required in each text message. We then sent a formal warning to the individual that, in the event of any further complaints of this nature, we would consider a prosecution. We supplied a copy of our guidance material on electronic marketing. On receipt of that letter, the individual concerned phoned the Office to say that he was trying to make his marketing databases compliant. He undertook to include an opt-out mechanism in all future marketing text messages.
About six weeks later we were contacted by the same complainant to advise us that further text messages were being sent to his phone from The Poker Room. We also received a complaint from another member of the public indicating that he was receiving unwanted text messages from The Poker Club. He explained that he had attended The Poker Club a few months previously and that he had given his phone number when signing up to participate in its games. He indicated that he had attempted to opt out by replying with the word 'stop' but this did not yield a result. He called in person to the venue where he asked at the reception desk that his phone number should be removed from the marketing list. After writing down his phone number and giving it to the gentleman working at the desk, he was informed that it would be taken off the mailing list immediately. Despite his efforts the text messages continued to arrive. He then lodged his complaint with us. At this point we had two valid complaints and we wrote to the same individual in relation to them. Our correspondence went unanswered. We then conducted a search on the Company Registration Office records from which we established that The Poker Room at The Square, Tallaght was a partnership business owned by two named individuals. One of the two business owners was the individual that previously engaged with us on foot of the first complaint. We wrote to the business at its registered address but we received no response to that correspondence.
We received a third complaint in 2009 from a doctor who was receiving unsolicited marketing text messages from The Poker Room in Tallaght and The Poker Room in Celbridge. She stated that she had not supplied her phone number to any such business. Similarly, the first complainant told us that he was now getting text messages advertising the Celbridge venue and that he had received a text message indicating that poker games at the Tallaght venue were being discontinued. During our investigations we found an internet posting by one of the business owners notifying the public that the Tallaght venue had closed and that all business had moved to Celbridge. We directed our investigations to the Celbridge venue and to the individual whose postings appeared on the internet. In a final effort, we wrote separately to the two business owners by registered post in January 2010. We received no response.
In light of the previous warning that we had issued in April 2008 regarding marketing text messages promoting The Poker Room and taking account of the fact that, despite extensive efforts on our part, The Poker Room and its business owners had failed to cooperate with our statutory investigation, we decided to prosecute the two business owners in their individual capacities. The defendants pleaded not guilty when the case came before the Dublin Metropolitan District Court in July 2010 and a trial date was set. A full hearing took place in November 2010. The Court heard evidence from two of the complainants and from our Office. Both business owners gave evidence in their defence. One of the business owners told the Court that he had ceased to be involved in the business from around the middle of 2008 and he denied that he was responsible for the text messages which were the subject of the charges before the court. The Court accepted this and dismissed the charges against that individual. In relation to the case against the other individual, the Court ruled that the prosecution had proven its case in relation to ten of twelve charges. The Court recorded a conviction on one charge of sending an unsolicited marketing text message in contravention of Regulation 13(1)(b) of S.I. 535 of 2003 (as amended) and it imposed a fine of €1,000. The Court also recorded a conviction on one charge of sending a marketing text message without a valid address to which the recipient might send an opt-out request in contravention of Regulation 13(8) and it imposed a fine of €1,000. The court stated that all remaining eight charges were taken into consideration. The defendant was also ordered to make a contribution of €4,000 to our legal costs.
We were satisfied with the outcome of this case. Despite the failure of the business owners concerned to cooperate with our investigations, we persevered and ultimately brought them to justice in relation to the offences that had been committed. We afforded The Poker Room a chance to bring its marketing activities into compliance in 2008. Unfortunately it chose to take what appeared to be the easy option and to do nothing about its marketing database and procedures. The decision to ignore our warning in 2008 of future prosecutions cost one of its owners dearly in terms of penalties, legal costs and most of all, a criminal record.
In our 2008 Annual Report, we commented on the volume of complaints which had been received against UPC - then known as Chorus NTL. We had conducted a broad-based inspection of UPC on foot of the high level of complaints received. We issued a number of recommendations to the company as part of an audit report. We noted that the company had then taken a number of steps to improve its data protection compliance. However, we pointed out that there was no room for complacency and signalled that we would pay close attention to any further complaints against UPC to ensure that there was no slippage in terms of compliance.
I am disappointed to report once again that UPC remained the subject of regular complaint in 2010, especially with regard to direct marketing. In particular, the company's telephone marketing activities have been brought to our attention several times since the 2008 Annual Report. Following the investigation of a complaint received in October 2008 concerning a marketing telephone call, we warned UPC that any further such infringements would give rise to a prosecution. Despite the warning, further complaints were received. Following the investigation of two of them, we commenced prosecution proceedings against UPC in the Dublin Metropolitan District Court.
In 2009 we received a complaint from a UPC customer regarding a marketing telephone call that he had received on 1 July 2009 from UPC in relation to broadband services. The complainant supplied us with a copy of an email that he had sent to UPC in April 2009 requesting that the company use his phone number for contact relating to his account only and not for sales calls. He also supplied a copy of a reply he received in May 2009 from UPC notifying him that the company had complied with his request and that his account had been flagged for exclusion from marketing calls. If a telephone subscriber has notified a marketer that he/she does not consent to the receipt of marketing calls on their line it is an offence under Regulation 13(4)(a) of SI No. 535 of 2003 (as amended) for the marketer to make any further such calls to that subscriber's line. UPC admitted that the marketing call had been made as stated by the complainant. UPC explained that, due to human error by a customer service agent, the customer's details were not properly removed from the marketing database. On receiving an opt-out request, an agent must put an indicator on the system by ticking the relevant options. In this case, the agent selected an incorrect option and only removed the customer's address from postal marketing. The agent failed to remove the customer's account from telephone marketing and consequently it remained on the telephone marketing list. Following our investigation, we were satisfied that an offence had been committed and we decided to prosecute that offence.
