Lindqvist
(Approximation of laws)
[2003] EUECJ C-101/01 [2004] 2 WLR 1385, [2003] ECR I-12971, [2004] Info TLR 1, ECLI:EU:C:2003:596, [2004] CEC 117, [2004] QB 1014, EU:C:2003:596, [2004] 1 CMLR 20, [2004] All ER (EC) 561, [2003] EUECJ C-101/01, C-101/01
IMPORTANT LEGAL NOTICE – The source of this judgment is the web site of the Court of Justice of the European Communities. The info
By order of 23 February 2001, received at the Court on 1 March 2001, the Göta hovrätt (Göta Court of Appeal) referred to the Court for a preliminary ruling under Article 234 EC seven questions concerning inter alia the interpretation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
Those questions were raised in criminal proceedings before that court against Mrs Lindqvist, who was charged with breach of the Swedish legislation on the protection of personal data for publishing on her internet site personal data on a number of people working with her on a voluntary basis in a parish of the Swedish Protestant Church.
Legal background
Community legislation
Directive 95/46 is intended, according to the terms of Article 1(1), to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data.
Article 3 of Directive 95/46 provides, regarding the scope of the directive:
1. This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Directive shall not apply to the processing of personal data:
– in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law,
– by a natural person in the course of a purely personal or household activity.
Article 8 of Directive 95/46, entitled ‘The processing of special categories of data’, provides:
1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
2. Paragraph 1 shall not apply where:
(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject’s giving his consent; or
(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorised by national law providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or
(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims.
3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy.
4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority.
5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority.
Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority.
6. Derogations from paragraph 1 provided for in paragraphs 4 and 5 shall be notified to the Commission.
7. Member States shall determine the conditions under which a national identification number or any other identifier of general application may be processed.
Article 9 of Directive 95/46, entitled ‘Processing of personal data and freedom of expression’, provides:
Member States shall provide for exemptions or derogations from the provisions of this Chapter, Chapter IV and Chapter VI for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.
Article 13 of Directive 95/46, entitled ‘Exemptions and restrictions’, provides that Member States may adopt measures restricting the scope of some of the obligations imposed by the directive on the controller of the data, inter alia as regards information given to the persons concerned, where such a restriction is necessary to safeguard, for example, national security, defence, public security, an important economic or financial interest of a Member State or of the European Union, or the investigation and prosecution of criminal offences or of breaches of ethics for regulated professions.
Article 25 of Directive 95/46, which is part of Chapter IV entitled ‘Transfer of personal data to third countries’, reads as follows:
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure provided for in Article 31(2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
6. The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s decision.
At the time of the adoption of Directive 95/46, the Kingdom of Sweden made the following statement on the subject of Article 9, which was entered in the Council minutes (document No 4649/95 of the Council, of 2 February 1995):
The Kingdom of Sweden considers that artistic and literary expression refers to the means of expression rather than to the contents of the communication or its quality.
The European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950 (the ECHR), provides, in Article 8, for a right to respect for private and family life and, in Article 10, contains provisions concerning freedom of expression.
The national legislation
Directive 95/46 was implemented in Swedish law by the Personuppgiftslag (SFS 1998:204) (Swedish law on personal data, the PUL).
The main proceedings and the questions referred
In addition to her job as a maintenance worker, Mrs Lindqvist worked as a catechist in the parish of Alseda (Sweden). She followed a data processing course on which she had inter alia to set up a home page on the internet. At the end of 1998, Mrs Lindqvist set up internet pages at home on her personal computer in order to allow parishioners preparing for their confirmation to obtain information they might need. At her request, the administrator of the Swedish Church’s website set up a link between those pages and that site.
The pages in question contained information about Mrs Lindqvist and 18 colleagues in the parish, sometimes including their full names and in other cases only their first names. Mrs Lindqvist also described, in a mildly humorous manner, the jobs held by her colleagues and their hobbies. In many cases family circumstances and telephone numbers and other matters were mentioned. She also stated that one colleague had injured her foot and was on half-time on medical grounds.
Mrs Lindqvist had not informed her colleagues of the existence of those pages or obtained their consent, nor did she notify the Datainspektionen (supervisory authority for the protection of electronically transmitted data) of her activity. She removed the pages in question as soon as she became aware that they were not appreciated by some of her colleagues.
The public prosecutor brought a prosecution against Mrs Lindqvist charging her with breach of the PUL on the grounds that she had:
– processed personal data by automatic means without giving prior written notification to the Datainspektionen (Paragraph 36 of the PUL);
– processed sensitive personal data (injured foot and half-time on medical grounds) without authorisation (Paragraph 13 of the PUL);
– transferred processed personal data to a third country without authorisation (Paragraph 33 of the PUL).
Mrs Lindqvist accepted the facts but disputed that she was guilty of an offence. Mrs Lindqvist was fined by the Eksjö tingsrätt (District Court) (Sweden) and appealed against that sentence to the referring court.
The amount of the fine was SEK 4 000, which was arrived at by multiplying the sum of SEK 100, representing Mrs Lindqvist’s financial position, by a factor of 40, reflecting the severity of the offence. Mrs Lindqvist was also sentenced to pay SEK 300 to a Swedish fund to assist victims of crimes.
As it had doubts as to the interpretation of the Community law applicable in this area, inter alia Directive 95/46, the Göta hovrätt decided to stay proceedings and refer the following questions to the Court for a preliminary ruling:
(1) Is the mention of a person – by name or with name and telephone number – on an internet home page an action which falls within the scope of [Directive 95/46]? Does it constitute the processing of personal data wholly or partly by automatic means to list on a self-made internet home page a number of persons with comments and statements about their jobs and hobbies etc.?
(2) If the answer to the first question is no, can the act of setting up on an internet home page separate pages for about 15 people with links between the pages which make it possible to search by first name be considered to constitute the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system within the meaning of Article 3(1)?
If the answer to either of those questions is yes, the hovrätt also asks the following questions:
(3) Can the act of loading information of the type described about work colleagues onto a private home page which is none the less accessible to anyone who knows its address be regarded as outside the scope of [Directive 95/46] on the ground that it is covered by one of the exceptions in Article 3(2)?
(4) Is information on a home page stating that a named colleague has injured her foot and is on half-time on medical grounds personal data concerning health which, according to Article 8(1), may not be processed?
(5) [Directive 95/46] prohibits the transfer of personal data to third countries in certain cases. If a person in Sweden uses a computer to load personal data onto a home page stored on a server in Sweden – with the result that personal data become accessible to people in third countries – does that constitute a transfer of data to a third country within the meaning of the directive? Would the answer be the same even if, as far as known, no one from the third country had in fact accessed the data or if the server in question was actually physically in a third country?
(6) Can the provisions of [Directive 95/46], in a case such as the above, be regarded as bringing about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the EU and are enshrined in inter alia Article 10 of the European Convention on the Protection of Human Rights and Fundamental Freedoms?
Finally, the hovrätt asks the following question:
(7) Can a Member State, as regards the issues raised in the above questions, provide more extensive protection for personal data or give it a wider scope than the directive, even if none of the circumstances described in Article 13 exists?
The first question
By its first question, the referring court asks whether the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46.
Observations submitted to the Court
Mrs Lindqvist submits that it is unreasonable to take the view that the mere mention by name of a person or of personal data in a document contained on an internet page constitutes automatic processing of data. On the other hand, reference to such data in a keyword in the meta tags of an internet page, which makes it possible to create an index and find that page using a search engine, might constitute such processing.
The Swedish Government submits that the term ‘the processing of personal data wholly or partly by automatic means’ in Article 3(1) of Directive 95/46 covers all processing in computer format, in other words, in binary format. Consequently, as soon as personal data are processed by computer, whether using a word processing programme or in order to put them on an internet page, they have been the subject of processing within the meaning of Directive 95/46.
The Netherlands Government submits that personal data are loaded onto an internet page using a computer and a server, which are essential elements of automation, so that it must be considered that such data are subject to automatic processing.
The Commission submits that Directive 95/46 applies to all processing of personal data referred to in Article 3 thereof, regardless of the technical means used. Accordingly, making personal data available on the internet constitutes processing wholly or partly by automatic means, provided that there are no technical limitations which restrict the processing to a purely manual operation. Thus, by its very nature, an internet page falls within the scope of Directive 95/46.
Reply of the Court
The term ‘personal data’ used in Article 3(1) of Directive 95/46 covers, according to the definition in Article 2(a) thereof, ‘any information relating to an identified or identifiable natural person’. The term undoubtedly covers the name of a person in conjunction with his telephone coordinates or information about his working conditions or hobbies.
According to the definition in Article 2(b) of Directive 95/46, the term ‘processing’ of such data used in Article 3(1) covers ‘any operation or set of operations which is performed upon personal data, whether or not by automatic means’. That provision gives several examples of such operations, including disclosure by transmission, dissemination or otherwise making data available. It follows that the operation of loading personal data on an internet page must be considered to be such processing.
It remains to be determined whether such processing is wholly or partly by automatic means. In that connection, placing information on an internet page entails, under current technical and computer procedures, the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet. Such operations are performed, at least in part, automatically.
The answer to the first question must therefore be that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46.
The second question
As the first question has been answered in the affirmative, there is no need to reply to the second question, which arises only in the event that the first question is answered in the negative.
The third question
By its third question, the national court essentially seeks to know whether processing of personal data such as that described in the first question is covered by one of the exceptions in Article 3(2) of Directive 95/46.
Observations submitted to the Court
Mrs Lindqvist submits that private individuals who make use of their freedom of expression to create internet pages in the course of a non-profit-making or leisure activity are not carrying out an economic activity and are thus not subject to Community law. If the Court were to hold otherwise, the question of the validity of Directive 95/46 would arise, as, in adopting it, the Community legislature would have exceeded the powers conferred on it by Article 100a of the EC Treaty (now, after amendment, Article 95 EC). The approximation of laws, which concerns the establishment and functioning of the common market, cannot serve as a legal basis for Community measures regulating the right of private individuals to freedom of expression on the internet.
The Swedish Government submits that, when Directive 95/46 was implemented in national law, the Swedish legislature took the view that processing of personal data by a natural person which consisted in publishing those data to an indeterminate number of people, for example through the internet, could not be described as a purely personal or household activity within the meaning of the second indent of Article 3(2) of Directive 95/46. However, that Government does not rule out that the exception provided for in the first indent of that paragraph might cover cases in which a natural person publishes personal data on an internet page solely in the exercise of his freedom of expression and without any connection with a professional or commercial activity.
According to the Netherlands Government, automatic processing of data such as that at issue in the main proceedings does not fall within any of the exceptions in Article 3(2) of Directive 95/46. As regards the exception in the second indent of that paragraph in particular, it observes that the creator of an internet page brings the data placed on it to the knowledge of a generally indeterminate group of people.
The Commission submits that an internet page such as that at issue in the main proceedings cannot be considered to fall outside the scope of Directive 95/46 by virtue of Article 3(2) thereof, but constitutes, given the purpose of the internet page at issue in the main proceedings, an artistic and literary creation within the meaning of Article 9 of that Directive.
It takes the view that the first indent of Article 3(2) of Directive 95/46 lends itself to two different interpretations. The first consists in limiting the scope of that provision to the areas cited as examples, in other words, to activities which essentially fall within what are generally called the second and third pillars. The other interpretation consists in excluding from the scope of Directive 95/46 the exercise of any activity which is not covered by Community law.
The Commission argues that Community law is not limited to economic activities connected with the four fundamental freedoms. Referring to the legal basis of Directive 95/46, to its objective, to Article 6 EU, to the Charter of fundamental rights of the European Union proclaimed in Nice on 18 December 2000 (OJ 2000 C 364, p. 1), and to the Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data, it concludes that that directive is intended to regulate the free movement of personal data in the exercise not only of an economic activity, but also of social activity in the course of the integration and functioning of the common market.
It adds that to exclude generally from the scope of Directive 95/46 internet pages which contain no element of commerce or of provision of services might entail serious problems of demarcation. A large number of internet pages containing personal data intended to disparage certain persons with a particular end in view might then be excluded from the scope of that directive.
Reply of the Court
Article 3(2) of Directive 95/46 provides for two exceptions to its scope.
The first exception concerns the processing of personal data in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union, and in any case processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law.
As the activities of Mrs Lindqvist which are at issue in the main proceedings are essentially not economic but charitable and religious, it is necessary to consider whether they constitute the processing of personal data in the course of an activity which falls outside the scope of Community law within the meaning of the first indent of Article 3(2) of Directive 95/46.
The Court has held, on the subject of Directive 95/46, which is based on Article 100a of the Treaty, that recourse to that legal basis does not presuppose the existence of an actual link with free movement between Member States in every situation referred to by the measure founded on that basis (see Joined Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-0000, paragraph 41, and the case-law cited therein).
A contrary interpretation could make the limits of the field of application of the directive particularly unsure and uncertain, which would be contrary to its essential objective of approximating the laws, regulations and administrative provisions of the Member States in order to eliminate obstacles to the functioning of the internal market deriving precisely from disparities between national legislations (Österreichischer Rundfunk and Others, cited above, paragraph 42).
Against that background, it would not be appropriate to interpret the expression ‘activity which falls outside the scope of Community law’ as having a scope which would require it to be determined in each individual case whether the specific activity at issue directly affected freedom of movement between Member States.
The activities mentioned by way of example in the first indent of Article 3(2) of Directive 95/46 (in other words, the activities provided for by Titles V and VI of the Treaty on European Union and processing operations concerning public security, defence, State security and activities in areas of criminal law) are, in any event, activities of the State or of State authorities and unrelated to the fields of activity of individuals.
It must therefore be considered that the activities mentioned by way of example in the first indent of Article 3(2) of Directive 95/46 are intended to define the scope of the exception provided for there, with the result that that exception applies only to the activities which are expressly listed there or which can be classified in the same category (ejusdem generis).
Charitable or religious activities such as those carried out by Mrs Lindqvist cannot be considered equivalent to the activities listed in the first indent of Article 3(2) of Directive 95/46 and are thus not covered by that exception.
As regards the exception provided for in the second indent of Article 3(2) of Directive 95/46, the 12th recital in the preamble to that directive, which concerns that exception, cites, as examples of the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.
That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.
The answer to the third question must therefore be that processing of personal data such as that described in the reply to the first question is not covered by any of the exceptions in Article 3(2) of Directive 95/46.
The fourth question
By its fourth question, the referring court seeks to know whether reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.
In the light of the purpose of the directive, the expression ‘data concerning health’ used in Article 8(1) thereof must be given a wide interpretation so as to include information concerning all aspects, both physical and mental, of the health of an individual.
The answer to the fourth question must therefore be that reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.
The fifth question
By its fifth question the referring court seeks essentially to know whether there is any ‘transfer [of data] to a third country’ within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person (the hosting provider) who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country. The referring court also asks whether the reply to that question would be the same if no one from the third country had in fact accessed the data or if the server where the page was stored was physically in a third country.
Observations submitted to the Court
The Commission and the Swedish Government consider that the loading, using a computer, of personal data onto an internet page, so that they become accessible to nationals of third countries, constitutes a transfer of data to third countries within the meaning of Directive 95/46. The answer would be the same if no one from the third country had in fact accessed the data or if the server where it was stored was physically in a third country.
The Netherlands Government points out that the term ‘transfer’ is not defined by Directive 95/46. It takes the view, first, that that term must be understood to refer to the act of intentionally transferring personal data from the territory of a Member State to a third country and, second, that no distinction can be made between the different ways in which data are made accessible to third parties. It concludes that loading personal data onto an internet page using a computer cannot be considered to be a transfer of personal data to a third country within the meaning of Article 25 of Directive 95/46.
The United Kingdom Government submits that Article 25 of Directive 95/46 concerns the transfer of data to third countries and not their accessibility from third countries. The term ‘transfer’ connotes the transmission of personal data from one place and person to another place and person. It is only in the event of such a transfer that Article 25 of Directive 95/46 requires Member States to ensure an adequate level of protection of personal data in a third country.
Reply of the Court
Directive 95/46 does not define the expression ‘transfer to a third country’ in Article 25 or any other provision, including Article 2.
In order to determine whether loading personal data onto an internet page constitutes a transfer of those data to a third country within the meaning of Article 25 of Directive 95/46 merely because it makes them accessible to people in a third country, it is necessary to take account both of the technical nature of the operations thus carried out and of the purpose and structure of Chapter IV of that directive where Article 25 appears.
Information on the internet can be consulted by an indefinite number of people living in many places at almost any time. The ubiquitous nature of that information is a result inter alia of the fact that the technical means used in connection with the internet are relatively simple and becoming less and less expensive.
Under the procedures for use of the internet available to individuals like Mrs Lindqvist during the 1990s, the author of a page intended for publication on the internet transmits the data making up that page to his hosting provider. That provider manages the computer infrastructure needed to store those data and connect the server hosting the site to the internet. That allows the subsequent transmission of those data to anyone who connects to the internet and seeks access to it. The computers which constitute that infrastructure may be located, and indeed often are located, in one or more countries other than that where the hosting provider is established, without its clients being aware or being in a position to be aware of it.
It appears from the court file that, in order to obtain the information appearing on the internet pages on which Mrs Lindqvist had included information about her colleagues, an internet user would not only have to connect to the internet but also personally carry out the necessary actions to consult those pages. In other words, Mrs Lindqvist’s internet pages did not contain the technical means to send that information automatically to people who did not intentionally seek access to those pages.
It follows that, in circumstances such as those in the case in the main proceedings, personal data which appear on the computer of a person in a third country, coming from a person who has loaded them onto an internet site, were not directly transferred between those two people but through the computer infrastructure of the hosting provider where the page is stored.
It is in that light that it must be examined whether the Community legislature intended, for the purposes of the application of Chapter IV of Directive 95/46, to include within the expression transfer [of data] to a third country within the meaning of Article 25 of that directive activities such as those carried out by Mrs Lindqvist. It must be stressed that the fifth question asked by the referring court concerns only those activities and not those carried out by the hosting providers.
Chapter IV of Directive 95/46, in which Article 25 appears, sets up a special regime, with specific rules, intended to allow the Member States to monitor transfers of personal data to third countries. That Chapter sets up a complementary regime to the general regime set up by Chapter II of that directive concerning the lawfulness of processing of personal data.
The objective of Chapter IV is defined in the 56th to 60th recitals in the preamble to Directive 95/46, which state inter alia that, although the protection of individuals guaranteed in the Community by that Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection, the adequacy of such protection must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations. Where a third country does not ensure an adequate level of protection the transfer of personal data to that country must be prohibited.
For its part, Article 25 of Directive 95/46 imposes a series of obligations on Member States and on the Commission for the purposes of monitoring transfers of personal data to third countries in the light of the level of protection afforded to such data in each of those countries.
In particular, Article 25(4) of Directive 95/46 provides that, where the Commission finds that a third country does not ensure an adequate level of protection, Member States are to take the measures necessary to prevent any transfer of personal data to the third country in question.
Chapter IV of Directive 95/46 contains no provision concerning use of the internet. In particular, it does not lay down criteria for deciding whether operations carried out by hosting providers should be deemed to occur in the place of establishment of the service or at its business address or in the place where the computer or computers constituting the service’s infrastructure are located.
Given, first, the state of development of the internet at the time Directive 95/46 was drawn up and, second, the absence, in Chapter IV, of criteria applicable to use of the internet, one cannot presume that the Community legislature intended the expression transfer [of data] to a third country to cover the loading, by an individual in Mrs Lindqvist’s position, of data onto an internet page, even if those data are thereby made accessible to persons in third countries with the technical means to access them.
If Article 25 of Directive 95/46 were interpreted to mean that there is transfer [of data] to a third country every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet. The special regime provided for by Chapter IV of the directive would thus necessarily become a regime of general application, as regards operations on the internet. Thus, if the Commission found, pursuant to Article 25(4) of Directive 95/46, that even one third country did not ensure adequate protection, the Member States would be obliged to prevent any personal data being placed on the internet.
Accordingly, it must be concluded that Article 25 of Directive 95/46 is to be interpreted as meaning that operations such as those carried out by Mrs Lindqvist do not as such constitute a transfer [of data] to a third country. It is thus unnecessary to investigate whether an individual from a third country has accessed the internet page concerned or whether the server of that hosting service is physically in a third country.
The reply to the fifth question must therefore be that there is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored with his hosting provider which is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.
The sixth question
By its sixth question the referring court seeks to know whether the provisions of Directive 95/46, in a case such as that in the main proceedings, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined in inter alia Article 10 of the ECHR.
Observations submitted to the Court
Citing inter alia Case C-274/99 P Connolly v Commission [2001] ECR I-1611, Mrs Lindqvist submits that Directive 95/46 and the PUL, in so far as they lay down requirements of prior consent and prior notification of a supervisory authority and a principle of prohibiting processing of personal data of a sensitive nature, are contrary to the general principle of freedom of expression enshrined in Community law. More particularly, she argues that the definition of processing of personal data wholly or partly by automatic means does not fulfil the criteria of predictability and accuracy.
She argues further that merely mentioning a natural person by name, revealing their telephone details and working conditions and giving information about their state of health and hobbies, information which is in the public domain, well-known or trivial, does not constitute a significant breach of the right to respect for private life. Mrs Lindqvist considers that, in any event, the constraints imposed by Directive 95/46 are disproportionate to the objective of protecting the reputation and private life of others.
The Swedish Government considers that Directive 95/46 allows the interests at stake to be weighed against each other and freedom of expression and protection of private life to be thereby safeguarded. It adds that only the national court can assess, in the light of the facts of each individual case, whether the restriction on the exercise of the right to freedom of expression entailed by the application of the rules on the protection of the rights of others is proportionate.
The Netherlands Government points out that both freedom of expression and the right to respect for private life are among the general principles of law for which the Court ensures respect and that the ECHR does not establish any hierarchy between the various fundamental rights. It therefore considers that the national court must endeavour to balance the various fundamental rights at issue by taking account of the circumstances of the individual case.
The United Kingdom Government points out that its proposed reply to the fifth question, set out in paragraph 55 of this judgment, is wholly in accordance with fundamental rights and avoids any disproportionate restriction on freedom of expression. It adds that it is difficult to justify an interpretation which would mean that the publication of personal data in a particular form, that is to say, on an internet page, is subject to far greater restrictions than those applicable to publication in other forms, such as on paper.
The Commission also submits that Directive 95/46 does not entail any restriction contrary to the general principle of freedom of expression or other rights and freedoms applicable in the European Union corresponding inter alia to the right provided for in Article 10 of the ECHR.
Reply of the Court
According to the seventh recital in the preamble to Directive 95/46, the establishment and functioning of the common market are liable to be seriously affected by differences in national rules applicable to the processing of personal data. According to the third recital of that directive the harmonisation of those national rules must seek to ensure not only the free flow of such data between Member States but also the safeguarding of the fundamental rights of individuals. Those objectives may of course be inconsistent with one another.
On the one hand, the economic and social integration resulting from the establishment and functioning of the internal market will necessarily lead to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the Member States, whether businesses or public authorities of the Member States. Those so involved will, to a certain extent, need to have access to personal data to perform their transactions or carry out their tasks within the area without internal frontiers which the internal market constitutes.
On the other hand, those affected by the processing of personal data understandably require those data to be effectively protected.
The mechanisms allowing those different rights and interests to be balanced are contained, first, in Directive 95/46 itself, in that it provides for rules which determine in what circumstances and to what extent the processing of personal data is lawful and what safeguards must be provided for. Second, they result from the adoption, by the Member States, of national provisions implementing that directive and their application by the national authorities.
As regards Directive 95/46 itself, its provisions are necessarily relatively general since it has to be applied to a large number of very different situations. Contrary to Mrs Lindqvist’s contentions, the directive quite properly includes rules with a degree of flexibility and, in many instances, leaves to the Member States the task of deciding the details or choosing between options.
It is true that, in many respects, the Member States have a margin for manoeuvre in implementing Directive 95/46. However, there is nothing to suggest that the regime it provides for lacks predictability or that its provisions are, as such, contrary to the general principles of Community law and, in particular, to the fundamental rights protected by the Community legal order.
Thus, it is, rather, at the stage of the application at national level of the legislation implementing Directive 95/46 in individual cases that a balance must be found between the rights and interests involved.
In that context, fundamental rights have a particular importance, as demonstrated by the case in the main proceedings, in which, in essence, Mrs Lindqvist’s freedom of expression in her work preparing people for Communion and her freedom to carry out activities contributing to religious life have to be weighed against the protection of the private life of the individuals about whom Mrs Lindqvist has placed data on her internet site.
Consequently, it is for the authorities and courts of the Member States not only to interpret their national law in a manner consistent with Directive 95/46 but also to make sure they do not rely on an interpretation of it which would be in conflict with the fundamental rights protected by the Community legal order or with the other general principles of Community law, such as inter alia the principle of proportionality.
Whilst it is true that the protection of private life requires the application of effective sanctions against people processing personal data in ways inconsistent with Directive 95/46, such sanctions must always respect the principle of proportionality. That is so a fortiori since the scope of Directive 95/46 is very wide and the obligations of those who process personal data are many and significant.
It is for the referring court to take account, in accordance with the principle of proportionality, of all the circumstances of the case before it, in particular the duration of the breach of the rules implementing Directive 95/46 and the importance, for the persons concerned, of the protection of the data disclosed.
The answer to the sixth question must therefore be that the provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the ECHR. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.
The seventh question
By its seventh question, the referring court essentially seeks to know whether it is permissible for the Member States to provide for greater protection for personal data or a wider scope than are required under Directive 95/46.
Observations submitted to the Court
The Swedish Government states that Directive 95/46 is not confined to fixing minimum conditions for the protection of personal data. Member States are obliged, in the course of implementing that directive, to attain the level of protection dictated by it and are not empowered to provide for greater or less protection. However, account must be taken of the discretion which the Member States have in implementing the directive to lay down in their domestic law the general conditions for the lawfulness of the processing of personal data.
The Netherlands Government submits that Directive 95/46 does not preclude Member States from providing for greater protection in certain areas. It is clear, for example, from Article 10, Article 11(1), subparagraph (a) of the first paragraph of Article 14, Article 17(3), Article 18(5) and Article 19(1) of that directive that the Member States may make provision for wider protection. Moreover, the Member States are free to apply the principles of Directive 95/46 also to activities which do not fall within its scope.
The Commission submits that Directive 95/46 is based on Article 100a of the Treaty and that, if a Member State wishes to maintain or introduce legislation which derogates from such a harmonising directive, it is obliged to notify the Commission pursuant to Article 95(4) or 95(5) EC. The Commission therefore submits that a Member State cannot make provision for more extensive protection for personal data or a wider scope than are required under the directive.
Reply of the Court
Directive 95/46 is intended, as appears from the eighth recital in the preamble thereto, to ensure that the level of protection of the rights and freedoms of individuals with regard to the processing of personal data is equivalent in all Member States. The tenth recital adds that the approximation of the national laws applicable in this area must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community.
The harmonisation of those national laws is therefore not limited to minimal harmonisation but amounts to harmonisation which is generally complete. It is upon that view that Directive 95/46 is intended to ensure free movement of personal data while guaranteeing a high level of protection for the rights and interests of the individuals to whom such data relate.
It is true that Directive 95/46 allows the Member States a margin for manoeuvre in certain areas and authorises them to maintain or introduce particular rules for specific situations as a large number of its provisions demonstrate. However, such possibilities must be made use of in the manner provided for by Directive 95/46 and in accordance with its objective of maintaining a balance between the free movement of personal data and the protection of private life.
On the other hand, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included within the scope thereof, provided that no other provision of Community law precludes it.
In the light of those considerations, the answer to the seventh question must be that measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.
Costs
The costs incurred by the Swedish, Netherlands and United Kingdom Governments and by the Commission and the EFTA Surveillance Authority, which have submitted observations to the Court, are not recoverable. Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court.
On those grounds,
THE COURT,
in answer to the questions referred to it by the Göta hovrätt by order of 23 February 2001, hereby rules:
1. The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
2. Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.
3. Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.
4. There is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.
5. The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of expression or other freedoms and rights, which are applicable within the European Union and are enshrined inter alia in Article 10 of the European Convention for the Protection of Human Rights and Fundamental Freedoms signed at Rome on 4 November 1950. It is for the national authorities and courts responsible for applying the national legislation implementing Directive 95/46 to ensure a fair balance between the rights and interests in question, including the fundamental rights protected by the Community legal order.
6. Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.
Data Protection Commissioner Case Studies (Pre-GDPR)
Direct Marketing
Prosecution of Dermaface Limited for Marketing Offences
In August 2016 we received a complaint from a former customer of Dermaface Limited after she received an unsolicited marketing email. The complainant had previously been informed in 2014, on foot of a previous complaint about unsolicited marketing emails, that Dermaface Limited had removed her details from its marketing list. Our investigation sought an explanation from Dermaface Limited. It informed us that the marketing email which was the subject of the latest complaint was sent through the clinic's software system which it had purchased. It claimed that the new system contacted patients and former patients who had previously been opted out of receiving marketing communications from it. It admitted that the complainant was one of those patients/former patients who had been sent a marketing email. It sent an apology to the complainant.
Following an investigation in 2011 of a complaint from a different individual who received numerous marketing text messages from Dermaface Limited, the Data Protection Commissioner had issued a warning to the company. The Commissioner decided, therefore, to prosecute the company in respect of the latest offence.
At Dublin Metropolitan District Court on 28 November 2016 Dermaface Limited pleaded guilty to one charge of sending an unsolicited marketing email without consent. In lieu of a conviction and fine, the Court ordered the defendant to contribute €300 to Our Lady's Children's Hospital, Crumlin by 12 December 2016. The Court also indicated that it expected the company to discharge the prosecution costs incurred by the Data Protection Commissioner and it adjourned the matter for two weeks. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Data Protection Commissioner's costs. The Court struck out the charge.
Prosecution of Trailfinders Ireland Limited for Marketing Offences
A complaint was lodged with us in June 2016 by an individual who received unsolicited marketing emails at that time from Trailfinders Ireland Limited despite having been informed previously that her email address had been removed from the company’s marketing database in August 2015. In its response to our investigation, the company acknowledged that the offending emails were sent in error. It explained that it had received a written communication about a customer care issue from the complainant a few days prior to the sending of the marketing emails and that its Customer Care team had updated her case concerning that particular issue. This update triggered an automated process which inserted the complainant’s email address into its marketing database. Trailfinders Ireland Limited apologised for the system error and it said that it should not have happened in any circumstances.
On foot of a previous complaint in 2015 against Trailfinders Ireland Limited from the same complainant concerning unsolicited marketing emails to which she had not consented, the Data Protection Commissioner had issued a warning to the company in January 2016. Following our investigation of the second complaint, the Data Protection Commissioner decided to prosecute the company.
At Dublin Metropolitan District Court on 28 November, 2016 Trailfinders Ireland Limited pleaded guilty to two charges of sending unsolicited marketing emails without consent. In lieu of a conviction and fine, the Court ordered the defendant to contribute €500 to the Simon Community by 12 December 2016 and it adjourned the matter for two weeks. The company agreed to discharge the prosecution costs incurred by the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charges.
Prosecution of Coopers Marquees Limited for Marketing Offences
In September 2015 we received a complaint from an individual about a marketing email which she received a few weeks earlier from Coopers Marquees Limited. The same individual had previously complained to us in January 2014 after she received a marketing email from that company which, she stated, she had not consented to receiving. During the course of our investigation of the first complaint, the company undertook to remove the individual’s email address from its marketing database. We concluded that complaint by issuing a warning to the company that the Data Protection Commissioner would likely prosecute it if it re-offended.
In response to our investigation of the second complaint, we were informed that a new marketing executive for the company used an old version of the marketing database for a marketing campaign. This resulted in the sending of the offending marketing email to the email address of the individual whose details had been removed for over a year. The company accepted that it did not have consent to contact the individual concerned by email and it claimed that there was human error on the part of the new staff member which caused the email to be sent. The Data Protection Commissioner decided to prosecute the company.
At Virginia District Court on 7 June, 2016 Coopers Marquees Limited pleaded guilty to one charge of sending an unsolicited email without consent. The Court ordered a contribution in the amount of €300 as a charitable donation to Mullagh Scout Troop and it indicated that it would apply the Probation of Offenders Act in lieu of a conviction. The defendant company agreed to make a contribution towards the prosecution costs of the Data Protection Commissioner.
Prosecution of The Irish Times Limited for Marketing Offences
On 28 April 2015 we received a complaint from an individual who received an unsolicited marketing email earlier that day from The Irish Times Limited in the form of a “Get Swimming” newsletter. He explained that he signed up for the “Get Swimming” newsletter some months previously and he told us that he opted out after the receipt of the third or fourth issue by using the unsubscribe instruction at the bottom of the newsletter. However, he claimed that The Irish Times Limited continued to send him the “Get Swimming” newsletter each week thereafter and he continued to unsubscribe using the unsubscribe instruction. He informed us that he also emailed Customer Care in The Irish Times Limited on 21 April 2015 asking to be removed from the newsletter and warning that if not, he would report the matter to the Data Protection Commissioner. Customer Care responded on the same day stating that they would remove him from the newsletter immediately. However, he received a further newsletter one week later.
In response to our investigation, The Irish Times Limited stated that this was a once-off issue that arose from a human error in configuring the unsubscribe process, which had subsequently been fixed. It confirmed that sixty-four other users were affected. It informed us that a procedure had been put in place to prevent a recurrence.
The Data Protection Commissioner had previously issued a warning to The Irish Times Limited in November 2012 following the investigation of a complaint from a different individual in relation to marketing emails which he continued to receive after he had opted out of the receipt of such emails.
The Data Protection Commissioner decided to prosecute the company. At Dublin Metropolitan District Court on 4 April 2016, The Irish Times Limited pleaded guilty to one charge of sending an unsolicited marketing email without consent. The Court ordered the payment of €3,000 in the form of a charitable donation to Pieta House and it adjourned the matter for seven weeks. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charge.
Prosecution of James Cowley Private Investigator
James Cowley was charged with sixty-one counts of breaches of the Data Protection Acts, 1988 & 2003. All charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person. The personal data was kept by the Department of Social Protection. The personal data was disclosed to entities in the insurance sector – the State Claims Agency, Zurich Plc and Allianz Plc.
On 13 June 2016, at Dublin Metropolitan District Court, James Cowley pleaded guilty to thirteen sample charges. He was convicted on the first four charges and the Court imposed a fine of €1,000 in respect of each of these four charges. The remaining nine charges were taken into consideration in the sentence imposed.
The investigation in this case uncovered access by the defendant to social welfare records held on databases in the Department of Social Protection. To access these records, the defendant used a staff contact who was known to him. Mr. Cowley then used the information he obtained for the purposes of compiling private investigator reports for his clients. These activities continued for a number of years up to September 2015 when our investigation team first made contact with him about its concerns in relation to his processing of personal data.
Disclosure of Personal Data to a Third Party in Response to a Subject Access Request
An ex-employee of Stobart Air made a complaint to us in August 2015 regarding the unlawful disclosure of their redundancy details to another member of staff following an access request made by that person to the company. The complainant also informed us that they had themselves received third-party personal information in response to a subject access request which they had made to the company in May 2015.
On commencement of our investigation, Stobart Air confirmed to us that a breach of the complainant’s data had occurred in November 2014. It stated that it had not notified the complainant when it first learned of the breach because it was unaware of the data protection guidelines, which advise that disclosures be reported to the data subjects involved where the disclosure involves a high risk to the individual’s rights, and that the third party in receipt of the information be asked to destroy or return the data involved.
The complainant in this case declined an offer of amicable resolution and requested a formal decision of the Commissioner. In her decision the Commissioner found that Stobart Air, in including the complainant’s personal data in a letter to ex-employees, had carried out unauthorised processing and disclosure of the complainant’s personal data. This contravened Section 2A(1) of the Data Protection Acts, 1988 and 2003, as the complainant’s personal information had been processed without the complainant’s consent or another legal basis under those Acts.
Stobart Air itself identified that it had inadequate training and safeguards around data protection in place, which it has since sought to rectify.
In a separate complaint received by the DPC in September 2015, we were notified that Stobart Air had disclosed financial data of a third party to the complainant in response to a subject access request. We reminded Stobart Air of its obligations as a data controller, and Stobart Air identified a number of individuals who had been affected by these issues. Stobart Air subsequently notified all affected third parties of the breach of their personal data. However, in trying to comply by notifying the affected individuals, Stobart Air disclosed the complainant’s data: the letter notifying the individuals whose data was originally disclosed divulged that the complainant was the recipient of that data.
Stobart Air had no legal basis to disclose the complainant’s personal data to the third parties involved, nor did it have the consent of the individual affected. The disclosure of the complainant’s identity to the individuals affected by the original breach was unnecessary in the circumstances and in contravention of Section 2A(1) of the Data Protection Acts 1988 and 2003.
Data Breach at Retail and Online Service Provider
In July 2016, we received a breach report from an organisation providing retail and online services.
The organisation was the victim of a “brute force” attack: over a two-week period the attackers tried many username/password combinations, some of which were successfully used to gain access to user accounts. Once an account was accessed, the attackers attempted to withdraw the user’s balance. The withdrawals were made possible by the attacker being able to add new payment methods to the account. It was also possible for the attacker to access the personal data associated with the account.
On assessing the breach, we identified that the organisation had deficiencies in the measures it had taken to secure users’ personal data including:
Insufficient measures on password policy and user authentication;
Insufficient control measures to validate changes to a user’s account; and
Insufficient control measures on the retention of dormant user accounts.
We considered that the organisation contravened Section 2(1)(d) of the Data Protection Acts 1988 and 2003 by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, its users’ personal data.
Recommendations were issued to the organisation that it take steps to mitigate the deficiencies identified or face enforcement action. The organisation subsequently informed us that it had taken the following steps based on our recommendations:
Implementation of authentication requiring more than one factor (a password alone no longer suffices)
Implementation of a comprehensive data retention policy
This case highlights the need for organisations to ensure that they have appropriate technical, organisational and security measures in place to prevent loss of data through “brute force” or password-reuse attacks. In this scenario, appropriate access and authentication controls, such as multifactor authentication, network rate limiting and logon alerts, could have mitigated the risks. Further, poor retention policies provide an “attack vector” for hackers; dormant accounts retained beyond their useful life were the means of entry used in this breach.
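The three deficiencies listed above (no rate limiting on failed logins, no step-up check before a sensitive account change such as adding a payment method, and dormant accounts left live) can each be caught from ordinary authentication logs. The following is an added example written for this page, not code from the organisation or from the Commissioner’s report. The log format, the event names (LOGIN_FAIL, LOGIN_OK, MFA_OK, PAYMENT_METHOD_ADDED), the sample lines and the last-activity table are all constructed for illustration; the report publishes no logs.

```python
"""Detection logic for the brute-force / dormant-account pattern described above,
run over constructed sample authentication log lines (not from the report)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <event> <username> <source ip>".
# 198.51.100.7 sprays five different accounts in a few seconds, then lands on "frank",
# an account with no activity since 2014, and immediately adds a payment method.
SAMPLE_LOG = """\
2016-07-01T10:00:01 LOGIN_FAIL alice 198.51.100.7
2016-07-01T10:00:03 LOGIN_FAIL bob 198.51.100.7
2016-07-01T10:00:05 LOGIN_FAIL carol 198.51.100.7
2016-07-01T10:00:07 LOGIN_FAIL dave 198.51.100.7
2016-07-01T10:00:09 LOGIN_FAIL erin 198.51.100.7
2016-07-01T10:00:11 LOGIN_OK frank 198.51.100.7
2016-07-01T10:00:30 LOGIN_OK frank 203.0.113.9
2016-07-01T10:00:31 PAYMENT_METHOD_ADDED frank 203.0.113.9
2016-07-01T10:00:40 LOGIN_FAIL alice 192.0.2.44
2016-07-01T11:15:00 LOGIN_OK alice 192.0.2.44
"""

# Constructed "last activity" table: the data a dormant-account retention policy needs.
LAST_ACTIVITY = {
    "alice": datetime(2016, 6, 20),
    "frank": datetime(2014, 3, 1),  # idle for over two years
}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        ts, event, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event, "user": user, "ip": ip})
    return events


def failing_sources(events, window=timedelta(minutes=5), threshold=5):
    """Source IPs that produced at least `threshold` LOGIN_FAIL events inside a sliding
    window. Many distinct usernames from one IP is the credential-stuffing signature;
    the same counter is what a rate limiter would block on."""
    recent = defaultdict(deque)  # ip -> recent failure events inside the window
    flagged = {}
    for e in events:
        if e["event"] != "LOGIN_FAIL":
            continue
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold:
            flagged[e["ip"]] = sorted({x["user"] for x in q})
    return flagged


def dormant_account_logins(events, last_activity, dormant_after=timedelta(days=180)):
    """Successful logins to accounts idle for longer than the retention threshold.
    Under a working retention policy such accounts would already be disabled."""
    hits = []
    for e in events:
        if e["event"] != "LOGIN_OK":
            continue
        last = last_activity.get(e["user"])
        if last is not None and e["ts"] - last > dormant_after:
            hits.append((e["user"], e["ip"]))
    return hits


def unverified_payment_changes(events, window=timedelta(minutes=30)):
    """PAYMENT_METHOD_ADDED events not preceded, within `window`, by a step-up (MFA_OK)
    for the same user: the control that would have blocked the withdrawals."""
    last_stepup = {}
    findings = []
    for e in events:
        if e["event"] == "MFA_OK":
            last_stepup[e["user"]] = e["ts"]
        elif e["event"] == "PAYMENT_METHOD_ADDED":
            verified = e["user"] in last_stepup and e["ts"] - last_stepup[e["user"]] <= window
            if not verified:
                findings.append((e["user"], e["ip"]))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", failing_sources(evs))
    print("logins to dormant accounts:", dormant_account_logins(evs, LAST_ACTIVITY))
    print("payment changes without step-up:", unverified_payment_changes(evs))
```

The thresholds (five failures in five minutes, 180 days of inactivity, a 30-minute step-up window) are illustrative; what matters is that each of the three checks corresponds to one of the deficiencies the Commissioner identified, and that all three fire on a log in which a single source cycles through accounts, lands on an old one and changes its payout details.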
Prosecution of Yourtel for Marketing Offences
We received a complaint in December 2014 from an individual who received marketing telephone calls from Yourtel Limited, a telephone service provider which entered the Irish market in 2013, after he had instructed the company during a previous call not to call him again. The complainant informed us that the calls related to an offer to switch telephone service providers.
In February 2015 a separate complaint was received on behalf of another individual who received marketing telephone calls from Yourtel Limited after the company had been instructed during a similar marketing call on Christmas Eve 2014 not to call his number again. The marketing calls to this individual also concerned switching telephone service provider.
During our investigation of these complaints Yourtel Limited acknowledged the making of the marketing telephone calls. It claimed that it blocked the telephone numbers from receiving further marketing calls on the occasion of the last call in each case when it was informed by the individuals concerned that they did not wish to be contacted again for marketing purposes. It did not accept in either case that it continued to call the individuals after they had instructed Yourtel Limited not to call them again.
The Data Protection Commissioner decided to prosecute the offences as Yourtel Limited had come to our attention previously in 2014 on foot of a complaint about the making of a marketing telephone call to a telephone number which stood recorded on the National Directory Database (NDD) Opt Out Register. Following the investigation of that complaint, we warned the company that it would likely face prosecution if it committed further offences under Regulation 13 of SI 336 of 2011 (known as the ePrivacy Regulations) at any future time.
At Dublin Metropolitan District Court on 21 January 2016 Yourtel Limited pleaded guilty to two charges of making unsolicited marketing telephone calls after the two individuals it called had notified the company that they did not consent to the receipt of such calls. The Court convicted the company on both charges and it imposed two fines of €2,500 each. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
Prosecution of Glen Collection Investments Limited and One of its Directors
The investigation in this case established that the defendant company obtained access to records held on computer databases in the Department of Social Protection over a lengthy period of time and that a company director used a family relative employed in the Department of Social Protection to access the records. The defendant company had been hired by a Dublin-based firm of solicitors to trace the current addresses of bank customers that the respective banks were interested in pursuing in relation to outstanding debts. Having obtained current address information or confirmed existing addresses of the bank customers concerned from the records held by the Department of Social Protection, the defendant company submitted trace reports containing this information to the firm of solicitors which acted for the banks. The case came to light on foot of a complaint which we received in February 2015 from a customer of AIB bank who alleged that an address associated with him and which was known only to the Department of Social Protection was disclosed by that department to an agent working on behalf of AIB bank.
The Data Protection Commissioner decided to prosecute both the company and the director in question, Mr Michael Ryan. Glen Collection Investments Limited was charged with seventy-six counts of breaches of the Data Protection Acts, 1988 & 2003. Sixty-one charges related to breaches of Section 19(4) of the Data Protection Acts for processing personal data as a data processor while there was no entry recorded for the company in the public register which is maintained by the Data Protection Commissioner under Section 16(2) of the Data Protection Acts. Fifteen charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person.
Mr. Michael Ryan, a director of Glen Collection Investments Limited, was separately charged with seventy-six counts of breaches of Section 29 of the Data Protection Acts, 1988 & 2003 for his part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of the company directors or other officers.
The cases against Glen Collection Investments Limited and its director were called in Tuam District Court in January, May and July of 2016 before the defendants eventually entered guilty pleas on 10 October 2016. While the defendant company was legally represented in court on all occasions, the Court issued a bench warrant for the arrest of the company director, Mr Ryan, on 10 May 2016 after he had twice failed to appear. The bench warrant was executed at Tuam District Court on 10 October, 2016 prior to the commencement of that day’s proceedings.
At Tuam District Court on 10 October 2016 Glen Collection Investments Limited pleaded guilty to twenty-five sample charges – thirteen in relation to offences under Section 22 and twelve in relation to offences under Section 19(4). The company was convicted on the first five counts with the remainder taken into consideration. The court imposed five fines of €500 each. Mr. Ryan pleaded guilty to ten sample charges under Section 29. He was convicted on all ten charges and the court imposed ten fines of €500 each. In summary, the total amount of fines imposed in relation to this prosecution was €7,500.
Prosecution of Shop Direct Ireland Limited T/A Littlewoods Ireland for Marketing Offences
In January 2015 we received a complaint against Shop Direct Ireland Limited T/A Littlewoods Ireland from an individual who received an unsolicited marketing email after she opted out of marketing from the company. The individual, who was a customer of Littlewoods Ireland, complained further a few weeks later when she received a marketing email promoting offers for Mother’s Day from Littlewoods Ireland. We had previously issued a warning to Littlewoods Ireland in December 2014 following the investigation of a complaint received from the same complainant with regard to unsolicited marketing emails which she had received after she opted out of receiving marketing. That previous complaint led to an investigation which found that the customer had not been given the opportunity to opt out of marketing from Littlewoods when she opened her account. (She had been given the opportunity to opt out from third party marketing only – an option which she availed of). Arising from our investigation of that complaint, Littlewoods Ireland informed us that the customer’s email address was opted out of direct marketing from 7 March, 2014.
During the investigation of the 2015 complaints the solicitors acting for Littlewoods Ireland informed us that, following the conclusion of the previous complaint in December 2014, Littlewoods Ireland carried out a review of the customer’s account. It found that while she was correctly opted out of email marketing, she was not opted out of third party marketing. It then took steps to opt the customer out of third party marketing. When the update to the third party marketing preference was applied to the customer’s account in January 2015 a null value was applied to the email marketing field. The intention in applying this null value was to signify that no change was to be made to this field. However, the application of this value had the unintended consequence of opting the customer back into email marketing. Subsequently, as a result of this incorrect update, two marketing emails were sent to the customer in January 2015 and March 2015.
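The failure Littlewoods Ireland described is a partial-update bug: the caller sent a null to mean “leave this field alone” and the update code stored it as a false flag, silently reverting an opt-out. The following added example, written for this page and not code from Littlewoods Ireland or the Commissioner, contrasts that behaviour with an update that uses an explicit sentinel for “unchanged” and refuses ambiguous nulls, plus a check that no opt-out was reverted before the update is committed. The preference field names and the UNCHANGED sentinel are assumptions for illustration.

```python
"""Partial-update semantics for marketing preferences: the null-means-no-change bug
beside the corrected version. Field names are constructed for this example."""

UNCHANGED = object()  # explicit sentinel: "do not touch this field"


def apply_update_buggy(prefs, update):
    """The failure mode described above: every submitted key is coerced to a bool,
    so a None sent to mean "no change" is stored as False, i.e. opted back in."""
    merged = dict(prefs)
    for field, value in update.items():
        merged[field] = bool(value)
    return merged


def apply_update(prefs, update):
    """Corrected merge: UNCHANGED skips the field, None is rejected as ambiguous,
    and only real booleans are written."""
    merged = dict(prefs)
    for field, value in update.items():
        if value is UNCHANGED:
            continue
        if value is None:
            raise ValueError(f"ambiguous value for {field}: send UNCHANGED or a bool")
        if not isinstance(value, bool):
            raise TypeError(f"{field} must be a bool, got {type(value).__name__}")
        merged[field] = value
    return merged


def reverted_opt_outs(before, after):
    """Fields that went from opted out (True) to opted in (False). An update path
    should run this guard and require explicit consent evidence for any field listed."""
    return sorted(f for f, was_out in before.items() if was_out and not after.get(f, False))


if __name__ == "__main__":
    # Constructed account state: the customer is opted out of email marketing but,
    # as in the case above, not yet opted out of third party marketing.
    prefs = {"email_opt_out": True, "third_party_opt_out": False}
    # The intended change: opt out of third party marketing, leave email as it is.
    buggy = apply_update_buggy(prefs, {"third_party_opt_out": True, "email_opt_out": None})
    fixed = apply_update(prefs, {"third_party_opt_out": True, "email_opt_out": UNCHANGED})
    print("buggy result:", buggy, "reverted:", reverted_opt_outs(prefs, buggy))
    print("fixed result:", fixed, "reverted:", reverted_opt_outs(prefs, fixed))
```

The guard is the important part: an opt-out should only ever flip back on the strength of a recorded consent, so a merge that reverts one without such evidence is a defect whatever the caller sent.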
The Data Protection Commissioner decided to prosecute the company. At Dublin Metropolitan District Court on 4 April 2016 Shop Direct Ireland Limited T/A Littlewoods Ireland pleaded guilty to one charge of sending an unsolicited marketing email without consent. The Court ordered the payment of €5,000 in the form of a charitable donation to Pieta House and it adjourned the matter for seven weeks. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner. At the adjourned hearing the defendant produced proof of payment of the charitable donation and the Court struck out the charge.
Various Prosecutions – Marketing Offences
GENERAL
Four Star Pizza (Ireland) Limited
This Office received a number of complaints from individuals regarding unsolicited text messages sent by Four Star Pizza (Ireland) Limited without the consent of the recipients and in some cases without the inclusion of an opt-out facility. The majority of the complainants informed us that they began to receive the unsolicited marketing text messages after placing orders in different Four Star Pizza stores. We had previously formally warned Four Star Pizza (Ireland) Limited that, if further offences were committed, the Commissioner would take prosecution action.
In response to our investigations of the complaints, Four Star Pizza (Ireland) Limited admitted that it had not obtained valid consent to send marketing text messages to the complainants. It was clear that, despite the warning issued to Four Star Pizza (Ireland) Limited, it had not put adequate procedures in place to ensure compliance with the marketing regulations. The Commissioner decided to proceed to prosecution.
At Dublin District Court on 10 June 2013, Four Star Pizza (Ireland) Limited pleaded guilty to six charges under Regulation 13(1) of SI 336 of 2011 for the sending of unsolicited marketing text messages without consent. The Court applied the Probation of Offenders Act and ordered that Four Star Pizza (Ireland) Limited pay €4,000 to Temple Street Children’s Hospital in lieu of a conviction. The Office’s prosecution costs were also recouped from the defendant.
Levet Limited T/A Fast Fit
This Office received a complaint in relation to the sending of unsolicited text messages by Levet Limited T/A Fast Fit. The Office had previously sent a formal warning to Levet Limited T/A Fast Fit in relation to its marketing operations.
In response to our investigations, Fast Fit admitted it did not have any evidence that it had obtained valid consent to send marketing text messages to the individual concerned. The Commissioner decided to prosecute Levet Limited T/A Fast Fit.
At the Dublin District Court on 22 April 2013, Levet Limited T/A Fast Fit pleaded guilty to one charge of sending an unsolicited marketing text message. The Court ordered the defendant to contribute €2,000 to the Jack and Jill Foundation and it applied the Probation of Offenders Act. The defendant agreed to pay the Office’s prosecution costs.
Wexford Arts Centre
We received a complaint from an individual regarding an unsolicited marketing text message he received from Wexford Arts Centre. This message did not contain an opt-out mechanism for the recipient to opt out of the marketing database. In response to our investigation, Wexford Arts Centre informed us that, due to a combination of human error and technical difficulties, the marketing text message did not contain an opt-out. It told us that it had now removed the phone number from its database. On this basis, Wexford Arts Centre was issued with a formal warning with regard to its future marketing activities.
The same individual subsequently made a new complaint to this Office as he received yet another unsolicited marketing text message from Wexford Arts Centre despite being informed his number had been removed three months earlier. On this occasion, Wexford Arts Centre informed us that it had removed this individual’s phone number but, due to human error, those changes had not saved correctly. The Commissioner decided to prosecute Wexford Arts Centre in relation to two offences:- failure to include an opt-out facility in a marketing text message (in respect of the first complaint) and sending an unsolicited marketing text message without consent (in respect of the second complaint).
At Wexford District Court on 22 July 2013, Wexford Arts Centre Limited entered a guilty plea in relation to both charges. The Court convicted Wexford Arts Centre Limited on one charge, it took the second charge into consideration and it imposed a fine of €500. The Court also ordered the defendant to pay €1,000 to this Office in respect of its prosecution costs.
Patrick Fox Hypnotherapy Limited
This Office received a complaint from an individual regarding an unsolicited marketing text message received from Patrick Fox Hypnotherapy Limited, a hypnotherapy clinic in Co. Meath. The marketing text message did not include an opt-out facility for the recipient to remove their number from the marketing database. The complainant informed us that she attended the clinic over three years previously and that she subsequently requested that her mobile number be deleted from its marketing contact list. We had previously sent a warning to Patrick Fox Hypnotherapy Ltd following a complaint from another individual. In that previous case, the complainant informed us that she received a marketing text message after placing an advertisement (unrelated to hypnotherapy services) containing her phone number in a local newspaper in the West of Ireland. That individual had no previous dealings with Patrick Fox Hypnotherapy Clinic.
In response to our investigation of the current complaint, Patrick Fox Hypnotherapy Clinic informed us that the text message in question was not intended as a marketing text message. However, it was clear to this Office that the message was marketing in nature as it offered discounts and promoted its range of treatments. The Commissioner decided to prosecute the case in light of the company’s failure to heed the formal warning.
At Trim District Court on 26 September 2013, Patrick Fox Hypnotherapy Limited pleaded guilty to sending an unsolicited marketing text message without consent. The Court imposed a conviction and a fine of €1,000 and it ordered the defendant to pay prosecution costs of €2,009.
Lex Software Limited T/A Legal and General Software
This Office received two complaints with regard to unsolicited marketing emails received from Lex Software Limited T/A Legal and General Software. One of the complainants had made a complaint to this Office about the same entity previously, having received unsolicited marketing emails from it in 2011. On that occasion Lex Software Limited T/A Legal and General Software was issued with a formal warning from us with regard to compliance in its future marketing activities.
In relation to the two current complaints, Lex Software Limited T/A Legal and General Software informed us that the complainants received unsolicited marketing emails due to human error. The Commissioner decided to prosecute the offences.
At Dublin District Court on 14 October 2013, a guilty plea was entered by the company on two charges – one for sending an unsolicited marketing email without consent and the second for failing to include in a marketing email a mechanism for opting out. The Court imposed a conviction in relation to both offences and it imposed fines of €200 on each offence. The defendant also covered this Office’s prosecution costs.
Hanford Commercial Limited T/A The Maldron Hotel, Wexford
A complaint was received in this Office from an individual who informed us that he received an unsolicited marketing text message on his company mobile phone from Hanford Commercial Limited T/A The Maldron Hotel, Wexford. This occurred despite this Office being assured, on foot of a previous complaint from the same person three years previously, that the mobile phone number was removed from the company’s database.
In response to our investigation, Hanford Commercial Limited T/A The Maldron Hotel, Wexford informed us that the message was sent because of a technical error: a manual block put on the complainant’s number in 2010 did not carry through to a new account it had set up with its text service provider, Zamano. The Commissioner decided to prosecute Hanford Commercial Limited T/A The Maldron Hotel, Wexford for an offence under Regulation 13(4) of SI 336 of 2011.
On 14 October, 2013 at Dublin District Court, Hanford Commercial Limited T/A The Maldron Hotel, Wexford pleaded guilty to the sending of an unsolicited marketing text message to the complainant’s company mobile phone. The Court convicted Hanford Commercial Limited T/A The Maldron Hotel, Wexford and it imposed a fine of €200. The prosecution costs were recovered by this Office from the defendant company.
Cherryhill Inns Limited T/A The Oliver Plunkett Bar, Cork
A complaint was received from an individual who received an unsolicited marketing email from Cherryhill Inns Limited T/A The Oliver Plunkett. The same individual had cause to complain to this Office regarding unsolicited marketing text messages she received from the same company over a year previously which she could not opt out of. In that previous instance, the company informed us that the complainant had signed up to receiving marketing messages and it produced a ‘sign up’ sheet which had her details entered on it. Having examined the sheet, the complainant informed us that she did not enter her details on it and that the handwriting on it was not hers. During that investigation the company agreed to remove the individual’s contact details and it was issued with a formal warning by this Office with regard to compliance in its future marketing operations.
It was clear from the investigation of the current complaint from the same person that the company did not properly remove her contact details from its database. The Commissioner decided to prosecute the company. At Cork District Court on 22 October, 2013 Cherryhill Inns Limited T/A The Oliver Plunkett pleaded guilty to three charges relating to the sending of an unsolicited marketing text message without consent, the sending of an unsolicited marketing email without consent and the sending of an unsolicited marketing text message without an opt out mechanism. The Court applied the Probation of Offenders Act conditional upon a charitable donation of €750 being made to the Cork Simon Community in respect of each of the three charges. Prosecution costs were recovered from the defendant.
Bord Gáis Éireann
We received a complaint from an individual regarding an unsolicited marketing email he received from Bord Gáis Éireann. This Office had previously issued Bord Gáis Éireann with a warning following the investigation of a complaint concerning unsolicited marketing phone calls made to an individual without his consent.
In response to our investigation, Bord Gáis Éireann informed us that, due to a manual error, an incorrect data file was used to send out the marketing email and, as a result, over nine hundred customers who had previously opted out of marketing communications were affected.
On 22 October 2013 at Cork District Court, Bord Gáis Éireann pleaded guilty to sending an unsolicited marketing email. The Court applied the Probation of Offenders Act conditional upon a charitable donation of €750 being made by the company to The Society of St. Vincent de Paul. Prosecution costs were recovered from the defendant.
Kearys of Cork
A complaint was received in the Office from an individual who received an unsolicited marketing text message from Kearys of Cork which did not include an opt-out option. The complainant said that he attended Kearys of Cork to have a car door fixed but he had not signed up to receive any promotional messages. This Office had previously warned Kearys of Cork with regard to its marketing operations following the investigation of two complaints. In that warning we made it clear that we considered that the company had not obtained valid consent to send marketing communications to these individuals and we instructed it to perform a cleansing exercise on its marketing database to ensure that it was fully compliant with the marketing regulations.
In response to our current investigation, Kearys of Cork informed us that it was under the assumption that, since the complainant was an existing customer, that there was no issue in contacting him. It was apparent that the company had not taken appropriate remedial action following our previous warning with regard to obtaining valid marketing consents from customers and, accordingly, the Commissioner decided to prosecute the latest case.
On 22 October 2013 at Cork District Court, Kearys of Cork pleaded guilty to the sending of an unsolicited marketing text message. The Court applied the Probation of Offenders Act upon condition that the company make a charitable donation of €750 to the Cork Simon Community. Prosecution costs were recovered from the defendant.
TELECOMMUNICATIONS SECTOR
Eircom Ltd
We received complaints from two individuals who received unsolicited marketing phone calls from Eircom. The first complainant informed us that he had not been a customer of Eircom for many years and that he had opted out of marketing communications from the company. He made a complaint to Eircom directly and was informed that his details were removed from the telesales area and that it would not be contacting him again. Despite this assurance, Eircom phoned him for marketing purposes again, prompting him to complain to this Office. Of particular concern to us was the fact that the complainant received a further marketing phone call from Eircom several weeks after the commencement of our investigation. In fact, during the course of our investigation, we had asked Eircom on three separate occasions prior to the making of the latest call to confirm that the complainant’s number was removed from the marketing database.
Separately, a complaint was received from an individual who received a marketing phone call from an agent of Eircom on her landline number which was opted out of marketing on the NDD Opt-Out Register. On the same day, the agent called in person to her home as he was working as part of a “Feet on the Street” team. Eircom initially informed our investigation that it had no record of the call taking place. We subsequently traced the calling mobile phone number and we found that it was registered to the sales agent concerned.
In both cases, we were satisfied that Eircom did not have consent to make marketing phone calls to the individuals concerned and the Commissioner decided to prosecute Eircom for offences under Regulations 13(5)(a) and 13(5)(b) of SI 336 of 2011. Eircom pleaded guilty to two charges at Dublin District Court on 2 December, 2013. The Court imposed two convictions and it fined the company €1,500 on both charges. The company agreed to pay the prosecution costs incurred by this Office.
Meteor Mobile Communications Ltd (T/A Meteor)
This was the second successive year that Meteor was prosecuted by the Data Protection Commissioner for marketing offences. We had successfully prosecuted Meteor on 3 December, 2012 (see Case Study 12 in Annual Report 2012); on the following day Meteor committed a further offence by sending an unsolicited marketing text message to a customer whose mobile phone number had been confirmed as opted out in November 2012. The individual also produced a copy of his original contract showing that he had opted out of receiving SMS marketing communications from Meteor.
The second case also involved a customer being sent unsolicited marketing text messages. In this case, the customer opted out of marketing in October 2012 and he received confirmation of his opt-out from Meteor in November 2012. Despite that, he subsequently received three marketing text messages from Meteor. At the Dublin District Court on 2 December 2013, Meteor pleaded guilty to three charges of breaching Regulation 13(1) of SI 336 of 2011. The Court imposed three convictions and it fined the company €3,000 in respect of each of the three charges. The company agreed to pay the prosecution costs incurred by this Office.
Telefónica Ireland Limited T/A O2
Two complaints were made to this Office in January 2013 from customers of O2 who received marketing text messages from O2 despite being opted out of marketing communications. During the course of our investigation of these complaints, O2 admitted that, due to an incorrect application of its consent for marketing rules, over 78,000 customers were sent marketing text messages in contravention of their marketing preferences.
In a separate complaint, an individual reported that he had received a marketing email in December 2012 from O2 to his email address which had been opted out of marketing communications from the company in April 2011. O2 informed our investigation that the agent who dealt with the opt-out request had processed the request on only one of two accounts held by the customer and that this led to him receiving a subsequent marketing email. At the Dublin District Court on 2 December, 2013 the company entered a guilty plea in respect of three charges for offences under Regulation 13(1) of SI 336 of 2011. In lieu of convictions, the Court ordered the defendant to make charitable donations of €2,000 to the Irish Wheelchair Association, €2,000 to the Children’s Hospital, Crumlin and €2,000 to Pieta House. The company agreed to pay the prosecution costs incurred by this Office.
Vodafone
We received several complaints against Vodafone in 2012 and 2013. One customer reported to us in November 2012 that he had received a marketing phone call on his mobile phone despite it having been opted out of receiving marketing calls. The same customer had previously complained to us in February 2012 about receiving marketing calls from Vodafone and during the course of that investigation Vodafone confirmed to us in April 2012 that the customer’s mobile number was now opted out. During the course of our investigation of this customer’s current complaint, Vodafone admitted that its agent was negligent in applying the opt-out reference table when constructing a marketing campaign and this led to marketing calls being made to over 2,000 customers who had previously opted out of marketing.
A customer complained to us that he received marketing text messages even though his mobile phone was not opted-in to marketing. He explained that he was a Vodafone customer for landline and broadband services only and not for mobile phone services. He informed us that he had an issue with his landline on one occasion and he gave his mobile number to Vodafone in order to have an engineer contact him. Vodafone informed us that it had opted-in the mobile phone number to marketing. It confirmed that it opted the number out of marketing on 22 May, 2012. Despite this, the individual received a further marketing text message in June 2012. Vodafone explained that this occurred because the campaign team used an outdated table.
We received a complaint in October 2012 from a Vodafone customer who received marketing phone calls to his mobile phone during that month despite having received confirmation by email from Vodafone in September 2012 that his account had been unsubscribed from all marketing calls. During our investigation, Vodafone initially denied that the calls were made. We extended our investigation and we established from the service provider used by Vodafone that the calls were made as alleged by the complainant. Despite this, Vodafone continued to deny that any breach of the Regulations had occurred. Our investigation established that five offences had been committed in this case.
In May 2013, we received a complaint from an individual who continued to receive marketing phone calls to his mobile phone even though he had written confirmation issued to him by Vodafone in September 2012 that his details were removed from its marketing database. After a four months delay, Vodafone informed our investigation that the letter issued in September 2012 confirming the opt-out preference was noted on the system by the agent who did not follow up on the opt-out action.
At the Dublin District Court on 2 December, 2013 Vodafone pleaded guilty to eleven charges – nine concerned breaches of Regulation 13(6) of SI 336 of 2011 in respect of unsolicited marketing phone calls to mobile phones and two concerned breaches of Regulation 13(1) in relation to unsolicited marketing text messages. The Court convicted Vodafone on seven charges and imposed fines of €3,000 on each charge. The Court applied the Probation of Offenders Act on four charges conditional on the defendant making donations of €3,000 to each of the following charities: Irish Wheelchair Association, Laura Lynn Foundation, Children’s Hospital Crumlin and Pieta House. The company agreed to pay the prosecution costs incurred by this Office.
Unlawful obtaining and use of email addresses for marketing purposes by The Zone Extreme Activity Centre
I received a complaint regarding a marketing email sent by The Zone Extreme Activity Centre. The means by which the activity centre obtained the email address of the complainant as well as the email addresses of many other people was a matter of concern to my Office and is worthy of detailing in this case study as a lesson to those involved in marketing. The circumstances were as follows:
An entity previously received an email from a now defunct company which mistakenly included a list of recipient email addresses in the “To” field, rather than in the “BCC” field. That entity then forwarded on these email addresses to the activity centre with the message “I just found this email that (Name removed) sent me last Christmas and they stupidly had all the email addresses on their mailing list in the TO bar?. Guess there yours now??”. The activity centre subsequently used the email addresses to send an unsolicited marketing email promoting a Christmas party at the centre. Included at the bottom of the marketing email was an email thread containing the full details of all of the email addresses. In the process of issuing the marketing email complete with the email thread, the activity centre then further disclosed this personal data, which included both personal and business email addresses, to everyone to whom the email was sent.
It was clear in this case that the personal data in the form of email addresses was not obtained fairly by the activity centre from the other entity. This was also abundantly clear to the activity centre given that the method of obtaining the messages was fully disclosed to it by the original email recipient. This personal data was then processed unlawfully by the activity centre in the sending of the marketing emails to the list of email addresses it had no consent to send marketing emails to in the first place. In addition, by supplying the email addresses to the activity centre without the consent of the individuals concerned, the other party also unlawfully processed the personal data.
In response to our investigation, The Zone Extreme Activity Centre stated that it was their intention to contact the businesses on the email list to ask if they would mind receiving a marketing email about the Christmas Party in the centre. It accepted that the email should never have been sent out and that it had no authority to do so. My Office also wrote to the other party who had forwarded the list of email addresses to the activity centre. In its response, that party stated that it understood that the email list it forwarded would be cleaned and verified by the activity centre before any marketing emails were sent out. It stated that its intention when sending on the email list to the activity centre was a friendly one and it did not sell this list or pass it on to anyone else.
We insisted that any holdings of the email list in question by the activity centre and by the other party be destroyed. We issued a formal warning to the activity centre to the effect that if we received any further complaints regarding its marketing operations, prosecution action may be taken against it in the event that offences were found to be committed.
This case highlights a growing concern whereby businesses are sometimes careless in the way they handle bulk emails and expose the email addresses to all recipients. As can be seen from this case, an entity took advantage of an open email list and proceeded to use it for its own marketing purposes, clearly in contravention of the Regulations.
Free Spirit Hair & Beauty Salon Ltd / Crunch Fitness Limited / The Black Dog Communications Limited prosecuted for sending marketing text messages
We continued to use our powers of prosecution to ensure that consumers are not inundated with unsolicited marketing text messages to their mobile phones. A person’s mobile phone is now almost an extension of the person and unwanted messages can be extremely intrusive. Regulation 13 of S.I. No. 535 of 2003 (as amended) provides that marketing text messages may not be sent to any individual unless that individual has consented to the receipt of such messages. Furthermore, it also prohibits the sending of marketing text messages without the inclusion of a cost-free opt-out facility which would enable the recipient to object to receiving further messages. It provides for penalties of up to €5,000 per message sent for each separate offence, or up to €250,000 on indictment or 10% of annual turnover if greater than this amount. A number of the cases that we prosecuted in 2010 are described below.
Free Spirit Hair & Beauty Salon Ltd
In 2009 we received two complaints concerning unsolicited direct marketing text messages promoting special offers from branches of Free Spirit Hair & Beauty Salon Ltd. One of the complainants had been a customer and the second complainant had made a treatment reservation which she later cancelled. Both individuals informed the Office that they had not consented to receiving marketing messages. Some of the marketing messages sent to these complainants did not contain an opt-out facility.
We contacted the branches concerned at the IFSC and at Citywest. Neither branch was able to provide evidence that the complainants had consented to receiving marketing text messages. On that basis we were satisfied that offences had been committed by both branches of Free Spirit Hair & Beauty Salon Ltd and we decided to prosecute those offences. This was not the first occasion on which this company had come to our attention. In 2006, during the course of our investigation of a separate complaint, we drew the company’s attention to the law with regard to electronic marketing.
In January 2010, in the Dublin District Court, FS Citywest Limited and Free Spirit Hair and Beauty Salon Ltd pleaded guilty in respect of one offence each under Regulation 13(1)(b) of S.I. No. 535 of 2003 (as amended) in respect of the sending of a direct marketing text message without consent. They also pleaded guilty to one offence each under Regulation 13(8) of S.I. No. 535 of 2003 (as amended) for not providing a valid opt-out address on those marketing messages. The Judge accepted the guilty pleas and imposed penalties of €250 for each offence. The Judge also ordered the defendants to pay our costs.
Crunch Fitness Limited
In 2008 we received a complaint regarding marketing text messages from Crunch Fitness Ltd. The complainant stated that she had no previous relationship with Crunch Fitness, that she had not given them her mobile phone number and that she had never consented to the receipt of marketing text messages from them. She informed us that she had contacted Crunch Fitness to find out how it had obtained her mobile phone number. She was told that the number had been collected in February 2008 when an individual had taken a tour of one of its gyms and had supplied the mobile number as a contact number. This was confirmed to us by Crunch Fitness. The company also confirmed that the individual who toured the gym was not the complainant. The text message also lacked a valid opt-out mechanism.
Crunch Fitness admitted that it had no opt-out facility in the message and indicated that, in future, an opt-out would be included in all direct marketing text messages. At this point, in May 2008, Crunch Fitness informed us that the complainant’s mobile phone number had been removed from its marketing database. In line with our usual policy on such matters we noted their assurances and issued a warning.
The complainant contacted us again in December 2008 to inform us that she had received a further marketing text message from Crunch Fitness. Again, this message did not include any opt-out mechanism. In response, Crunch Fitness indicated that it had erroneously re-sent a message from March 2008. This resulted in the complainant receiving a further marketing message with no opt-out facility. On this basis we initiated prosecution proceedings.
In January 2010 the case came before Dublin Metropolitan District Court where Crunch Fitness Premier Limited pleaded guilty in respect of one offence under Regulation 13(1)(b) of SI 535 of 2003 for the sending of a direct marketing text message without consent. The Judge accepted the guilty plea and imposed a fine of €500. The Judge also ordered the defendant to pay our costs. We have not had any subsequent valid complaints in relation to the company.
The Black Dog Communications Limited
In May 2009 we received a complaint from the mother of a thirteen year old girl who had received unsolicited marketing text messages from The Black Dog Communications Limited. As a result of clicking on a link in one of those unsolicited text messages, the child inadvertently joined a premium rate subscription service.
The complainant informed my Office that her daughter had previously entered a competition by text message in a teenage magazine. She assumed that this was the source of the premium rate subscription service. However, when she contacted the magazine, she was told that its competitions are stand-alone and did not involve joining a premium rate subscription service. She said that the magazine also assured her that information collected through its competitions is not disclosed to third parties.
When we investigated the complaint we found that The Black Dog Communications Limited had obtained the child’s mobile phone number as a result of her entry to the competition in the magazine. This information gave rise to further questions as to how The Black Dog Communications Limited obtained customer information which was the property of a separate company. We subsequently established that both The Black Dog Communications Limited and the magazine used the technical platform of the same service provider to send and receive text messages for their respective services/competitions. A monthly report provided to The Black Dog Communications Limited by the service provider contained, in error, the mobile phone details of the entrants to the competition run by the magazine. The Black Dog Communications Limited placed those mobile phone numbers on its promotional database without checking to ensure that the numbers concerned had opted in to its database and without checking the basis for the consent.
We initiated prosecution proceedings and the case came before the Dublin Metropolitan District Court in February 2010. The Black Dog Communications Limited entered a guilty plea in relation to one offence under Regulation 13(1)(b) of SI 535 of 2003 (as amended). Having heard the evidence, the Court was satisfied that the case against The Black Dog Communications Limited had been proven. Instead of recording a conviction and imposing a fine, the Judge applied the Probation Act on condition that The Black Dog Communications Limited make a donation of €3,000 to the GOAL charity for the Haiti Appeal and that it make a contribution to our prosecution costs. The Judge emphasised that the Court record would show that the facts relating to the offence were established and that that record would be available to the Court should the defendant come before it on any future occasion. We have not had any subsequent valid complaints in relation to the company.
Prosecution of Fairco Ltd / Pure Telecom for calling numbers listed on the NDD opt-out register
Making marketing calls to the line of a subscriber whose telephone number is recorded on the National Directory Database (NDD) opt-out register is an offence under Regulation 13(4)(b) of Statutory Instrument 535 of 2003 (as amended).
In April 2009 the marketing activities of Fairco Limited, a supplier of windows and doors, came to our attention when we received a complaint regarding a marketing call made by the company. The call was made to an individual who had exercised his right to have his preference not to be telephoned for marketing purposes recorded on the NDD.
By way of explanation, Fairco Limited informed us that while going through its database of past customers its operator dialled the wrong number, and it apologised for its mistake. It provided us with details of the intended number. Unfortunately for Fairco, that number was also on the NDD opt-out list of subscribers not to receive marketing telephone calls. In view of this we were not in a position to accept its explanation. In addition, this was the second time that this company had come to the attention of my Office. We initiated a prosecution in respect of the offence.
In March 2010, at Dublin Metropolitan District Court, Fairco Limited pleaded guilty in respect of one charge relating to the making of an unsolicited marketing telephone call to an individual without consent in April 2009 in contravention of Regulation 13(4)(b) of S.I. 535 of 2003 (as amended). The Court recorded a conviction, imposed a fine of €300 in relation to the offence and directed that our legal costs be paid.
Pure Telecom
During 2009 we received three complaints against a telecommunications company, Pure Telecom Ltd, regarding marketing calls made by the company to individuals who had exercised the right to have their preference not to be telephoned for marketing purposes recorded on the NDD opt-out register.
By way of explanation of two of these incidents, the company informed us that it had to reconfigure its firewall to allow access to new IP addresses following its move to new premises. The company stated that some of the older software had not been updated with the new addresses and therefore was unable to connect correctly to the section of the database that held the most up-to-date NDD information. According to the company, for this reason these older systems were checking an out-of-date NDD list while the newer software was reading from the latest list (the NDD opt-out list is updated on a fortnightly basis and is circulated to marketers who are licensed to use it). This resulted in calls being made to numbers on the opt-out register. In another case, the company stated that it had obtained the phone number through a customer referral and that an off-shore telemarketing company working on its behalf had made the marketing call in that instance. The off-shore company had not checked the phone number against the NDD opt-out register, resulting in a call for marketing purposes. We took the view that these explanations demonstrated procedural and system failures within Pure Telecom Ltd with regard to its telemarketing activities. We were satisfied that offences had been committed and decided to prosecute Pure Telecom Ltd in respect of those offences as, in line with our policy for prosecutions, the company had previously come to our attention.
In May 2010, at Dublin Metropolitan District Court, Pure Telecom Ltd pleaded guilty in respect of three charges relating to the making of unsolicited marketing telephone calls to individuals without consent, in contravention of Regulation 13(4)(b) of S.I. 535 of 2003 (as amended). The Court recorded a conviction, imposed a total fine of €1,250 and directed that Pure Telecom Ltd pay our costs.
Tesco prosecuted for email marketing
In our Annual Report for 2008, we reported on complaints received from individuals regarding marketing emails from Tesco. In all cases, the complainants had registered for on-line shopping with Tesco and soon afterwards they began receiving marketing emails. Using the unsubscribe facility provided by Tesco, the complainants tried to stop further marketing emails being sent to them, but to no avail. Following our intervention, Tesco identified and fixed errors in its unsubscribe system. The complaints were resolved by means of an amicable resolution involving an apology and a goodwill gesture to each complainant.
In 2009 I was disappointed to learn that email marketing by Tesco emerged yet again as a source of complaint to our Office. We received a number of complaints from individuals who had attempted to unsubscribe from receiving further marketing emails. However, Tesco persisted in emailing them with promotional offers. One complainant reported that he had used the unsubscribe facility on the marketing emails several times and, when this did not yield results, he emailed Tesco’s Customer Services requesting an opt-out. While several emails were exchanged between Customer Services and the complainant, Tesco continued to send marketing emails and we received a complaint. Another complainant experienced similar difficulties. He also attempted to unsubscribe using the facility provided on the marketing emails and, when these attempts failed, he sent an email to Customer Services reporting his efforts to unsubscribe. He informed Tesco that he was reporting the matter to our Office. Despite this, Tesco continued to send him marketing emails.
At the initial stage of our investigation we succeeded in having the email addresses of the complainants opted out of further marketing contact. It took some considerable time for Tesco to establish the cause of the failure to follow-up unsubscribe requests. Eventually, Tesco reported that the task of unsubscribing customers had been moved from Cardiff to India and that, following the move, the process had failed in some instances. In addition, Tesco reported that a separate problem arose when it introduced a new website platform. An error in the management of customer preference questions resulted in a failure to record those customers who had unsubscribed from email communication on the database.
On the basis of our investigation we were satisfied that offences under SI 535 of 2003 (as amended) had been committed. As this was the second occasion on which Tesco had come to our attention for breaching the instrument, we decided to prosecute. The matter came before the Dublin Metropolitan District Court in mid-2010. Tesco entered guilty pleas on four charges related to the sending of marketing emails to individuals who had requested not to receive such emails. The Court recorded a conviction on two charges and it took the other two charges into consideration. Penalties of €1,000 were imposed in respect of each of two charges. The Court awarded our legal costs to us. In addition, Tesco undertook to suspend all email marketing in Ireland until the errors in its opt-out systems were corrected. One month later, Tesco reported to us that a solution had been found and implemented.
Unsolicited or spam email is one of the scourges of modern communications. It is something that affects all email users in their homes, at work or in their businesses. Most spam email comes from distant parts of the world, predominantly from outside of Ireland and the EU. Because of its origins, we do not have power to take action against the offenders. However, we investigate all complaints about unsolicited marketing emails sent by Irish based entities and, as this case study shows, we will not hesitate to use our powers to prosecute offenders if such action is warranted.
Email marketing error causes data protection breach
In September of 2008 four complaints were received by my Office regarding the sending of a marketing email by a company, in which the email addresses were visible to each of the recipients. The complainants also advised that they had not consented to receiving the email in question. It was also brought to my attention that the email did not contain an ‘unsubscribe’ option which would have enabled the recipients to record their preferences not to receive any further marketing communications. It was also a matter of concern to me that one of the complainants advised me that he had previously contacted the company to request removal of his email address, and despite that, he subsequently received the email which was the subject of the complaints to my Office.
The company notified me, following its own receipt of a complaint, that it had sent a marketing email which contained 1400 email addresses. These addresses were disclosed in the carbon copy field (cc) in error, as opposed to listing the addresses in the blind carbon copy field (bcc), which would have ensured that the personal email addresses of the individual recipients would not have been visible. Once it had realised the error, the company advised me that it recalled all the emails and shut down its server. However, as the complaints to my Office raised a number of other concerns regarding the electronic marketing practices of this company, I decided that an investigation of the matters raised by the complainants was warranted.
In the investigation of these complaints, my Office sought an explanation from the company as to why it sent the marketing email to the recipients without their consent and without the inclusion of a cost-free opt-out facility. The company responded that one of its databases was used in error. It explained that a new member of staff used an old database of consumer enquiries in error and also failed to protect the email address details of the individual contacts on the database. Furthermore, the company did not have sufficient monitoring of its email marketing to provide an opt-out at the point of collection of contact details or to unsubscribe recipients effectively when requested to do so. Following my examination of the response from the company, I was satisfied that it had committed offences by sending the unsolicited email to the recipients without their consent and also without including an unsubscribe option in the email.
On foot of the four complaints to my Office, and in an effort to correct the deficiencies in its marketing operations, the company retained the services of a specialist digital communication service provider to manage its databases and email activity to ensure that there could be no recurrence of these issues in the future. The company also strengthened its policy around database use and it introduced a new anti-spam policy. As a gesture of goodwill, it offered the complainants free passes to an upcoming social event and a letter of apology for the inconvenience caused to them. Furthermore, it also made a charitable donation of €500 to a well-known charity. The four complainants were satisfied to resolve their complaints on that basis. Given that this company had not come to my attention before, I was satisfied that a prosecution against the company was not warranted at that time based on my normal policy in such matters. I am happy to report that my Office has received no further complaints regarding the company’s marketing practices since the investigation of these complaints.
BuyAsYouFly and a failure to respect opt-outs from direct marketing by email
I received a complaint from a data subject regarding direct marketing emails she had received from BuyAsYouFly.com. The complainant provided my Office with copies of several of the marketing emails that she had received from the company as well as copies of her attempts to unsubscribe. It was clear from an initial examination of this material that she had followed the ‘opt out’ instructions contained in the emails but, in spite of that, she continued to receive the unwanted emails. I was particularly concerned about the number and frequency of emails that she continued to receive after her efforts to unsubscribe. On examination of the complaint, it appeared that the company was committing offences by failing to record the opt-out preference of the complainant and by continuing to send the complainant direct marketing emails, contrary to the provisions of S.I. 535 of 2003.
My Office commenced an investigation of this matter. We requested that BuyAsYouFly immediately delete the complainant’s email address from its marketing database. We also sought an explanation as to why her unsubscribe requests were not respected by the company.
BuyAsYouFly responded by advising that it had suffered a serious systems error which resulted in loss of data. As a result the company unintentionally continued to use an older version of its database. The company removed the complainant’s email address from its database and it agreed to suspend outbound emails until its unsubscribe lists were fully reconciled with the database. It conveyed an apology to the complainant and, as a gesture of goodwill, it offered the complainant a gift to the value of €100 from its online shop. This was accepted by the complainant as an amicable resolution of her complaint.
I was satisfied with the corrective measures taken by BuyAsYouFly to resolve this complaint and to prevent any recurrence. This case highlights the obligations imposed on marketers to ensure that they respect the preferences of the general public who do not wish to receive marketing communications. This is even more important when the person makes efforts to refuse the receipt of further communications.
A web design company is requested to delete a marketing database
I received a complaint from a data subject about the receipt of an unsolicited marketing email from Matrix Internet, a company advertising website design services. Disappointingly, this was the second time that this company had come to the attention of my Office concerning marketing emails sent to the same complainant. During a previous investigation, the company had given an undertaking that the complainant’s email address would be removed from its marketing database.
As a result of this complaint and given our previous encounter, my Office had serious concerns about the marketing activities of this company. We sought an immediate explanation as to how the complainant’s details had remained on its marketing database. In response, the company apologised and it explained that an internal error had resulted in the email address of the complainant being listed twice on the marketing database. The company had removed only one of those entries and, as a result, the complainant had continued to receive marketing emails.
I was encouraged by the company’s swift response and co-operation with my Office’s investigation. However, in light of what had happened to the complainant’s personal data, it was clear that it was necessary to request the company to delete its entire marketing database. I considered that this was the only certain method of protecting other individuals on the company’s marketing database from exposure to the receipt of unsolicited marketing emails. The company agreed to the request to delete its marketing database. In addition, the company undertook to cease marketing activity until such time as it had put in place a more appropriate system for carrying out marketing operations and managing ‘opt out’ requests. After a period of three months, the company reported that it was in a position to recommence marketing activities as it had, in the intervening period, introduced a new system to ensure that its marketing systems were compliant with the requirements of data protection legislation. The complainant was satisfied with this outcome. Since then my Office has received no further complaints against this company.
This complaint resulted in the deletion, at my request, of a data controller’s marketing database. In terms of remedial action to protect the public from unsolicited marketing, a request for the deletion of a marketing database is not insignificant and it can result in a large loss of marketing targets for the data controller concerned.
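Two of the failures described in these case studies come down to how an opt-out list is applied: a suppression table copied into a campaign when it was built and therefore stale by send time (the Vodafone and BuyAsYouFly cases), and a contact recorded twice of which only one copy was removed on opt-out (the Matrix Internet case). The following is an added example, not code from this report or from any company named in it; the normalisation convention for Irish mobile numbers and the sample database rows are constructed for illustration.

```python
"""Send-time suppression enforcement for a marketing contact list.

Added example. Models two failure modes from the case studies:
  * a snapshot of the opt-out table taken at campaign-build time that
    misses opt-outs received before the send, and
  * a contact stored twice, so deleting "the" entry leaves a live copy.
"""
import re
from dataclasses import dataclass, field


def normalise_email(addr: str) -> str:
    # Case-insensitive and whitespace-trimmed, so two spellings of the
    # same address suppress (and dedupe) together.
    return addr.strip().lower()


def normalise_msisdn(number: str) -> str:
    # Constructed convention for Irish numbers: strip punctuation and
    # write in international form so "087 123 4567", "00353871234567"
    # and "+353 87 123 4567" all compare equal.
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    if digits.startswith("0"):
        digits = "+353" + digits[1:]
    return digits


def normalise(contact: str) -> str:
    return normalise_email(contact) if "@" in contact else normalise_msisdn(contact)


@dataclass
class SuppressionList:
    """Authoritative opt-out store, consulted at send time rather than copied."""
    _entries: set = field(default_factory=set)

    def opt_out(self, contact: str) -> None:
        self._entries.add(normalise(contact))

    def is_suppressed(self, contact: str) -> bool:
        return normalise(contact) in self._entries

    def snapshot(self) -> "SuppressionList":
        # A point-in-time copy: exactly what a campaign team should NOT
        # rely on, but shown so the stale-table failure can be reproduced.
        return SuppressionList(set(self._entries))


def remove_contact(database: list, contact: str) -> int:
    """Remove every row matching the contact, not just the first one found.

    Returns the number of rows removed so the caller can notice duplicates.
    """
    key = normalise(contact)
    before = len(database)
    database[:] = [row for row in database if normalise(row) != key]
    return before - len(database)


def build_send_list(database: list, suppression: SuppressionList) -> list:
    """Dedupe on the normalised key and drop anything currently opted out."""
    seen, out = set(), []
    for row in database:
        key = normalise(row)
        if key in seen or suppression.is_suppressed(row):
            continue
        seen.add(key)
        out.append(row)
    return out


# Constructed sample rows: one address stored twice, one number stored twice.
SAMPLE_DATABASE = [
    "Jo.Bloggs@Example.com",
    " jo.bloggs@example.com",
    "087 123 4567",
    "+353 87 123 4567",
    "pat@example.net",
]


def stale_snapshot_demo() -> dict:
    """Compare a send gated by a build-time snapshot with one gated by the live list."""
    live = SuppressionList()
    live.opt_out("087 123 4567")
    campaign_table = live.snapshot()   # copied when the campaign was built
    live.opt_out("pat@example.net")    # opt-out arrives after build, before send
    return {
        "from_snapshot": build_send_list(SAMPLE_DATABASE, campaign_table),
        "from_live": build_send_list(SAMPLE_DATABASE, live),
    }


if __name__ == "__main__":
    print(stale_snapshot_demo())
    db = list(SAMPLE_DATABASE)
    print("rows removed:", remove_contact(db, "JO.BLOGGS@example.com"), "remaining:", db)
```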
Ryanair – Remedial action taken for customers to unsubscribe from marketing
I received a complaint in September 2007 from a data subject who was finding it difficult to unsubscribe from the receipt of marketing material from Ryanair. She had booked a flight with the airline previously and had opted-in to the receipt of marketing material but she had now changed her mind and wanted to opt-out from Ryanair’s marketing database. The data subject sent me copies of some of the marketing material which she had received by email from the company as well as copies of her attempts to unsubscribe by email to Ryanair.
On examining the matter closely, my Office found that Ryanair had provided an opt-out facility at the end of its marketing email messages, as marketers are required to do under Regulation 13(7) of SI 535 of 2003. It invited recipients who wished to unsubscribe to send a blank email to an email address which began with the word ‘leave’ and which consisted of a string of over seventy characters comprising a varied mix of letters and digits. The data subject, in this case, had failed to unsubscribe as she had not realised that the word ‘leave’ formed part of the email address. In my view, this was a mistake which could easily be made as the text used in the unsubscribe section of Ryanair’s email was not entirely clear and it provided no advice to customers.
Regulation 13(7) of SI 535 also requires marketers to provide customers with an opportunity to object to the receipt of further marketing in an easy manner. My Office asked Ryanair to explain how the provision of such a complex email address could be regarded as an easy manner of unsubscribing from its marketing database. The company, in reply, indicated that normally people ‘copy and paste’ the email address into a replying email. It also informed my Office that when a customer successfully submits an unsubscribe request, Ryanair sends back an email to the customer asking them to confirm by return email that they wished to unsubscribe. In effect, the company required customers to send two emails in order to unsubscribe. My Office noted that customers were not given any advice to the effect that they should copy and paste the email address in order to successfully submit the original unsubscribe email to the company nor were they advised that they would be required to submit a follow-up confirmation email. In the circumstances, we considered that customers had not been given an opportunity to opt-out in an easy manner and we asked Ryanair to take immediate steps to introduce a more user-friendly and easy unsubscribe facility for all recipients of its email marketing communications.
I am happy to report that Ryanair cooperated fully with my Office’s investigation of this complaint and it promptly took on board our concerns regarding the opt-out facility. We subsequently received confirmation from the company that it had simplified the unsubscribe process by providing a link in the marketing email which the customer could simply click on to unsubscribe without the need to enter the long email address. It also removed the requirement for a customer to submit a follow-up email to confirm their wish to unsubscribe. These changes significantly eased the process of unsubscribing from Ryanair’s marketing database and I welcome them.
The legitimate marketing of customers through the use of email is a common practice, if somewhat devalued by the sheer volume of such material which individuals receive. It is critical that marketers who use this tool comply fully with the requirements of SI 535 of 2003. This case shows the need for marketers to provide an opt-out facility on each marketing message which is simple and easy to use. It is my firm position that customers should not be required to send more than one email to a marketer in order to unsubscribe from that marketer’s database. Any additional requirements placed on customers are unacceptable and contravene Regulation 13(7) of SI 535.
On-line shoppers receive unsolicited marketing from Tesco
I received complaints from individuals regarding direct marketing emails which they had received from Tesco. In all cases, the complainants had registered for online shopping with Tesco. Soon afterwards they began receiving direct marketing emails. Before complaining to my Office the individuals had tried to unsubscribe from Tesco’s marketing list by using the ‘unsubscribe’ facility provided in the marketing email. Despite their attempts to unsubscribe they continued to receive further marketing emails.
The legal requirements concerning the use of electronic mail for direct marketing purposes are set out in SI 535 of 2003. Marketers may send email for direct marketing purposes to an individual subscriber where:
a) they have obtained that subscriber’s contact details in the course of a sale of a product or service to him/her;
b) the direct marketing material they are sending is in respect of their similar products and services; and
c) during every communication, the subscriber is given a simple, cost-free means of refusing the use of his/her contact details for marketing purposes.
The ‘unsubscribe’ facility provided by Tesco to its customers failed in this instance and the individuals concerned continued to receive unwanted marketing material in contravention of the legal requirement.
My Office investigated the matter with Tesco and we sought immediately to have the email addresses of the complainants removed from the company’s marketing database. We also asked for an explanation for the failure of the ‘unsubscribe’ facility. Tesco initially responded by advising that the email addresses of the complainants had been removed from the marketing lists at our request. Despite this assurance, the complainants continued to receive further direct marketing emails from the company. My Office informed Tesco of our disappointment with this turn of events and we stated that these latest breaches demonstrated a serious deficiency in the capacity of the company’s marketing system to respect opt-out preferences. We asked Tesco to seriously consider steps to amicably resolve the complaints.
Tesco further investigated the matter and found an issue with one of the methods that customers use to unsubscribe from its marketing emails. It immediately set about fixing the issue and while this was being done it directed customers to visit the website directly to unsubscribe. With regard to the previous assurance given that the individual complainants had been unsubscribed at the request of my Office, Tesco found that an error had been made in the manual process involved in unsubscribing them from the database. It corrected this error immediately. In light of the inconvenience caused, Tesco apologised to the individuals concerned and offered each of them gift vouchers as a goodwill gesture. This was accepted as an amicable resolution of their complaints. I was satisfied with the steps taken by Tesco to resolve this matter to the satisfaction of all concerned.
Marketers have a responsibility to ensure that their systems are continuously capable of unsubscribing those customers who wish to record such a preference in response to the receipt of a marketing email or text message. In that regard, I recommend that regular testing be carried out to ensure that the opt-out facility is functioning without fault. Ideally, such testing should be incorporated as a standard procedure in advance of scheduled marketing campaigns.
I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller. The data subject was involved in an insurance action with a third party in relation to an eye injury. The third party’s insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in Limerick. The consultant was also a consultant ophthalmic surgeon at the Mid-Western Regional Hospital in Limerick. The data subject had previously attended another consultant ophthalmic surgeon at the Mid-Western Regional Hospital as a public patient in relation to his eye injury.
The complaint was twofold. The first aspect related to the alleged release of the data subject’s hospital chart by the Mid-Western Regional Hospital to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice. It was alleged that this took place without the data subject’s consent. The second aspect of the complaint related to the alleged unfair obtaining of the data subject’s hospital chart by the consultant ophthalmic surgeon.
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted ‘sensitive personal data’ as defined in the Acts. The central issue to be considered in this case, from a data protection point of view, was whether the HSE West, Mid-Western Regional Hospital complied in full with its obligations under the Acts.
Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data. I was satisfied that no data protection issues arose in relation to sections 2(1)(a),(b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the Mid-Western Regional Hospital’s collection, processing, keeping and use of the data subject’s sensitive personal data. However, the disclosure of the data subject’s medical chart to the consultant ophthalmic surgeon had to be considered in the context of section 2(1)(c)(ii) of the Act. This section provides that personal data should not be further processed in a manner incompatible with the purpose for which it was collected. It was clear from my Office’s investigation that the consultant ophthalmic surgeon’s secretary at his private rooms contacted his secretary at the Mid-Western Regional Hospital to locate the data subject’s medical records relating to his eye condition. Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon’s private surgery.
In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon’s work within the HSE West, Mid-Western Regional Hospital as an employee of that hospital and his work carried out privately on behalf of an insurance company. The hospital’s disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the HSE West, Mid-Western Regional Hospital) to another (the consultant surgeon’s private surgery). It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject’s medical record from the hospital in his capacity as a separate data controller. In this instance he was not acting in his capacity as an employee of the HSE.
The medical record at the Mid-Western Regional Hospital in respect of the data subject was compiled in the course of his treatment for an eye condition. This was a specific, explicit and legitimate purpose. Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data. The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject’s eye condition on behalf of an insurance company to facilitate their processing of an insurance claim. The processing of an insurance claim related to the data subject’s eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the Mid-Western Regional Hospital.
There was also an obligation to meet the conditions set out in Section 2A of the Acts. These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:
· the performance of a contract to which the data subject is a party;
· in order to take steps at the request of the data subject prior to entering into a contract;
· compliance with a legal obligation, other than that imposed by contract;
· to prevent injury or other damage to the health of the data subject;
· to prevent serious loss or damage to property of the data subject;
· to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the performance of any other function of a public nature performed in the public interest; or
· for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In this case, the data subject did not give his consent to the Mid-Western Regional Hospital for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon. In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above. In this instance, the hospital did not meet any of those conditions.
To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
– the data subject must give explicit consent to the processing or
– the processing must be necessary for one of the following reasons:
· for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
· to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
· it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
· the information being processed has been made public as a result of steps deliberately taken by the data subject;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
· for medical purposes;
· for the purposes of political parties or candidates for election in the context of an election;
· for the assessment or payment of a tax liability; or
· in relation to the administration of a Social Welfare scheme.
As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the Mid-Western Regional Hospital to the consultant surgeon. There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed. In this instance, the Mid-Western Regional Hospital did not meet any of those conditions.
I formed the opinion that the HSE West, Mid-Western Regional Hospital contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject’s sensitive personal data in a manner which was incompatible with the purpose for which it was obtained. This processing occurred when the consultant surgeon’s secretary at the Mid-Western Regional Hospital disclosed the data subject’s hospital medical file to his private practice secretary. In response to this incident the HSE West put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held. I welcome this.
I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the Mid-Western Regional Hospital.
In light of my previous decision which found a number of contraventions of the Acts by the HSE West, it followed that the consultant surgeon unfairly obtained the data subject’s hospital file. However, it was also clear that this was done unintentionally and in good faith.
I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split). This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems. However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company). Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts. These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data.
Disclosure of email addresses by a financial institution
In April 2008, I received a complaint from a data subject whose email address had been disclosed by a financial institution. The disclosure took place when the financial institution issued an email to 114 individuals with the email addresses of each of them visible to all recipients.
The background to this incident was that the data subject received several phishing emails. Having consulted the relevant financial institution’s website, he reported the matter using an email address provided by the financial institution for that purpose. Generally, phishing emails concerning banking services give the impression that they have been issued by a bank. They often request the recipient to log-on to their online banking service to confirm their security details by clicking the link in the email. If a person clicks on that link they are routed to a ‘spoof’ site which looks like the bank’s online service. The intention of the fraudster is that the recipient will be fooled into disclosing their confidential details to the ‘spoof’ site.
The matter of the disclosure of the data subject’s email address was raised by my Office with the financial institution. It explained that when an email is received by the team which handles reported instances of phishing a standard response is sent advising the user of additional precautions to take and providing related information. However, on a particular weekend in April 2008, an unprecedented number of emails were sent to the phishing alert email address. To respond to each email a business decision was made to send a single response to all customers using the “bcc” (blind copy) option in e-mail, which would have hidden all email addresses from the recipients. This bulk email failed because it was too large. To make the email more manageable for the mailbox, the user list was broken down into different outgoing emails. Due to a manual error, one of the emails was sent to 114 people using the “cc” option rather than the “bcc” option. This resulted in all 114 email addresses being visible to all recipients of the email.
The financial institution subsequently issued an email to the affected users to advise them of the incident and to apologise for the error. I am satisfied that the financial institution took prompt action to inform the affected parties that their email addresses had been disclosed. However, it is unfortunate that this disclosure occurred in the context of an email alert system that was established to prevent phishing.
All data controllers should take note of this incident and take steps to ensure that email addresses are not disclosed inadvertently. In particular, where an email is sent to a number of individuals it should be transmitted using the blind copy (‘bcc’) option in all situations which warrant it. It is the duty of data controllers to raise awareness amongst their employees about this issue and to foster a greater degree of care and responsibility in relation to the protection of personal data in the form of email addresses. However, I have some sympathy for data controllers where genuine mistakes occur in this area.
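The incident above had two mechanical steps: a recipient list split across several outgoing emails to get under a size limit, and one of those emails assembled with the list in “cc” rather than “bcc”. The following is an added example, not code from the report or from the financial institution involved, showing how a bulk notification can be built so that the batch always goes in Bcc and a pre-send check rejects any message whose visible To/Cc headers name a customer. The sender address, batch size and customer addresses are constructed for the example.

```python
"""Bulk alert mailer that keeps customer addresses out of the visible headers.

Added example (not the report's or the institution's own code). It assumes a
per-message recipient limit of 50 (constructed) and builds each batch with the
recipients in Bcc only, then runs a guard over every message before sending.
"""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import Iterator, List

MAX_RECIPIENTS_PER_MESSAGE = 50  # assumed gateway/mailbox limit, constructed for the example


def chunk(addresses: List[str], size: int = MAX_RECIPIENTS_PER_MESSAGE) -> Iterator[List[str]]:
    """Split a recipient list into batches so each outgoing email stays small."""
    for i in range(0, len(addresses), size):
        yield addresses[i:i + size]


def build_alert_message(sender: str, recipients: List[str], subject: str, body: str) -> EmailMessage:
    """Build one outgoing email with the recipient batch in Bcc only.

    'To' is set to the sender's own address so the visible headers never name a
    customer; the transport reads Bcc for delivery and removes it from the copy
    each recipient receives.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg["Bcc"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Every address a recipient of this message would see (To and Cc headers)."""
    values = [str(v) for name in ("To", "Cc") for v in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(values) if addr]


def hidden_recipients(msg: EmailMessage) -> List[str]:
    """Addresses in the Bcc header, i.e. the ones that are actually delivered to."""
    values = [str(v) for v in msg.get_all("Bcc", [])]
    return [addr for _, addr in getaddresses(values) if addr]


def check_no_disclosure(msg: EmailMessage, sender: str) -> List[str]:
    """Pre-send guard: return the customer addresses exposed in To/Cc.

    An empty list means the message is safe to send. The only address permitted
    in the visible headers is the sender's own.
    """
    return [a for a in visible_recipients(msg) if a.lower() != sender.lower()]


def prepare_campaign(sender: str, recipients: List[str], subject: str, body: str) -> List[EmailMessage]:
    """Chunk the list, build each message, and refuse the whole run on any exposure."""
    messages = []
    for batch in chunk(recipients):
        msg = build_alert_message(sender, batch, subject, body)
        exposed = check_no_disclosure(msg, sender)
        if exposed:
            raise ValueError(f"{len(exposed)} customer address(es) would be visible; refusing to send")
        messages.append(msg)
    return messages


if __name__ == "__main__":
    SENDER = "phishing-alerts@bank.example"  # constructed sender address
    CUSTOMERS = [f"customer{i:03d}@example.net" for i in range(114)]  # constructed list
    batches = prepare_campaign(SENDER, CUSTOMERS, "Phishing warning",
                               "Do not follow links in emails asking for your security details.")
    print(len(batches), "messages,", sum(len(hidden_recipients(m)) for m in batches), "recipients")
```

The guard is deliberately independent of the builder: it inspects the finished message object rather than trusting how it was constructed, so a manually assembled or edited message that puts the batch in Cc is caught at the same point.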
A marketing campaign sets up personalised website addresses and breaches the Acts
During the summer of 2008 I received three complaints from data subjects concerning a marketing postcard campaign launched by 123.ie to promote its home insurance product. The complainants had no previous business dealings with 123.ie and they expressed surprise at receiving personally addressed marketing mail from this source. An unusual aspect of this marketing campaign involved the creation of personalised URLs (website addresses). Each postcard included details of a personalised URL set up in the name of the recipient. When the recipients logged-on to their personalised website address they were invited to input their email address details and phone numbers.
The establishment of URLs using people’s names without obtaining their consent was a concern from a data protection perspective. In addition, there was no evidence that 123.ie had made any attempt to comply with the ‘fair processing’ requirements set out in section 2D of the Data Protection Acts. For that reason, my Office informed 123.ie that the establishment of personalised website addresses (or URLs) in this manner was a breach of the Acts. Printing the URL on a postcard and distributing it in the postal system was a disclosure of personal information and a further breach of the Acts. Furthermore, the collection of email addresses and phone numbers when the recipient logged on to the URL failed to meet the requirements of fair processing because no information was provided to those individuals about the purposes of collecting the information.
On receiving the complaints my Office immediately contacted 123.ie requesting that it disable the relevant personalised URLs. 123.ie cooperated with my Office on this matter and reverted without delay confirming that the URLs relating to each complainant had been disabled.
At the request of my Office 123.ie confirmed that:
· it would not undertake such a campaign again;
· that it had not used and would not use any of the information obtained from potential customers as a result of this campaign; and
· that it had disabled all URLs which incorporated individual names relating to this campaign.
Prior to my Office’s receipt of the individual complaints referred to above, 123.ie informed my Office that it had discovered that minors had been targeted in its postcard campaign in error. 123.ie informed us that it worked with a creative agency (New Oceans) and a data agency (Data Ireland) in the execution of its postcard campaign. Data Ireland is a subsidiary of An Post. It subsequently emerged that the names and addresses of the minors targeted during this postcard campaign were originally drawn from the An Post Movers file. My Office is actively communicating with An Post on this matter to ensure that further breaches of the Acts do not occur in relation to the use of databases held by An Post and in particular where those databases contain the details of minors. My Office views the inappropriate use of the personal data of children as a particularly serious breach of the Data Protection Acts.
Interactive Voice Technologies and unsolicited text messages
During the latter half of 2006 a mobile phone service provider informed me of the receipt of a number of unsolicited premium rate text messages by two of its customers relating to adult content subscription services. The messages were sent by Interactive Voice Technologies (IVT) and one of the recipients was a minor. Both recipients denied that they were existing or previous customers of IVT and they stated that they did not consent to receiving any of the messages.
When my Office investigated this matter, it was found that both mobile phone numbers had been recycled (this is the industry term to describe the re-use of a mobile number when it has been out of use for a period of time, usually one year). The numbers were allocated to the new users when they opened their mobile phone accounts. It was the new users who received the unsolicited text messages. We were told by IVT that both mobile numbers had entered its database when the original owners (before recycling) had subscribed to its service. Due to a technical error its systems did not detect that the numbers were recycled, resulting in both new users receiving content when the numbers were reactivated.
My Office communicated my concerns to IVT that its systems did not appear to be sufficiently robust to prevent adult content material being sent inadvertently to a recycled number. Furthermore, since neither individual could have legitimately consented to receiving the text messages, I considered that the messages were unsolicited for the purposes of direct marketing and in direct contravention of Regulation 13 of Statutory Instrument 535 of 2003. IVT argued that it was not its intention to send messages to the new users because, as far as its systems were concerned, it was still providing a service to the original customers.
My Office advised IVT, as the data controller, that it would have to take immediate corrective action to satisfy me that it was taking its data protection responsibilities seriously. I encouraged IVT to consider settling this matter by way of an amicable resolution. This was an appropriate solution for a company that has proved compliant with data protection requirements in all other respects. The company, having considered the matter, agreed to refund the charges incurred by both individuals in respect of the premium rate text messages and to offer their written apologies to both individuals. As a gesture of goodwill, IVT agreed to purchase two kidney dialysis machines for donation to Temple Street Children’s Hospital at a cost of over €27,000.
Given the issues surrounding the sending of adult content messages to recycled mobile phone numbers (including to the phone number of a minor) we referred these to the Communications Regulator (ComReg) for examination. I was subsequently advised by ComReg that it had been decided to extend the quarantine period for recycled numbers from six months to twelve months. ComReg also decided to request mobile network operators to advise service providers using their networks when a mobile phone number was placed in quarantine.
This case demonstrates the high risk associated with sending of marketing messages or premium rate services to mobile phone numbers which have been recycled. It is unacceptable that extra steps were not taken to ensure that adult content was not being sent to the mobile phone of a minor. Those engaged in the sending and promotion of adult content to mobile phones should take note of this case and ensure they take appropriate measures to comply, not only with their data protection obligations, but also with their obligations under other legislation. On an overall basis, I welcome the constructive approach to this issue and the amicable resolution. This is a good indicator of how seriously IVT took this issue.
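The failure in this case was a subscription system that could not tell a recycled number from the original subscriber. The following is an added example, not code from the report or from IVT, showing the suppression check a service provider could run before each send once operators supply quarantine notices of the kind ComReg asked for: any number whose quarantine date falls on or after its opt-in date has changed hands since consent was given and is dropped. The subscriber records, quarantine notices and dates are constructed for the example.

```python
"""Suppress sends to recycled mobile numbers using operator quarantine notices.

Added example (not the report's or any named company's own code). It assumes a
subscriber table recording the date each number opted in, and a feed of
(number, quarantine date) notices from the operators as described in the case.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Subscriber:
    msisdn: str       # mobile number in E.164 form
    opted_in: date    # date the holder of the number at that time consented


def latest_quarantine_dates(notices: Iterable[Tuple[str, date]]) -> Dict[str, date]:
    """Reduce the operator feed to the most recent quarantine date per number.

    A number can be quarantined more than once over its life; only the latest
    notice matters for deciding whether a stored consent predates a reassignment.
    """
    latest: Dict[str, date] = {}
    for msisdn, when in notices:
        if msisdn not in latest or when > latest[msisdn]:
            latest[msisdn] = when
    return latest


def is_recycled(sub: Subscriber, quarantine: Dict[str, date]) -> bool:
    """True when the number was placed in quarantine on or after the opt-in date.

    Consent recorded before a quarantine belongs to the previous holder, so the
    current holder never agreed to receive anything. A same-day notice is treated
    as recycled, the conservative reading.
    """
    when = quarantine.get(sub.msisdn)
    return when is not None and when >= sub.opted_in


def split_send_list(subs: Iterable[Subscriber],
                    quarantine: Dict[str, date]) -> Tuple[List[str], List[str]]:
    """Return (numbers safe to send to, numbers suppressed as recycled)."""
    safe, suppressed = [], []
    for sub in subs:
        (suppressed if is_recycled(sub, quarantine) else safe).append(sub.msisdn)
    return safe, suppressed


# Constructed sample data for the example (not real numbers or notices).
SAMPLE_SUBSCRIBERS = [
    Subscriber("+353850000001", date(2006, 1, 10)),   # still with original holder
    Subscriber("+353850000002", date(2005, 3, 2)),    # quarantined after opt-in: recycled
    Subscriber("+353850000003", date(2006, 9, 1)),    # quarantined, then re-issued and opted in again
]
SAMPLE_NOTICES = [
    ("+353850000002", date(2005, 11, 20)),
    ("+353850000003", date(2005, 12, 5)),
    ("+353850000002", date(2005, 6, 1)),   # older notice for the same number, superseded
]


def demo() -> Tuple[List[str], List[str]]:
    """Run the check over the constructed sample and return (safe, suppressed)."""
    return split_send_list(SAMPLE_SUBSCRIBERS, latest_quarantine_dates(SAMPLE_NOTICES))


if __name__ == "__main__":
    safe, suppressed = demo()
    print("send:", safe)
    print("suppressed as recycled:", suppressed)
```

The check is only as good as the opt-in date it compares against, so the subscription record must store when consent was captured, not merely that it was. A number whose opt-in postdates its last quarantine (the third sample record) is a genuine new consent and is kept.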
News of the World: Limits of the Media Exemption
Breaches of data protection rights of individuals by publication of material in the media, as described in last year’s annual report, remained an issue during 2006. I made two separate decisions in the course of the year that newspapers had breached their obligations under the Data Protection Acts. One such case involved the Sunday World. The other, described below, involved the Irish edition of the News of the World. Both cases involved the publication of information about children of well-known individuals.
I received a complaint on behalf of a data subject, a well-known individual, arising from material published in the News of the World (Irish edition) in 2005. The complaint related to the subject matter of the material published and the manner in which it was obtained. The material published consisted of a photograph of the data subject and child while shopping, together with related text expressly identifying the data subject’s child by name and age, and referring to a third party’s perception as to how parent and child were getting along. The complainant alleged that consent was neither sought nor obtained prior to the taking of the photograph. The complainant further alleged that consent was not sought nor obtained prior to the publication of the material subsequently in the News of the World newspaper. In particular, the complainant alleged that the publication contravened Sections 2(1), 2A (1) and 22 of the Data Protection Acts. The complainant considered that their right to privacy outweighed any purported journalistic purpose or public interest in the publication of their photograph and accompanying text which was the subject of the complaint.
My Office commenced an investigation and wrote to the data controller, News of the World (Ireland). We sought its observations on the alleged contravention of the Acts, in particular in relation to the journalistic exemption contained in Section 22A. This Section provides a “public interest” exemption in respect of the processing of personal data for journalistic purposes. In response the newspaper highlighted that the data subject was a well-known personality who had been the subject of extensive media attention. It claimed that the data subject had, in the past, courted such attention. Given this background, it concluded that there was a public interest in revealing information about the data subject and the parent – child relationship, as illustrated by the photograph and accompanying text. It stated that the information revealed did not constitute sensitive personal data and that, therefore, the conclusion reached by the UK Courts in the case of Naomi Campbell v. MGN Limited – cited as the only authority to date dealing with this particular issue – was not relevant to the present case. It concluded that, in the circumstances, “the article amounted to a publication of journalistic material in the public interest … that … fall(s) squarely within the exemption provided by Section 22A of the 1988 and 2003 Acts”.
The primary issue to be decided in this case was whether the public interest exemption under section 22A of the Acts in respect of processing of personal data for journalistic etc. purposes applied in respect of the publication of the photograph and text relating to the data subject and child. If the public interest in publication exemption applied, then there would be no breach of the provisions of the Data Protection Acts in this case.
I am obliged by Section 3 of the European Convention on Human Rights Act, 2003, to perform my functions in a manner compatible with the State’s obligations under the Convention’s provisions. Accordingly, in arriving at my conclusion on the applicability of the Section 22A exemption to the facts of the case, I had regard to the provisions of Articles 8 and 10 of the European Convention on Human Rights and any guidance that the European Court of Human Rights (ECtHR) had provided on how the rights to privacy and freedom of expression should be balanced – the same balance that was at issue in relation to the applicability of Section 22A of the Acts.
In this regard, I noted the Decision of the ECtHR in the case of Von Hannover v. Germany (Application No. 59320/00) – the Princess Caroline case. The Court held that the German courts, in refusing to grant Princess Caroline of Monaco injunctions against newspapers taking and publishing photographs of her, had infringed her rights under Article 8 of the Convention. The photographs in question had shown Princess Caroline engaged in various activities such as shopping, playing sport and at the beach. The Court, noting that the material related exclusively to details of the applicant’s private life, considered that “the publication of the photos and articles in question, of which the sole purpose was to satisfy the curiosity of a particular readership regarding the details of the applicant’s private life, cannot be deemed to contribute to any debate of general interest to society despite the applicant being known to the public.” In that case, the Court considered that “anyone, even if they are known to the general public, must be able to enjoy a “legitimate expectation” of protection and of respect for their private life.”
While data protection law is not specifically dealt with in the Von Hannover Decision, this case was of assistance in helping me to come to a decision as to the appropriate balance between the public interest in freedom of expression and the individual’s right to protection of their personal data, as required by Section 22A of the Acts.
Section 22A(3) of the Acts provides that, in evaluating whether a publication would be in the public interest, regard may be had to codes of practice approved by the Data Protection Commissioner pursuant to the Acts. While no such code has been approved, it seemed appropriate, in reaching a determination, to take note of the newspapers’ own codes of practice. In making my assessment, I therefore took account of the National Newspapers of Ireland Code of Practice. In relation to children, the Code provides that they should not be identified unless there is a clear public interest in doing so. Relevant factors are identified as the age of the child, whether there is parental permission, and whether there are circumstances that make the story one of public interest, “or, if the person is a public figure or child of a public figure, whether or how the matter relates to his/her public person or office.” I also noted that the UK Press Complaints Commission Code of Practice provides that editors must not use the fame of a parent as sole justification for publishing details of a child’s private life and that “in cases involving children under 16, editors must demonstrate an exceptional public interest to over-ride the normally paramount interest of the child”. I was of the view that these provisions represent a fair expression of how the principles of data protection legislation ought to be applied in relation to children and minors.
In coming to my decision, I also noted the allegation, which was not refuted by the data controller, that the photograph was taken without the consent of the data subject. I issued a Decision on this case under Section 10(1)(b)(ii) of the Acts. Among other things, I found that it did not appear to me that the public interest claimed by the data controller in publication of the material in question could be such as to justify setting aside the right to respect for a person’s private and family life.
I was of the view that the publication of the photograph and text relating to the data subject and child, and the manner of their interaction, could not be justified in terms of the public interest under section 22A. I considered that the material published breached the entitlements of a child to interact with its parent in a normal way without their relationship being made the subject of public comment through publication in a newspaper.
Having therefore concluded that the journalistic exemptions under section 22A did not apply in this case, I considered whether the processing of personal data involved in the obtaining and publication of the material complied with the other provisions of the Acts, especially sections 2 and 2A thereof. On the basis of my examination, my decision was that the personal data relating to the data subject and child was not obtained or processed fairly, as required under sections 2(1)(a) and 2A of the Acts.
Caredoc: Failure to comply with an access request and appeal of an enforcement notice
I received a complaint from the parents of a child that Caredoc (a medical facility in Carlow) had failed to comply with an access request under Section 4 of the Acts for access to the child’s personal data.
My Office received the complaint in January 2006 and commenced an investigation. We established that the child had attended Caredoc in May 2004 and that the access request was made by the solicitor for the child’s family in August 2005. Prior to the complaint being submitted to my Office, Caredoc’s solicitors informed the legal representative for the child’s family that the access request raised matters of serious importance to their clients and that they wished to be absolutely sure of their position prior to making a formal reply.
During the course of my Office’s investigation, we exchanged correspondence on several occasions with Caredoc’s solicitors. We posed a number of key questions on the matter, none of which were answered to the satisfaction of my Office. At one point we were advised that the access request had thrown up a serious difficulty with which Caredoc was trying to come to terms. Caredoc’s solicitors acknowledged that their client owed statutory obligations on foot of the Data Protection Acts but stated that their client also owed a number of other conflicting obligations which needed to be reconciled properly with all the persons concerned before they were in a position to comply with the access request. In later correspondence, my Office was told that the request had raised a fundamental problem for Caredoc concerning the information gathered by them both physically and electronically and that the opinion of Senior Counsel was required. This was accepted in good faith on the basis that such advice would be forthcoming promptly. In a further letter, Caredoc’s solicitors informed my Office that genuine difficulties had arisen as a result of the circumstances thrown up by the access request and that Caredoc was anxious not to have any adverse precedents set in relation to the confidentiality issue as between doctor and patient. Throughout the investigation, my Office continued to remind Caredoc of its obligations to comply with the access request and we advised them that failure to proceed to release the information was a contravention of Section 4(1) of the Acts. At the end of June 2006, having exchanged a large volume of correspondence and with no prospect of the legal advice emerging, my Office gave Caredoc’s solicitors a final opportunity to respond to the key questions which we had raised with them. They failed to respond and I subsequently served an Enforcement Notice on Caredoc in July 2006 pursuant to Section 10 of the Acts.
There were a number of reasons for my decision to serve an Enforcement Notice on Caredoc. From the information available to me, I believed that information collected by Caredoc on the date in question likely constituted sensitive personal data within the meaning of the Acts. I believed that Caredoc had not complied with an access request and was, therefore, in contravention of Section 4(1) of the Acts. Furthermore, I believed that, given the passage of time and the continued failure of the data controller or their legal representatives to engage substantively with my Office, an Enforcement Notice was required to ensure compliance.
The Enforcement Notice required Caredoc, within a period of twenty one days, to provide the solicitor of the child’s family with the personal data relating to the attendance of the child at Caredoc’s facility in Carlow in May 2004. In line with their legal entitlements, pursuant to Section 26 of the Acts, Caredoc appealed to the Circuit Court against the requirement specified in the Enforcement Notice. The appeal was listed for hearing in Carlow Circuit Court in December 2006. At the Court hearing, Caredoc withdrew the appeal and agreed to supply the personal data sought.
I was very satisfied with the outcome of this case. Firstly, it ensured that the patient in question received access to their full medical records. Secondly, the case was significant for my Office as I used my full legislative powers to compel the provision of the records in question when Caredoc had repeatedly delayed in doing so. Thirdly, the case was all the more acute as it related to sensitive medical information which a patient has a right to access except in certain very limited circumstances. Finally, the patient in question was a minor and the access request was made on his behalf by his mother.
Bank of Ireland marketing of 12 and 13 year old school children
I received a number of complaints during 2003 relating to marketing activity by Bank of Ireland in schools where 12 and 13 year olds had received presentations by Bank staff and were offered the opportunity of opening an account. The complaints centered on the lack of parental consent, details on parents being sought, the procedure by which the teacher confirmed the identity of students and the fact that when an account was closed at the request of a parent, the details were still retained by the Bank for 6 years.
In last year’s Annual Report, I referred to section 2A(1) of the Data Protection Acts, which states that consent cannot be obtained from a person who, by reason of age, is likely to be unable to appreciate the nature and effect of such consent. I was pleased to note that before I had to make a determination on the matter during 2004, the Bank changed its policy and now focuses this marketing activity on Transition Year Students and classes which are taking Banking as part of the school curriculum.
In regard to the form for identifying students, this was necessary in order that the Bank may comply with its anti-money laundering identification obligations pursuant to the Criminal Justice Act, 1994. Following discussions with me, these procedures were revised by Bank of Ireland, and a new application form was introduced for second level students who wish to open a bank account. The revised form specifically provides for the student’s consent to this verification and states –
“To enable the Bank to comply with its obligations to establish my identity, I give permission to the Bank to contact my school to verify the accuracy of the information I have given on this form against that supplied to my school. For the benefit of my school, I confirm that my school may act upon this authorisation as if it were specifically addressed to my school.”
The revised form makes clear to students that if they wish to open an account, they are authorising their teachers to confirm their identity to Bank of Ireland. The revised form does not request information about the parents of the student. I was satisfied that the new procedures comply with Data Protection requirements in that teachers who confirm the identity of the students for the Bank, will be doing so with the authorisation of individual students who have capacity under the Acts to give consent.
In regard to the retention of data, I was advised that the Bank is obliged under anti-money laundering identification obligations pursuant to the Criminal Justice Act, 1994, to hold account opening documentation for six years, even where any money in the account has been withdrawn and the account is closed. Accordingly, in circumstances where there is a statutory obligation regarding data retention, the provisions of the Data Protection Acts specifying that data should not be retained for any longer than necessary for the purpose are set aside.
This issue raised sensitive issues regarding children and their capacity to give consent. Parents, teachers and most of all students should be cautious when faced with any marketing campaigns. The test is whether the young person can reasonably be said to understand the implications of supplying personal data and giving consent.
PMI Ltd mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent
In early January 2003 I received a complaint from an individual to the effect that his ten year old daughter had received unsolicited mail from a bank offering her a credit card. The letter was addressed to the child using “Blackrock, Co. Dublin” as the postal address. However, the use of “Blackrock, Co. Dublin” indicated to the complainant that the address was not provided by any member of the family, as they always used “Stillorgan, Co. Dublin” in their correspondence. The complainant contacted the bank in the matter requesting an explanation and also that his daughter’s name and that of his immediate family be removed from its mailing list. He was informed that the mailing list used by the bank had been rented from Precision Marketing Information Ltd. (PMI), who had got the details from a reputable third party.
The bank phoned my Office when this matter arose and stated that a mailing list, obtained from PMI, apparently had included data relating to a number of minors. The bank had issued credit card marketing material using this list and, in the process, had inadvertently marketed a minor. PMI also informed my Office that the maximum number of minors’ records involved in this instance was 202 and that those records were in the process of being deleted.
As there appeared to be a contravention of the Data Protection Acts, I then investigated the matter under section 10 of the Acts.
I established that the data purchased by PMI from a UK company was obtained by that company from a post-holiday survey form which included age categories. The information was held and processed by the UK company, with whom PMI had an agreement to purchase data relevant to residents of the Republic of Ireland. However, in this instance, the data relating to a minor arose as a result of a coding error when loading the new data onto PMI’s systems. The error was rectified and additional stringent checks were put in place to ensure that an error of this type never occurred again.
Under Data Protection legislation fair obtaining of personal data is an active duty. It is up to the data controller, not the data subject, to make sure that it takes place. For a data controller to satisfy the requirements of fair obtaining and purpose specification it must ensure that at the time of providing personal information, individuals are made fully aware of:
the identity of the persons who are collecting it (though this may often be implied),
to what use it will be put,
the persons or category of persons to whom it will be disclosed.
I consider that when dealing with personal data relating to minors, the standards of fairness in the obtaining and use of data, required by the Data Protection Acts, are much more onerous than when dealing with adults. I consider that use of a minor’s personal data cannot be legitimate unless accompanied by the clear consent of the child’s parent or guardian.
In this case, the minor’s details were not fairly obtained, in contravention of Section 2(1)(a), as a ten year old cannot give valid consent even if the opt-out box has not been ticked. The coding error resulting in the incorrect entry of the child’s details onto PMI’s systems was in contravention of Section 2(1)(b) as PMI, albeit inadvertently, supplied data relating to minors to the bank and this led directly to the mailing received by the child in this case.
I considered the point made by PMI that they, rather than the bank, were the data controller in this case. While PMI were the original Data Controller of the mailing list, when it came into the hands of the bank, through renting it, the bank then became the Data Controller of the list. While the bank actually mailed the minor, I accepted that it rented the mailing list, which inadvertently contained the minor’s details, in good faith from PMI. I noted that PMI, with whom the bank had a contract, provided it with data which included data relating to 202 minors under 18 and as a result the bank marketed the minor in this particular case. I therefore found that the bank and PMI as data controllers were both in contravention of section 2 with regard to fair obtaining, processing and use of the minor’s data in this instance.
I was satisfied that PMI were aware of their responsibilities under the Data Protection Acts, 1988 and 2003 with regard to the use of data for direct marketing purposes, particularly in regard to minors. I accepted their assurance that the coding error which gave rise to the complaint was rectified and that additional stringent checks were put in place to ensure that an error of this type would not occur again. I acknowledged the swift action taken by both PMI and the bank in response to the complaint and to their co-operation with my Office in the course of the investigation.
While I also accept that the bank was the innocent party in this instance, marketing companies must nevertheless take reasonable but effective measures to ensure that minors are not the targets of marketing campaigns without proper consent.
Women’s Mini-Marathon – unauthorised and incompatible disclosure – Internet photographs – informed consent
I received a complaint from a mother who took part in the Women’s Mini-Marathon in June 2002 with her fourteen year old daughter. Her daughter subsequently received a letter in July 2002 from a UK company offering her photos of herself taken on the day of the marathon. The photos also appeared on the company’s website. The mother complained that she had not given permission to the organisers of the mini-marathon to supply her daughter’s name, address and race number to another company or to take photos of her daughter and she had requested that the photo be removed from the website immediately. The photos were subsequently removed from the web site at the request of my Office. The Data Protection issue here involved the disclosure of personal data in a manner incompatible with the purpose for which it had originally been obtained.
My Office contacted the organisers of the mini-marathon who agreed that they had supplied the information to the company to take photos on the day and that the participants would not have been aware of this when they signed up for the event. The organisers hoped if this proved popular that they would engage the company to take photos the next year. The organisers made facilities available to the company to take photos at the start and finish of the race. They gave them access to their database of participants and the company offered photos to these participants for sale.
While acknowledging the view of the race organisers that this service was of added value to participants and was part of the race experience, I considered that a contravention of Data Protection Law had occurred in this instance in that the entry form did not indicate the further use to which the database of entrants would be put and it should have provided for prior consent to be given or withheld.
My Office arranged a meeting with the organisers of the event at which the data protection requirements for events of this nature were discussed in detail and in particular, the obligation regarding transparency as to the uses to which information would be put. This involved a minimum requirement that a facility to opt out of additional uses be provided. The organisers agreed to revise their procedures for future events, and to give participants an option regarding photos.
I was satisfied with the response of the organisers of the Women’s Mini Marathon to the complaint, and I note that they revised their entry forms to reflect Data Protection requirements for the forthcoming 2003 event.
School web site – personal data relating to children – issue of fair obtaining
A parent contacted my Office to complain that the local primary school was publishing personal details of pupils on the school web site, without the knowledge or consent of parents. The details included photographic images of named individual pupils, as well as general details volunteered by pupils regarding their hobbies, likes and dislikes. The parent was concerned that the non-selective publication of children’s details in this way was inappropriate, and could expose the children to unnecessary risks. The parent had raised the matter with the school authorities and was very dissatisfied with the response she had received.
I immediately contacted the school principal to arrange that personal details relating to identifiable children would be deleted from the web site, pending an urgent meeting on this matter. At the meeting, the school principal explained that the web site had been set up several weeks previously in order to meet the educational needs of children in relation to computing. The pupils themselves had been quite positive about the development. Photographs of individual pupils in the junior and senior infants classes had been posted on the web site. Other pupils had been invited to contribute to the web site through other activities, such as filling out questionnaires giving personal information that would be of interest to pupils in other schools, both nationally and internationally. It was noted that the school web site had been given an award by an internet service company in recognition of its merit. As regards parental consent, the principal said that the new web site had been mentioned in a recent school newsletter, and that parents had been invited to come to the school to check it out for themselves.
I pointed out that section 2(1)(a) of the Data Protection Act requires that personal data “shall have been obtained, and the data shall be processed, fairly”. When dealing with personal data relating to schoolchildren, “fairness” in my judgement requires that the clear and informed consent of parents or guardians must be obtained before any use is made of the children’s data. This is particularly so where the use envisaged involves the posting of data on the worldwide web. The principal accepted these points and undertook not to post personal details of schoolchildren on the web site except with the express authorisation of a parent or guardian.
I have no doubt that forward-looking schools will continue to reflect the growing importance of the internet in their educational programmes in future. Certainly, the internet has the potential to serve as a versatile tool for educators and to yield many benefits for students. However, the posting of personal details on a web site entails a dramatic loss of control over access to and use of such details, in a manner that may be quite incompatible with a school’s responsibilities as a data controller. In this case, the vigilance of parents played a key role in ensuring that the school was made aware of its data protection responsibilities. I should also point out that, following the changes made on foot of the parents’ concerns, the school web site in question is now, in my opinion, an excellent and a safe educational resource. Part 1 of this Annual Report gives further information on this general topic under the heading ‘Education and Awareness’.
Direct mailing to children – complaint by parent – issues of fair obtaining and keeping data longer than necessary
A father complained to me that his children had received direct mail from a company making a product used mainly by children. This complainant took the view that children were more vulnerable than adults to manipulation by marketing and should not be targeted in such a way.
I took the matter up with the company concerned and was referred to the agency which carried out its marketing activities. This agency informed me that as a result of the complaint it had deleted the data relating to the children in question, but in its response it produced material to show that they had responded some time previously to another promotional campaign.
The earlier promotional campaign had been a “once-off”. I told the agency that in these circumstances its actions raised two issues:
First of all, the earlier campaign had been concluded for some time. Section 2(1)(c)(iv) provides that data “shall not be kept for longer than is necessary” for the purpose for which they were obtained in the first place. Consequently I asked the agency to consider whether it should still have the respondents’ data at all. The agency explained that when people responded to promotional campaigns their data were generally kept for about a year, because it was quite common for people who had taken part in campaigns, or thought or pretended they had, to contact the promoters again subsequently. I accepted this argument as reasonable in the particular circumstances of the case.
Secondly, the children’s data had been obtained for a single purpose – the conduct of the earlier campaign. I questioned whether it was open to the agency to use the data for another purpose without first of all seeking the individuals’ positive consent to do so. The agency undertook to keep this point in mind in future.
Various Breaches
Disclosure of Personal Information to a Third Party by a Data Processor
We received a complaint concerning the alleged unauthorised disclosure of the complainant’s personal information by An Post to a third party. The complainant, who had recently been bereaved, informed us that An Post had erroneously issued a valuation statement in respect of a joint savings deposit account that they had previously held with their late partner, to a solicitor acting on behalf of their late partner’s son. The statement contained the complainant’s personal financial data in relation to their joint State Savings account held with the National Treasury Management Agency (NTMA). Prior to making the complaint to this Office, the complainant had received an apology from An Post, on behalf of the NTMA, who acknowledged that the complainant’s personal information had been disclosed in error. However, because the complainant had received very little information as to how the disclosure had occurred they requested that we investigate this matter.
Although the complainant submitted a complaint against An Post, we established in our preliminary investigation that An Post offers products and services on behalf of State Savings, which is the brand name used by the NTMA to describe the range of savings products offered by the NTMA to personal savers. An Post is therefore a “data processor” as defined under the Data Protection Acts 1988 and 2003, as it processes customers’ personal data on behalf of the NTMA. The NTMA is the “data controller” as defined under the Data Protection Acts 1988 and 2003, as it controls the content and use of its customers’ personal data for the purposes of managing their State Savings account.
We commenced an investigation by writing to the NTMA, which did not contest the fact that the complainant’s personal information had been disclosed. The NTMA stated that, having received a full report from its data processor, An Post, it had confirmed that, contrary to State Savings standard operating procedures, a valuation statement, which included details of an account held jointly by the complainant and their deceased partner, was sent to a solicitor acting on behalf of a third party. The NTMA acknowledged that the information should not have been sent to the third party and that correct procedures were not followed in this instance by the data processor.
The complainant chose not to accept an apology and goodwill gesture from the NTMA as an amicable resolution of their data protection complaint, opting instead to seek a formal decision of the Data Protection Commissioner.
A decision of the Data Protection Commissioner issued in July 2016. In her decision, the Commissioner formed the opinion that the NTMA contravened Section 2A(1) of the Data Protection Acts 1988 and 2003 by processing the complainant’s personal information without their consent by way of the disclosure, by An Post as an agent of the NTMA, of the complainant’s personal information to a third party.
This case illustrates that it is vital for data controllers to ensure that their policies and procedures for the protection of personal data are properly and routinely adhered to by all staff. Staff awareness is key to this issue, but employers should also ensure that regular reviews of how those policies and procedures are applied in practice are carried out so as to identify potential issues and enable the taking of appropriate remedial actions/changes to the practices, policies and procedures.
Prosecution of Glen Collection Investments Limited and One of its Directors
The investigation in this case established that the defendant company obtained access to records held on computer databases in the Department of Social Protection over a lengthy period of time and that a company director used a family relative employed in the Department of Social Protection to access the records. The defendant company had been hired by a Dublin-based firm of solicitors to trace the current addresses of bank customers that the respective banks were interested in pursuing in relation to outstanding debts. Having obtained current address information or confirmed existing addresses of the bank customers concerned from the records held by the Department of Social Protection, the defendant company submitted trace reports containing this information to the firm of solicitors which acted for the banks. The case came to light on foot of a complaint which we received in February 2015 from a customer of AIB bank who alleged that an address associated with him and which was known only to the Department of Social Protection was disclosed by that department to an agent working on behalf of AIB bank.
The Data Protection Commissioner decided to prosecute both the company and the director in question, Mr Michael Ryan. Glen Collection Investments Limited was charged with seventy-six counts of breaches of the Data Protection Acts, 1988 & 2003. Sixty-one charges related to breaches of Section 19(4) of the Data Protection Acts for processing personal data as a data processor while there was no entry recorded for the company in the public register which is maintained by the Data Protection Commissioner under Section 16(2) of the Data Protection Acts. Fifteen charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person.
Mr. Michael Ryan, a director of Glen Collection Investments Limited, was separately charged with seventy-six counts of breaches of Section 29 of the Data Protection Acts, 1988 & 2003 for his part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of the company directors or other officers.
The cases against Glen Collection Investments Limited and its director were called in Tuam District Court in January, May and July of 2016 before the defendants eventually entered guilty pleas on 10 October 2016. While the defendant company was legally represented in court on all occasions, the Court issued a bench warrant for the arrest of the company director, Mr Ryan, on 10 May 2016 after he had twice failed to appear. The bench warrant was executed at Tuam District Court on 10 October 2016 prior to the commencement of that day’s proceedings.
At Tuam District Court on 10 October 2016 Glen Collection Investments Limited pleaded guilty to twenty-five sample charges – thirteen in relation to offences under Section 22 and twelve in relation to offences under Section 19(4). The company was convicted on the first five counts with the remainder taken into consideration. The court imposed five fines of €500 each. Mr. Ryan pleaded guilty to ten sample charges under Section 29. He was convicted on all ten charges and the court imposed ten fines of €500 each. In summary, the total amount of fines imposed in relation to this prosecution was €7,500.
Disclosure of Personal Data to a Third Party in Response to a Subject Access Request
An ex-employee of Stobart Air made a complaint in August 2015 to us regarding the unlawful disclosure of their redundancy details to another member of staff following an access request made by that person to the company. The complainant also informed us they had equally received third party personal information in response to a subject access request that they themselves had made to the company in May 2015.
Stobart Air, on commencement of our investigation, confirmed to us that a breach of the complainant’s data had occurred in November 2014. It stated that it had not initially notified the complainant of the breach when it first learned of it as it was unaware of the data protection guidelines that advise the reporting of disclosures to the data subjects involved where the disclosure involves a high risk to the individual’s rights and requesting the third party in receipt of the information to destroy or return the data involved.
The complainant in this case declined an offer of amicable resolution and requested a formal decision of the Commissioner. In her decision the Commissioner found that Stobart Air had, in including the complainant’s personal data in a letter to ex-employees, carried out unauthorised processing and disclosure of the complainant’s personal data. This had contravened Section 2A(1) of the Data Protection Acts, 1988 and 2003, by processing the complainant’s personal information without the complainant’s consent or another legal basis under the Data Protection Acts 1988 and 2003 for doing so.
Stobart Air itself identified that it had inadequate training and safeguards around data protection in place, which it has since sought to rectify.
In a separate complaint received by the DPC in September 2015, we were notified that Stobart Air had disclosed financial data of a third party to the complainant in response to a subject access request. We proceeded to remind Stobart Air of its obligations as a data controller and Stobart Air identified a number of individuals who had been affected by these issues. Stobart Air subsequently notified all affected third parties of the breach of their personal data. However, in trying to comply by notifying the affected individuals, Stobart Air disclosed the complainant’s data, by divulging the fact that the complainant was the recipient of this data, in a letter notifying the individuals whose data was originally disclosed.
Stobart Air had no legal basis to disclose the complainant’s personal data to the third parties involved, nor did it have the consent of the individual affected. The disclosure of the complainant’s identity to the individuals affected by the original breach was unnecessary in the circumstances and in contravention of Section 2A(1) of the Data Protection Acts 1988 and 2003.
Disclosure of personal information to a third party by the Department of Social Protection
This Office received a complaint in July 2014 concerning an alleged unauthorised disclosure of the complainant’s personal information by the Department of Social Protection to a third party. The complainant informed us that, in the course of an Employment Appeals Tribunal hearing, her employer produced to the hearing an illness-benefit statement relating to her. The statement contained information such as her name, address, PPSN, date of birth, bank details and number of child dependants. She stated that her employer was asked how he had obtained this illness-benefit statement. He stated that he had phoned the Department of Social Protection and the statement had subsequently been sent to him by email. Prior to making the complaint to this Office, the complainant had, via her solicitors, received an apology from the Department, who acknowledged that her information had been disclosed in error and that proper procedures had not been followed. However, she informed us that she had very little information as to how the disclosure had occurred and that the matter had caused her considerable distress.
We commenced an investigation by writing to the Department of Social Protection. In response, it stated that it accepted that a statement of illness benefit was disclosed to the complainant’s employer in error, on foot of a telephone call from the employer. The Department acknowledged that the information should not have been sent out to the employer and that the correct procedures were not followed on this occasion. It stated that the staff member who supplied the information was new to the Department. It explained that it was not normal practice to issue a screenshot to the employer; the correct procedure was to issue a statement to the employee along with a note informing the employee that the information had been requested by their employer.
The data subject chose not to accept an apology from the Department as an amicable resolution of her data protection complaint, opting instead to seek a formal decision of the Data Protection Commissioner.
A decision of the Data Protection Commissioner issued in October 2015. In her decision, the Commissioner formed the opinion that the Department of Social Protection contravened Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 by the further processing of the complainant’s personal data in a manner incompatible with the purpose for which it had been obtained. The contravention occurred when the Department of Social Protection disclosed the complainant’s personal data to an unauthorised third party.
This case serves as a reminder to data controllers of the importance of ensuring that new staff are fully trained and closely supervised in all tasks, particularly in those tasks that involve the processing of personal data. Errors by staff present a high risk of data breaches on an ongoing basis, and it is critically important that efforts are made to mitigate those risks by driving data protection awareness throughout the organisation, with particular focus on new or re-assigned staff.
Marketing offences by MTS Property Management Limited – prosecution
We received a complaint in February 2013 from an individual who received marketing SMS messages from MTS Property Management Limited advertising the company’s property-management services. The complainant informed us that she had dealt with the company on one occasion over five years previously but she did not consent to her mobile phone number being used for marketing purposes. She also pointed out that the SMS messages that she received did not provide her with a means of opting out.
Our investigation of this complaint became protracted as the company denied knowledge of the mobile number to which the SMS messages were sent and it denied knowledge of the account holder of the sending phone number. However, our investigation established sufficient evidence to satisfy us that MTS Property Management Limited was responsible for the sending of the marketing SMS messages to the complainant. We decided to prosecute the offences.
MTS Property Management Limited had come to our attention previously in the summer of 2010 when two individuals complained about unsolicited marketing SMS messages sent to them without consent and without the inclusion of an opt-out mechanism. Following the investigation of those complaints, we warned the company that it would likely face prosecution if it committed further offences under Regulation 13 of SI 336 of 2011 at any future time.
At Dublin Metropolitan District Court on 23 February 2015, MTS Property Management Limited pleaded guilty to one charge of sending an unsolicited marketing SMS without consent and it pleaded guilty to one charge of failing to include an opt-out mechanism in the marketing SMS. The Court convicted the company on both charges and it imposed two fines of €1,000 each. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
Marketing offences by Greyhound Household – prosecution
In May 2014, we received a complaint against Greyhound Household from an individual who received an unsolicited marketing phone call on his mobile telephone from the company’s sales department. The same individual had previously complained to us in December 2013 as he was receiving marketing SMS messages from Greyhound Household that he had not consented to receiving. He informed us that he had ceased being a customer of the company in May 2013. Arising from the investigation of the previous complaint, Greyhound Household had undertaken to delete the former customer’s details and it apologised in writing to him. On that basis, we concluded the matter with a formal warning to the effect that any future offences would likely be prosecuted.
On receipt of the latest complaint, we commenced a further investigation. Greyhound Household admitted that a telephone call was made to the complainant’s mobile phone number without consent but it was unable to explain why his details had not been deleted in line with the company’s previous undertaking. We decided to prosecute the offence.
At Dublin Metropolitan District Court on 23 February 2015, Greyhound Household pleaded guilty to one charge of making an unsolicited marketing phone call to a mobile phone number without consent. The Court applied Section 1(1) of the Probation of Offenders Act subject to the defendant making a charitable donation of €1,000 to Pieta House. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
Marketing offences by Imagine Telecommunications Business Limited – prosecution
In March 2015, we received a complaint against Imagine Telecommunications Business Limited from a company that had received unsolicited marketing telephone calls. The same company had previously complained to us in 2014 about repeated cold calling to its offices. Despite having submitted an opt-out request to Imagine Telecommunications Business Limited, it continued to receive marketing phone calls. Following our investigation of the first complaint, and having been assured that the phone number of the complainant company had been removed from the marketing database, we issued a formal warning to Imagine Telecommunications Business Limited that any future offences would likely be prosecuted.
On investigating the current complaint, we were informed by Imagine Telecommunications Business Limited that it had failed to mark the telephone number concerned as ‘do not contact’ on the second of two lists on which it had appeared. This led to the number being called again in March and June 2015. It stated that the only reason the number was called after the previous warning was due to this error and it said that it took full responsibility for it.
We prosecuted the offences at Dublin Metropolitan District Court on 2 November 2015. Imagine Telecommunications Business Limited pleaded guilty to one charge of making an unsolicited marketing telephone call without consent. The Court applied Section 1(1) of the Probation of Offenders Act conditional upon a charitable donation of €2,500 being made to the Merchant’s Quay Project. Prosecution costs were recovered from the defendant.
Marketing offences by Eircom Limited – prosecution
We received complaints from two individuals in February and April 2015 concerning marketing telephone calls that they had received on their landline telephones from Eircom Limited. In both cases, and prior to lodging their complaints, the individuals had submitted emails to Eircom Limited requesting that they not be called again. Eircom’s Customer Care Administration Team replied to each request and informed the individuals that their telephone numbers had been removed from Eircom’s marketing database. Despite this, each individual subsequently received a further marketing telephone call in the following months, thus prompting their complaints to this Office.
Eircom informed our investigation that the agents in its Customer Care Administration Team who handled the opt-out requests had not updated the system to record the new marketing preference after sending out the replying email to the individuals concerned. It undertook to provide the necessary refresher training to the agents concerned.
Separately, a former customer of Eircom complained in May 2013 that he continued to regularly receive unsolicited marketing phone calls from Eircom on his landline telephone despite clearly stating to each caller that he did not wish to receive further calls. He stated that the calls were numerous and that they represented an unwarranted intrusion into his privacy. Eircom continued to make a further ten marketing telephone calls to the individual after the commencement of our investigation of this complaint. Our investigation subsequently established that this former customer had received over 50 marketing contacts from Eircom since 2009 when he ceased to be an Eircom customer. Eircom explained that the continued calls arose from a misunderstanding of what systems the former customer’s telephone number was to be opted out from.
In October 2014, an Eircom customer complained that he had received a marketing SMS from Eircom that did not provide him with a means to opt out of receiving further marketing SMS messages. Eircom informed our investigation of this complaint that the inclusion of an opt-out is the norm in all of its electronic-marketing campaigns but, in this instance, and due to human error, the link to the necessary opt-out had not been set properly. Our investigation established that this error affected over 11,600 marketing messages that were sent in the campaign concerned.
We proceeded to prosecute the offences identified on foot of the complaints received in the aforementioned cases. At Dublin Metropolitan District Court on 2 November 2015, Eircom Limited pleaded guilty to six charges of making unsolicited marketing calls without consent and it pleaded guilty to one charge of sending a marketing SMS without a valid address to which the recipient may send an opt-out request. The Court applied Section 1(1) of the Probation of Offenders Act conditional on the defendant making donations amounting to €35,000 as follows: €15,000 to Pieta House, €10,000 to LauraLynn (Children’s Hospice) and €10,000 to Our Lady’s Children’s Hospital, Crumlin. The company agreed to pay the prosecution costs incurred by this Office.
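The three failure modes in the Imagine and Eircom prosecutions above are all control failures rather than policy failures: an opt-out recorded on one list but not another, an acknowledgement sent before the preference was stored, and a campaign template shipped without its opt-out link. The following is an added example, written for this page and not code belonging to any of the companies named or to the DPC, of a pre-send gate that closes all three gaps. It assumes Irish numbering for normalisation and uses constructed contact lists; the class and function names are illustrative.

```python
"""Pre-send gate for electronic marketing (added example, not from the source).

Three controls, one per failure mode described on the page:
  1. One suppression register consulted for *every* list, so a number that
     appears on a second list cannot be dialled after opting out.
  2. The register is updated before the opt-out acknowledgement is sent,
     never after, so a forgotten follow-up step cannot leave it stale.
  3. SMS templates are refused unless they carry an opt-out mechanism.
"""
import re

# Anything a recipient could plausibly use to opt out. Constructed for the
# example; a real deployment would match its own documented mechanism.
OPT_OUT_PATTERN = re.compile(r"\bSTOP\b|opt[- ]?out|unsubscribe", re.IGNORECASE)


def normalise_msisdn(number):
    """Canonical E.164-style form so the same subscriber cannot slip through
    as '01 234 5678' on one list and '+35312345678' on another.
    Assumes Irish numbering (+353) for nationally formatted numbers."""
    digits = re.sub(r"\D", "", number)
    if digits.startswith("00"):          # international prefix
        digits = digits[2:]
    elif digits.startswith("0"):         # national trunk prefix
        digits = "353" + digits[1:]
    return "+" + digits


class SuppressionRegister:
    """Single authoritative 'do not contact' set shared by all campaigns."""

    def __init__(self):
        self._blocked = set()

    def record_opt_out(self, number):
        self._blocked.add(normalise_msisdn(number))

    def is_blocked(self, number):
        return normalise_msisdn(number) in self._blocked


def acknowledge_opt_out(register, number, send_reply):
    """Store the preference first, then acknowledge it. Reversing these two
    steps is exactly how an acknowledged opt-out ends up never recorded."""
    register.record_opt_out(number)
    send_reply(number)
    return register.is_blocked(number)


def gate_campaign(register, contact_lists, template, channel):
    """Merge every list, deduplicate, drop suppressed numbers and refuse to
    send an SMS campaign whose template lacks an opt-out.

    Returns (send_to, suppressed, errors); send_to is empty if errors exist.
    """
    errors = []
    if channel == "sms" and not OPT_OUT_PATTERN.search(template):
        errors.append("SMS template contains no opt-out mechanism")

    merged = {normalise_msisdn(n) for lst in contact_lists for n in lst}
    suppressed = sorted(n for n in merged if register.is_blocked(n))
    send_to = [] if errors else sorted(merged - set(suppressed))
    return send_to, suppressed, errors


if __name__ == "__main__":
    # Constructed data: the complainant company's number appears on two lists
    # in two formats, as in the Imagine case.
    reg = SuppressionRegister()
    sent_acks = []
    acknowledge_opt_out(reg, "01 234 5678", sent_acks.append)

    list_a = ["01 234 5678", "086 111 2222"]
    list_b = ["+35312345678", "0871234567"]
    ok, dropped, errs = gate_campaign(
        reg, [list_a, list_b], "Deals this week. Reply STOP to opt out.", "sms")
    print("send:", ok, "suppressed:", dropped, "errors:", errs)

    # Same lists, template missing its opt-out: nothing is sent.
    ok2, _, errs2 = gate_campaign(reg, [list_a, list_b], "Deals this week.", "sms")
    print("send:", ok2, "errors:", errs2)
```

The important design choice is that `is_blocked` is the only path to the register and it normalises on lookup, so lists kept in different formats by different teams still collide against the same entry; the second gap in the Eircom case is closed simply by ordering `record_opt_out` before the reply inside `acknowledge_opt_out`.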
Defence Forces Ireland – failure to keep data safe and secure
A member of the Defence Forces made a complaint to this Office that certain personal data relating to him was not kept safe and secure by the Defence Forces.
The circumstances giving rise to the complaint were as follows. A Military Investigating Officer (MIO) was appointed to review an internal complaint that the individual had made as a member of the Defence Forces. Subsequently, the Defence Forces Ombudsman was appointed to review how that complaint had been handled and, during that review, it was ascertained that the MIO could not supply the notes of an interview he had conducted with the complainant: he had stored them at an unsecure location, where they were damaged or lost following flooding and a burglary while the MIO was on an overseas mission. The unsecure location was in fact the MIO’s private house.
We raised the matter with the Defence Forces, who confirmed the complainant’s allegation that the notes had been stored at an unsecure location and had been damaged or lost as stated.
The Defence Forces informed us of the measures taken to keep data safe and secure, and referred us to its Administration Instruction, which provides for the prohibition of removal of records.
The Defence Forces further stated that the removal of records from their place of custody to a private residence would breach this instruction and that a breach of this provision may constitute an offence under S.168 of the Defence Act 1954. It advised that, as the MIO was no longer a serving member of the Defence Forces, he is not subject to military law.
The Defence Forces unequivocally acknowledged that the loss of the data in this case should not have occurred and was fully regretted. It informed us that it had recently undertaken a full review of practices and procedures in respect of both the processing and disclosure of data to mitigate the possibility of any future unauthorised or accidental disclosure of personal data.
The Commissioner’s decision on this complaint issued in June 2015, and it found that the Defence Forces contravened Section 2(1)(d) of the Data Protection Acts by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the complainant’s personal data when it allowed it to be stored at an unsecure location, namely a private house.
This Office acknowledges that the Defence Forces has procedures in place in relation to the protection of personal data, as set out in its Administration Instruction. However, those procedures were not followed in this case: an official record was removed from its place of custody, and the complainant’s personal data was lost or stolen as a result.
There are many workplace scenarios where staff and managers, in particular, may need to take files, including personal data, home with them. Extreme caution should always be exercised in such cases to ensure that there is no risk to the security of personal data, either while the files are in transit or while they are in the employee’s home. Data controllers must ensure that employees act in a responsible manner with regard to the safe custody and handling of workplace files. This demands a proper system that records the taking out and returning of files, and prescribed procedures for the safe keeping of personal data while the files concerned are absent from the workplace. Likewise, it is critical that employees are prohibited from emailing official files from their workplace email account to a personal email account, whether for after-hours work or for any other reason. In such situations, data controllers lose control of personal data that they are obliged by law to protect.
Further processing of personal data by a state body
In February 2015, we received a complaint from an employee of a state body in relation to the alleged unfair processing of his personal data. The complainant stated that, in the course of a meeting, he had been advised that his manager had requested access to data from his security swipe card in order to compare it with his manually completed time sheets. The complainant explained that this had been carried out without any prior consultation with him or his line manager. By way of background, the complainant informed us that the security swipe cards used by the employees are for accessing the building and secured areas only, and are not used as a time management/attendance system.
We sought an explanation from the body concerned as to how it considered that it had complied with its obligations under the Data Protection Acts in the processing of the complainant’s personal information obtained from his swipe-card data. We also advised it that we had sight of the relevant section of its staff handbook and we noted that there was no reference to the swipe card being used for the purpose of checking attendance.
We received a response explaining that the swipe-card data relating to the complainant was handed over to the complainant’s manager in good faith on the basis that it was corporate rather than personal data. The organisation also confirmed that it checked the staff handbook and any other information that may have