In early September 2009 we received a complaint from a UPC customer who stated that he had received a marketing call from UPC on 27 August 2009 in regard to digital television and high speed broadband services. The UPC customer supplied a copy of an email which he had sent to UPC in April 2009 stating that he did not wish to be contacted for marketing purposes in the future. We investigated the complaint. UPC acknowledged that it made the marketing call on the date in question. We established that a staff member at UPC had not passed the customer's email regarding his marketing opt-out to the responsible UPC department. UPC stated that this was a once-off occurrence and that the individual staff member responsible had been reprimanded and retrained. We were satisfied following our investigation that an offence had been committed and I decided to prosecute that offence.
The cases came before the Dublin Metropolitan District Court on the same day in April 2010. The Court accepted UPC's guilty pleas to each offence. The Judge imposed a penalty of €500 for each of the two offences and directed that UPC pay our costs in respect of the prosecutions.
In May 2009 we received a complaint from an individual concerning the alleged failure of his employer, Mulcahy Gorman Mulcahy Accountants (MGM), to comply in full with an access request he submitted in February 2009. In support of his complaint, the data subject provided copies of documents that contained his personal data and that appeared to have been generated on the computer system of MGM. These documents were not provided to him in response to his access request.
We commenced an investigation by writing to MGM informing it that we had received a complaint from one of its employees in relation to an alleged failure to comply with an access request. We received a reply from the solicitors for MGM who informed us that its client had furnished the data subject with his personal file. The letter sought clarification and guidance on the type of documentation sought by the data subject. We informed the solicitors for MGM of the type of information the data subject was requesting and we reminded them of the obligation to comply fully with the access request. Following protracted correspondence with the solicitors for MGM, we did not receive confirmation of full compliance with the access request. Therefore we issued a final warning letter to MGM's solicitors informing them that enforcement proceedings would commence if its client did not respond in full to the data subject's access request. Prior to commencing enforcement proceedings, we received some personal data relating to the data subject from the solicitors for MGM. However, having compared this data to the data previously supplied to us by the complainant, it appeared that all the personal data to which the data subject was entitled had still not been furnished to him. In order to progress the matter and to ensure compliance with the Acts, we provided the solicitors for MGM with a list of the documentation which had been provided to us by the data subject and we requested that it comply with the access request within one week. Despite our best efforts, MGM failed to provide the data subject with all of his personal data within that timeframe.
In view of this unsatisfactory situation and the failure of MGM to meet its statutory obligation to respond in full to the complainant's access request, we concluded that MGM appeared to be paying insufficient attention to the data protection rights of the individual concerned. Accordingly, authorised officers, using the powers conferred on them by Section 24 of the Data Protection Acts, entered and inspected the premises of MGM for the purpose of obtaining information that was necessary for the investigation of this complaint. During the unannounced inspection they found all but three of the documents which had been identified by the data subject as missing from the response to his access request. In the course of the investigation the data subject had provided us with some documents which he had received from MGM as part of his access request. It appeared that parts of these documents had been redacted and the data subject believed that the redacted parts contained his personal data. The authorised officers examined these documents during the inspection at MGM and found that the redacted parts of these documents did contain the personal data of the data subject and should have been provided to him in unedited form as part of his access request. The documents in question were emails sent between senior managers in the company and contained personal data concerning the data subject. We also found a further six documents containing personal data relating to the data subject which had not been released under the access request, the existence of which was unknown to the data subject.
At the end of the inspection, MGM gave the authorised officers a verbal undertaking that copies of all of the documents would be forwarded to the data subject within the following days. Despite this undertaking and despite numerous communications between our Office and MGM, the documentation was not voluntarily supplied to the data subject. We therefore served an Enforcement Notice on MGM requiring it to supply the outstanding personal data to the data subject. The Enforcement Notice was complied with within days of being served.
The events leading to instructions to authorised officers to conduct an inspection of the premises of MGM suggested that the company had a limited understanding of its duties under data protection law. When an individual makes an access request to a data controller there is a statutory obligation on the data controller to provide that individual with all of his/her personal data, subject to limited exceptions. In this case MGM failed to provide the data subject with some of his personal data without providing him with any reason for this decision. Our approach to complaints, as provided for under the Acts, is to try to reach an amicable resolution. However, as demonstrated in this case, if a data controller fails to cooperate fully with an investigation we will not hesitate to use our statutory powers.
We received a complaint in October 2009 from a solicitor, acting on behalf of a data subject, against a commercial premises located in Co. Cork. The complaint concerned the alleged gross misuse of CCTV footage at the premises. The solicitors informed us that the commercial premises had no signage in place to inform the public of the presence of CCTV and of its purpose. The complaint also alleged that on 1 October 2009 the data subject visited the premises and purchased some items. The staff member on duty was known to the data subject who spent some time speaking with him. The member of staff received a letter from the company that runs the premises dated 5 October 2009. The letter concerned a number of work performance issues relating to 1 October, including the fact that the staff member had spent time chatting with the data subject. The letter stated that the manager of the premises had examined footage from the security cameras at the premises. The employee concerned gave a copy of the letter to the data subject. That letter was passed on to my Office with the complaint.
Recognisable images captured by CCTV systems are personal data. Therefore they are subject to the provisions of the Data Protection Acts 1988 & 2003. To satisfy the fair obtaining principle of the Data Protection Acts with regard to the use of CCTV cameras, those people whose images are captured on camera must be informed about the identity of the data controller and the purpose(s) of processing the data. This can be achieved by placing easily-read signs in prominent positions. A data controller needs to be able to justify obtaining and using personal data by means of a CCTV system.
The subject of our investigation of this complaint was the capture and subsequent processing of the data subject's image on CCTV without his knowledge or consent. In its initial response to our investigation, the company informed us that it uses CCTV cameras in its commercial premises for security purposes. It also confirmed that CCTV was operating in this particular store without being properly notified to those visiting the store. It informed us that it was undertaking a review of the signage used in all of its stores throughout the country. It also apologised for any distress or inconvenience caused to the data subject by capturing his image on CCTV without having informed him by means of appropriate notices in the store.
The first breach of the Data Protection Acts occurred when the data subject's image was captured on a CCTV camera located in a commercial premises that did not have appropriate signage in place. The second breach occurred when the company processed the data subject's image for a non-security matter (i.e. to address a work performance issue). We pointed out to the company that, regardless of whether there was signage in the shop to inform members of the public that CCTV cameras were in operation and their purpose, the processing of the data subject's image for a non-security matter was a breach of the Acts.
The Acts provide that, in the first instance, we must try to arrange an amicable resolution to a matter that is the subject of a complaint. The company agreed to seek an amicable resolution of the complaint. To that end it proposed to offer the data subject a letter of apology and a monetary goodwill gesture. The solicitor for the data subject subsequently confirmed his client's acceptance of the amicable resolution proposed. The company's letter of apology included confirmation to the data subject that his personal data had been erased and that the store in question now had a clearly displayed notice that CCTV was in operation.
Substantial guidance is available on our website in relation to the use of CCTV in a business or workplace. We encourage all data controllers, particularly those who may already have such recording systems in place, to familiarise themselves with this guidance.
In November 2009, we received a complaint concerning the operation of CCTV by a local housing association in a small village, Culfadda, in the west of Ireland. The complainant informed us that there were three CCTV cameras in operation in the village, one of which was located in the vicinity of a housing development for the elderly and the other two at private dwellings. The complainant alleged that all three cameras were monitoring public areas of the village.
We contacted the housing association and informed it of its obligations under the Acts in respect of CCTV usage. Recognisable images captured by CCTV cameras constitute personal data and, as such, are subject to the provisions of the Data Protection Acts, 1988 and 2003. Any data controller who uses CCTV needs to be able to justify obtaining and using personal data by means of the CCTV system. We provided the housing association with a copy of our guidance material on the use of CCTV. We asked it to outline how the processing of the images obtained from the CCTV cameras complied with the Acts and to give details of any signage that was in place informing individuals that CCTV was in operation. In response we were informed that the purpose of the cameras was to provide security for both the housing development for the elderly and for the village. The housing association asserted that the cameras only monitored public areas of the village and we were provided with more specific details about the operation of the CCTV system. According to the housing association, while the CCTV cameras had been installed, they were not yet operational. However, once planning permission for the poles had been approved by the local authority it was intended that the cameras would become operational. The housing association also stated that the housing development for the elderly was built by the housing association and was managed by it. We informed the housing association that, provided it was in compliance with the requirements of the Acts in relation to the operation of CCTV at the housing development for the elderly for which it had management responsibility, it could operate the CCTV system in respect of the exterior of those houses for security purposes. However, all other CCTV cameras recording footage from areas of Culfadda which were not part of the housing development for the elderly could not be operated by the housing association. 
The housing association was also informed that, in the event that it obtained planning permission for the erection of the cameras in the village, this would not legitimise use of the CCTV system from a data protection perspective.
To ensure compliance with the Acts, we served an Enforcement Notice on the housing association. This is a legal notice requiring the housing association to cease or not to commence operating a CCTV system in the general areas of the village. It also required the housing association to comply with the provisions of the Data Protection Acts, 1988 and 2003, in respect of the operation of the CCTV cameras in the vicinity of the housing development for the elderly. We subsequently received an assurance from the legal representatives of the housing association that it would comply with the requirements of the Enforcement Notice. They informed us that the housing association proposed to apply in due course to the Department of Justice & Law Reform to operate the CCTV under the Code of Practice for Community Based CCTV Systems scheme provided for in the Garda Act 2005. It would be surprising if such approval was granted to a small village with relatively little history of crime; to do so would raise serious questions as to the proportionality of the measure.
In late 2009, we received a number of separate complaints from employees of Boran Plastic Packaging Ltd located at Millennium Park, Naas. These complaints concerned the alleged use by management of CCTV on the factory floor for the purpose of monitoring staff and the use of a biometric system for recording employees' time and attendance. As both CCTV and biometric systems process personal data, their use is governed by the Data Protection Acts. We decided that the most effective course of investigation was to carry out an unannounced inspection at the premises in question to establish the facts.
In November 2009 two authorised officers carried out an unannounced inspection. While we use such powers sparingly, this is a useful means of establishing compliance with the Data Protection Acts. In general, authorised officers are treated courteously and receive full cooperation in the course of such inspections. Unfortunately that was not the case on this occasion. From the outset of the inspection the factory manager made every effort to frustrate the work of the authorised officers. It was made clear to them that their presence on the site was not welcome. Such was the level of discourtesy displayed towards the authorised officers in the performance of their functions that they considered issuing a caution against the factory manager with a view to formally charging him with obstruction - a criminal offence under Section 24 of the Data Protection Acts. However, the level of cooperation increased as the inspection continued. During the inspection Boran Plastic Packaging Limited denied that one of the purposes of the CCTV was to monitor staff. The company informed us that the main purpose of the CCTV system related to security and health and safety. On inspection of the factory, my authorised officers noted the location of the CCTV cameras. Based on information provided during the inspection, they noted that the individual who had access to monitor the CCTV images was a non-staff member. The individual in question was a member of the owner's family and had off-site access to real-time CCTV views. It was also clear from our inspection that the company had no data protection policies in place in relation to the use of CCTV and biometrics. Following the inspection, the investigation progressed in the normal manner.
In our subsequent communications with the company we found Boran Plastic Packaging Ltd to be cooperative with our investigation. As a result of our extensive engagements with the company in the following weeks, it drew up a comprehensive data protection policy document. This document includes, among other things, its policy on the use of CCTV and biometrics in the workplace. The company's CCTV policy includes confirmation that there will be no live monitoring of images captured on CCTV and that recorded images will be viewed only following the rare occasions when a security breach, employee personal protection or health and safety incident occurs. In relation to our concerns about access to the CCTV system, the company confirmed that access had now been restricted to two members of staff who had on-site access only. At our instruction, its policy on the use of the biometric system includes the provision that, should an employee have a legitimate privacy concern or any other concern in relation to the biometric hand scanner, they can contact a specific member of staff in the HR Department about their concerns. My Office informed the company that, if a legitimate privacy concern about the use of the biometric system is expressed by any employee to the HR Department, that employee has a right to opt out of using the system. We made it clear the onus is on the company to offer such an employee an alternative means of recording time and attendance. We informed Boran Plastic Packaging Ltd that, if it was to refuse such an employee the right to opt-out, he/she would have a right to make a complaint to our Office. Boran Plastic Packaging Ltd also confirmed that staff would be informed of the availability of a copy of its data protection policy documents.
The proliferation of CCTV and biometric systems in workplaces, without due regard to the data protection rights of employees and others, is a matter of great concern. Elsewhere in this Annual Report and in previous Annual Reports we have commented at length on these issues.
This case study also highlights the difficulties which my authorised officers face from time to time in carrying out their statutory functions. In most cases they receive cooperation from data controllers and their staff. We acknowledge that for a data controller or data processor an unannounced inspection can be a trying and anxious experience. However, for our part, we tend not to conduct such inspections unless we have solid reasons based on complaints about breaches of the Data Protection Acts. Whatever the reason for the inspection, data controllers, data processors and their employees would be well-advised to cooperate fully with authorised officers. Authorised officers, in the exercise of their functions, have considerable powers conferred on them by law. Any obstruction or impediment placed in the way of the exercising of those powers is an offence and we will have no hesitation in prosecuting any individual, data controller or data processor who commits such an offence.
Case study 11: Lawful use of CCTV cameras by an employer
We received a complaint in September 2010 from solicitors acting on behalf of a data subject. The complaint stated that CCTV cameras were installed in the data subject's workplace without her knowledge and that the purpose of the cameras was to identify disciplinary issues relating to staff. The complaint also stated that CCTV evidence was obtained and used to dismiss the data subject for gross misconduct.
Recognisable images captured by CCTV systems are personal data. Therefore they are subject to the provisions of the Data Protection Acts. To satisfy the fair obtaining principle of the Data Protection Acts with regard to the use of CCTV cameras, those people whose images are captured on camera must be informed about the identity of the data controller and the purpose(s) of processing the data. This can be achieved by placing easily-read signs in prominent positions. A data controller must be able to justify obtaining and using personal data by means of a CCTV system.
With regard to the installation of covert CCTV cameras, our position is that the use of recording mechanisms to obtain data without an individual's knowledge is generally unlawful. Covert CCTV surveillance is normally only permitted on a case-by-case basis where the information is kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies an actual involvement of An Garda Síochána or an intention to involve An Garda Síochána. Covert surveillance must be focused and of short duration and only specific (and relevant) individuals/locations should be recorded. If no evidence is obtained within a reasonable period, the surveillance should cease.
If the surveillance is intended to prevent crime, overt cameras may be a more appropriate measure, and less invasive of individual privacy.
In this case we requested the data subject's solicitors to provide us with a copy of all correspondence that was exchanged in relation to the matter. On examining this correspondence, we noted that the data subject's employer considered it necessary to install the covert CCTV cameras because some members of staff informed the employer that money had gone missing from their purses. We also noted the involvement of An Garda Síochána in the decision to install the covert cameras. We subsequently informed the data subject's solicitors that we did not consider that a basis arose in the Data Protection Acts to progress an investigation.
This case demonstrates the use of covert CCTV by a data controller in compliance with the Data Protection Acts. For personal data captured on covert CCTV to be fairly obtained and fairly processed under the Data Protection Acts, the installation of covert CCTV must involve An Garda Síochána or a clear intention to involve An Garda Síochána, as was the case in this instance.
During 2010 a customer of a large fitness chain contacted us. She reported that she attended the gym every day where she scanned a keyfob to record her attendance. Without any notice, the scan system was removed and she was told that in future she would be required to record her attendance using a new biometric system. She was asked to provide her fingerprint to facilitate use of the system. She was given no information about the processing of personal data involved in using the biometric system and she was given no opportunity to opt out. As a result of this and related reports from customers of the gym, we commenced a detailed and lengthy engagement with the fitness chain. It was clear that the organisation was not aware of the data protection issues arising from the use of its new biometric system until we made contact. It was also clear that frontline staff lacked the knowledge of data protection necessary to handle queries from concerned customers. We achieved a satisfactory outcome involving the removal of the mandatory requirement to use the biometric system and the provision of detailed information to customers about the processing of their data if they chose to use the system. For those customers who chose not to use the biometric system, a proximity card system was introduced. Consent is a critical consideration for the use of a biometric system. Customers should not normally be asked to use a biometric system unless they have given their consent and their consent must be informed; they must be given detailed information about the processing of their personal data before they decide whether to use the system. People must be told what their biometric data will be used for, who has access to it, what security measures are in place to protect it and how long it will be retained. They must receive assurances that their data will not be disclosed to third parties. Furthermore, those who choose to opt out must not be penalised. 
In this case the organisation attempted to impose a charge on customers who wanted a proximity card. We intervened to prevent this because a person may not be charged for exercising their legal right to opt out under the Data Protection Acts (we have no objection to the imposition of a small fee to cover the cost of supplying replacement cards to customers who lose or damage a proximity card).
In 2010 we continued to receive reports about the introduction of biometric systems in schools and other places of education to record student attendance. For example, it came to our attention that a large secondary school introduced such a system in January 2010. It announced the deployment of the system in a short note in its news bulletin. The notice was headed "Education (Welfare) Act, 2000" and stated that the provisions of that Act required it to promote school attendance. It went on to state that the board of management had invested in a biometric attendance system. No reference was made to data protection issues and there was nothing to suggest that students had any choice about using the system. Our guidance note on the use of biometric systems in educational institutions emphasises the requirements to obtain the signed consent of student users (and the consent of parents or guardians in the case of minors) and to give them a clear and unambiguous right to opt out of the system without penalty. When we contacted the school we were informed that attendance at the school implies acceptance by students and their parents of the school's policies and procedures. We responded that it was obvious that the informed consent of students and parents had not been obtained in line with our guidance and that, as a result, the continued use of the system was unlawful. We required the school to immediately seek the written consent of students and parents and to put an alternative system in place for those who do not consent or who subsequently withdraw consent. The matter was resolved to our satisfaction. I expect any educational establishment which has deployed a biometric system to keep a record of all written consents for as long as the relevant students are using the system. Authorised officers from my Office will examine the audit trail of consents in the event of an inspection.
Case study 13: Tracking Devices in Vehicles
During 2010 we received a number of complaints and general queries in relation to the deployment of tracking devices in vehicles such as cars and vans used for business purposes.
We received two separate complaints against a single company that installed tracking devices in company cars and in private cars used by their owners for business purposes connected with their employment. The complainants alleged that they felt they were being tracked and monitored 24 hours per day, 7 days per week as they had no means of switching off the tracking devices. The owner of the private car also expressed concern that his wife and children were being tracked when they were using the car outside of working hours. The user of the company car explained that he had use of the car for personal purposes outside of working hours and he complained that the tracking device created a huge intrusion into his private life.
In the course of our investigation of these complaints, we engaged at length with the company concerned and we met with them to discuss all of the data protection issues arising. We explained that the use of tracking systems in vehicles can give rise to data protection issues if they are not deployed in a manner that takes account of the legitimate privacy expectations of vehicle drivers, particularly when they are off-duty. Monitoring or tracking, including in-vehicle monitoring, must comply with the transparency requirements of the Data Protection Acts. Staff must be informed of the existence of the tracking equipment and of the purposes for which their personal data is processed. We established during the course of our investigation that, while privacy switches were fitted when the tracking devices were installed, the drivers were not shown how to use them.
The complaints were resolved to the satisfaction of the complainants and the company concerned on the basis of the following guidance from my Office. We expect any organisation deploying vehicle tracking devices to abide by these rules:
- If a company vehicle is permitted to be driven for personal use outside of working hours, a privacy switch must be fitted.
- If a privately owned vehicle is used for work purposes, a privacy switch must be fitted.
- The data controller is responsible for ensuring that drivers are given training on the operation of the privacy switch.
- The data controller must inform drivers of the purpose(s) for which the personal information processed by the tracking device will be used.
- The personal information processed by the tracking device may not be used for a purpose other than the stated purpose(s).
- Data controllers should devise and make available to drivers a policy on the use of tracking devices. This document should also set out the data controller's policy on the use of company vehicles for private use.
- New employees should be made aware of the existence of tracking devices on company vehicles and should be trained on the operation of the privacy switch.
- There is no requirement to fit a privacy switch if a company vehicle is used exclusively for work-related purposes, i.e. where no personal use of the vehicle is permitted.
Vehicle tracking devices are not staff tracking devices. Their key function is to track or monitor the location of the vehicles in which they are installed. Data controllers should not regard them as devices to track or monitor the behaviour or the whereabouts of drivers or other staff.
Case study 14: Hacking attack on SelfCatering.ie website
A bank made a data security breach notification to my Office in 2009 in relation to the credit cards of 1200 customers that had been compromised. SelfCatering.ie, an on-line holiday company, was identified as a common compromise point where all the cards had been used.
We contacted SelfCatering.ie and the Irish Payment Services Organisation (IPSO) to ascertain the full extent of the data security breach. It was determined that the timeframe during which the cards had been compromised was from May 2009 to June 2010. SelfCatering.ie informed us that an investigation had begun which involved a forensic examination of their computer systems. We requested a copy of the forensic examination report immediately on its completion. We also instructed SelfCatering.ie to cease processing personal data via its website until a reputable third party had certified that the website was secure for the processing of all personal data.
We obtained a copy of the forensic examination report for evaluation. It revealed that the website was not properly secured and had been subject to a SQL injection attack. The site did not comply with PCI (Payment Card Industry) security standards as required for handling on-line credit card transactions. The total number of credit cards that had been compromised was 9,500. The report revealed that 50,000 personal contact details held on the website may also have been compromised. It became evident during the course of my investigation that SelfCatering.ie believed that its hosting company was responsible for the security of its website. On that basis, the company had not ensured that the website was properly secured from external attacks through appropriate design and security measures.
We presented SelfCatering.ie with a list of issues to be addressed and a requirement for third party confirmation that these issues had been resolved, with particular emphasis on security measures. At our request, a prominent notice, the terms of which were agreed with our Office, was placed on the home page of the website to inform data subjects of the incident. This notice remained in place for 4 months. Those whose credit card details were affected were contacted directly by the relevant financial institutions.
This case was an example of a data controller using technology that it was unable to properly manage and obtaining personal data that it was unable to appropriately secure. My concern is that such problems are probably more widespread. Organisations intending to collect personal data on-line must take responsibility for ensuring that their websites are appropriately secure before accepting any on-line customers.
Case study 15: Compromise of a GAA database
In 2010 my Office investigated a data breach incident involving personal data of members of the Gaelic Athletic Association (GAA). In the course of the incident a database was compromised that contained the names and addresses of 500,000 members, the dates of birth of 289,000 members, mobile phone numbers for 107,000 members, landline numbers for 64,000 members and email addresses for 30,000 members (all numbers are approximate). In the case of 544 members, the database contained references to medical conditions. The database was hosted by Servasport Ltd., a service provider based in Northern Ireland contracted by the GAA for that purpose. Servasport confirmed that unauthorised access was gained to the database. At time of writing, this access is the subject of an ongoing criminal investigation by the Police Service of Northern Ireland (PSNI).
My Office received full co-operation from the GAA in the course of our investigation. The GAA informed all clubs of the incident and put in place a dedicated information line for any GAA members with concerns or who wished to establish whether their data was involved. The GAA wrote directly to any person whose health data was affected. As the incident has a cross-border element, we continue to liaise closely with our colleagues in the Information Commissioner's Office in Belfast as well as the PSNI.
The database in question was established to ensure a safe means of transmitting membership data. Unfortunately, in this case, it serves to illustrate the vulnerability of large centralised databases to inappropriate access. We sought to reassure those affected that there was no evidence that the data in question would be used for an illegal purpose or could be used to perpetrate identity theft on its own. However, affected GAA members should continue to be cautious in relation to any unsolicited contacts they receive through the post, over the phone or particularly via email that refer to their GAA membership and that seek to elicit further personal information.
Case study 16: Employee obtains data from customer file for his own use
In March 2010 we received a complaint regarding an alleged inappropriate access to customer personal information by an employee of Aviva (an insurance company). The complainant informed us that, in March 2010, he was telephoned by an individual who accused him of scratching his car on the previous evening while parking in University College Dublin. As the complainant knew nothing of this incident, he asked the caller how he had obtained his phone number. He was informed by the caller that he had noticed that the car was insured with Aviva and, as he worked for that company, he had sourced the phone number from the Aviva system. The caller stated that he had left a business card on the car windscreen. When the data subject checked, he found the business card with the name of the individual concerned and his job title.
We commenced our investigation of this complaint by writing to Aviva, drawing their attention to the obligation to keep personal data for specified, explicit and lawful purposes and use it only in ways compatible with these purposes. On this basis, we asked Aviva to outline the circumstances in which the complainant's personal data was processed in the manner outlined in his complaint. In its response Aviva assured us that it has very stringent procedures in place regarding the safeguarding of customers' personal data from unauthorised access and the protection of this data from processing for purposes other than for which it was collected. In relation to the specifics of this complaint, Aviva investigated the matter and raised it with the employee concerned. The employee confirmed that he accessed the policyholder's data for the purpose of contacting him to discuss the incident and to see if he wished to settle the matter directly with him. Aviva acknowledged that the incident should have been pursued in the normal manner through its claims procedure. If the correct procedure had been followed, the complainant's personal information would have been accessed by claims personnel and used to alert him to the allegation. Aviva informed us that the staff member in question had been made aware in no uncertain terms of the seriousness of the incident. In addition, the issues raised by this complaint were used to draw the attention of other staff members to the importance of complying with data protection obligations.
In an effort to amicably resolve this complaint, Aviva issued a letter to the complainant explaining what had occurred and apologising for the distress and inconvenience caused. The company also offered the complainant a voucher for €100 towards his next renewal premium. The complainant accepted this amicable resolution.
This complaint raised a serious data protection issue. Organisations are entrusted with a huge amount of personal data which they have a responsibility to keep safe and secure. The message that customer personal information can only be accessed on a "need to know" basis must be continually reinforced. While safeguards are required to protect customer data from disclosure to third parties outside the organisation, similar protection must be afforded to protect the data from internal misuse. This theme is raised again elsewhere in this report in relation to insurance companies. We must also acknowledge that we received full co-operation from Aviva in this matter and the company takes its data protection responsibilities seriously.
Case study 17: Inappropriate disclosure of medical research data
In March 2010 we were contacted by a lady who had received a telephone call from a university student asking if her husband would be interested in participating in a survey. The survey related to a disease suffered by her husband. As her husband was not at home at the time of the call, the lady suggested to the caller that she phone again at another time. On the following evening the lady answered the phone again to a different student about the same matter. On this occasion she questioned the caller about how he had obtained information about her husband's medical condition. She was informed that the student's lecturer had obtained the data from an affiliated hospital where her husband attended as a patient. She contacted our Office about her concerns in relation to the disclosure of her husband's sensitive medical information.
From the outset of our investigation we received full cooperation from the hospital and from the university. The incident was treated seriously by both entities and it was accepted by all sides that a breach of the Data Protection Acts had occurred.
The hospital has a strong commitment to clinical research with a view to improving care for patients. This can involve collaboration with other institutions including colleagues in its affiliated university. Typically in this type of collaborative research, the research team from the University work closely with a multidisciplinary team in the hospital for the duration of the research proposal. This study had the full support of the clinical staff and every effort was made to facilitate recruitment of patients for the study. The normal procedure for clinical research is to recruit patients through advertising or during their normal clinic attendances. In this case, a decision was made to extract data from the hospital database and contact patients directly by telephone to arrange to meet them with a view to obtaining informed consent. This process change should have been brought to the attention of the relevant Ethics Committees. However, due to a misinterpretation of the approval and the researchers' obligations under the Data Protection Acts, the Ethics Committees were not informed.
The breach of the Data Protection Acts took place when a qualified clinical researcher at the university was given printed copies of patient data from the hospital database relating to the disease under research. After initial attempts to contact patients at scheduled clinics, a decision was taken by the clinical research team to contact the patients directly.
Action Taken Following Breach
On becoming aware of the breach the hospital immediately began an investigation. The patient recruitment process was halted and the data was returned. A review of the hospital's research ethics approval processes, data protection policies and communication procedures took place in the course of the investigation. It has established guidelines and policies for ethical approval of research proposals involving patients. The review prompted an update of the application procedure to include more detailed requirements for researchers in regard to recruitment, data collation and data protection issues. In future, the hospital will ensure that applicants are informed of their obligations and insist on attendance at appropriate good practice in clinical research courses. The hospital will also include a section dedicated to awareness of data protection issues in their regular workshops for researchers.
Following our investigation we are satisfied that a much greater focus will be applied to compliance with the Data Protection Acts in the course of such research projects. As the data controller in this instance, the hospital took full responsibility for the breach from the outset. It wrote to all of the affected patients to acknowledge the breach, to explain what had occurred and to apologise for it. The behaviour of the hospital in responding to this issue was impeccable and reassures me of its commitment to data protection and its determination to learn from this experience.
Case study 18: Unlawful disclosure of previous army career information
In September 2009 we received a complaint from a Civil Defence employee alleging that the Defence Forces had disclosed personal information regarding his previous army career in 1982 to a Civil Defence Officer in Co. Louth. The Civil Defence Officer allegedly circulated the information to other parties in a handwritten memo. The complainant supplied us with a copy of the handwritten memo which included comments relating to his army career. This memo was signed by the Civil Defence Officer.
There were two components to our investigation of this matter as it involved two separate data controllers and allegations of separate breaches of the Data Protection Acts against each of them. The breaches involved the alleged unlawful obtaining and processing by the Civil Defence Officer of information relating to the data subject and the alleged disclosure of the data subject's personal information to the Civil Defence Officer by the Defence Forces.
As Louth County Council is the data controller for personal data processed by Louth Civil Defence, we contacted it in relation to the allegation that one of its Civil Defence Officers unlawfully obtained the data subject's personal data. In our initial communication to Louth County Council, we requested that it clarify the purpose for which the Civil Defence Officer obtained the data subject's personal data from the Defence Forces and provide us with the name of the person in the Defence Forces who disclosed this information.
Louth County Council informed us that a Civil Defence Officer received an anonymous telephone call and, on foot of that call, he deemed it appropriate to make enquiries as to the data subject's previous record in the Defence Forces. We were told that the Civil Defence Officer, remarkably, could not recall the name of the senior officer of the Defence Forces who actually supplied the information. Louth County Council stated that the Civil Defence Officer subsequently received a return telephone call from another member of the Defence Forces (whose name he was equally unable to recall) who supplied him with certain personal information relating to the data subject.
We contacted the Defence Forces on the basis of Louth County Council's response to our investigation. The Defence Forces informed us that it had conducted a search of the data subject's personnel file to check for any memo indicating that information had been disclosed to the Civil Defence Officer. We were informed that no such memo was found on the file. Without the name of the senior officer with whom the Civil Defence Officer communicated, the Defence Forces were not in a position to comment on the alleged disclosure.
To progress the investigation an authorised officer visited Defence Forces Headquarters to inspect the data subject's personnel file. On comparing the information on the data subject's personnel file with the information on the handwritten memo signed by the Civil Defence Officer, the authorised officer was satisfied that the information in the memo was sourced from the army personnel file. On this basis we concluded that the Defence Forces had breached Section 2 of the Acts by disclosing personal information without the data subject's knowledge or consent or other appropriate legal basis.
The Acts provide that our Office must try to reach an amicable resolution to a complaint in the first instance. The Defence Forces confirmed its interest in finding an amicable resolution. The data subject's complaint against the Defence Forces was amicably resolved when the Defence Forces issued a letter of apology to him. The Defence Forces expressed its regret for the release of his personal data in an unauthorised manner to a third party and it apologised unreservedly to him.
In relation to the complaint against Louth County Council, we were satisfied that Section 2 of the Acts was breached by the County Council when the Civil Defence Officer obtained and processed personal information relating to the data subject without his consent or knowledge. This complaint was amicably resolved when Louth County Council provided the data subject with a letter of apology in which it described the circumstances in which his information was obtained from the Defence Forces and acknowledged that the information should not have been sought or obtained. The Council described how the information was subsequently divulged by the Civil Defence Officer to others. The letter assured the data subject that he had not suffered any disadvantage as a result of the Council being in possession of the information. The Council confirmed that the hand-written memo and any copies of it in the possession of Louth County Council would be shredded.
We view this case as a serious breach of the data protection rights of the individual concerned. We are concerned that a personnel file dating from 1982, which was in the control of the state, was retrieved and thoroughly searched for comments made by superiors. This information was then disclosed by phone to an outside party without any regard for the rights of the individual concerned.
Case study 19: Housing association discloses personal data to a debt collection agent
In June 2010, we received two separate complaints alleging that Léim an Bhradáin Housing Association, Leixlip, Co. Kildare inappropriately disclosed personal information. The complainants alleged that an individual, who was not an employee of the housing association, had personal information relating to them when he called in person to their homes. The information included contact details and an outline summary of their rent payments to the housing association. The complainants were concerned that their personal information had been disclosed to an individual who was unknown to them and who appeared to have no affiliation to the housing association.
From time to time organisations need to engage the services of an agent to process personal data on their behalf. Such an agent is termed a 'data processor' under the Data Protection Acts. When a data controller engages the services of a data processor, it must take certain steps to ensure that adequate standards of data protection are maintained by the data processor. A data controller is permitted to engage a data processor only on the basis of a written contract (or equivalent) which includes appropriate security and other data protection safeguards. Informal or ad-hoc arrangements do not meet the requirements of the law with regard to the processing of personal data by third parties.
On receipt of notification from our Office that we had commenced an investigation into this matter, the solicitors for the housing association responded that the association had engaged a third party to call to various tenants to request that they deal with the issue of rent review and bring any arrears of rent up to date. They stated that no information was furnished by their client to this third party. They also questioned the motivation of the complainants on the basis that they owed rent arrears and had done so for some time. They conceded that no written contract existed between the housing association and the third party. We responded seeking clarification of how the third party was in a position to visit certain houses on the estate concerning rent arrears without having been supplied in advance with the details of the people who were in arrears. The solicitor for the data controller responded claiming that we had prejudged the matter and our comments amounted to an assertion made in advance of any determination in relation to the complaints. They requested that the investigator handling the case stand aside from the investigation and they threatened to issue proceedings against the Office if the investigation proceeded.
I cannot tolerate such behaviour as it amounts to an attempt to restrain the performance of my functions. We informed the solicitors that we would continue to perform our statutory functions in investigating the complaints and, in the absence of a response to questions posed as part of our investigation, we would use our legal powers to obtain the information required.
Following a further exchange of correspondence with the solicitors for Léim an Bhradáin Housing Association, the complaints were concluded. The data controller wrote to the complainants acknowledging the breach that occurred when they passed certain information to a third party. The housing association apologised for this and it assured the complainants that there would be no repeat of the incident.
The motivation behind the complaints was a recurring theme in the correspondence from the solicitors for the data controller, on the basis that both complainants were in substantial rent arrears. We only seek to establish if there is a legitimate data protection complaint; we cannot and do not question the motivation of complainants. We respect the right of data controllers to collect debts. However, the processing of personal data in the collection of debts must be carried out in compliance with the Data Protection Acts. The data protection rights of individuals cannot be disregarded simply because they are in debt.
In June 2010 we received two complaints against a property management company. The complaints alleged that the company disclosed the management fees owed by members. The complainants supplied us with a copy of a letter that issued from the company to its members. It enclosed a debtors list of members detailing the house number, the individual's first initial, surname and the amount of arrears in each case.
We wrote to the property management company asking that it outline the legal basis for sending this correspondence. The management company asserted that its Memos and Articles of Association provided for its members to have access to the company accounts and, therefore, to have access to creditor and debtor lists. On examining the text in the Articles of Association under the heading 'Accounts', we informed the company that it did not provide for the disclosure of management fees owed by individual members of the company. The text only provided the directors of the company with the right to decide on the availability of the accounts for inspection by members. We informed the company that the right to inspect the accounts was an entirely different matter to the circulation of details of management fee arrears to the company's members.
The company did not provide evidence that property owners consented to the circulation of personal information relating to the status of their management fees. In the absence of evidence of consent, we informed the company that it had breached the Data Protection Acts. The company provided us with letters of apology for each of the complainants to amicably resolve the complaints. In these letters the company acknowledged that it had breached the Data Protection Acts when it sent letters informing members that the complainants were in arrears with their subscriptions and gave an assurance that it would not happen again.
We expect property management companies to observe the law when processing the personal information of their members. In particular, they should note the following:
- Personal information in relation to individual property owners, as members of the management company, should not be circulated to other members of the management company unless the consent of the individuals concerned has been obtained.
- The entitlement of members of a management company to receive information in relation to the overall financial status of the company by means of annual audited financial reports (which is lawful) is an entirely different matter to the circulation by the company of details of management fees owed by individual members who have not consented to the circulation of their personal data (which is unlawful).
A Board of Directors or other executive body with legal responsibility for the management company has a legitimate basis for taking appropriate action on foot of an examination of a list of members whose management fees are in arrears. However, the broader disclosure of such a list to members who have no such legal responsibility breaches the "need to know" principle of the Data Protection Acts.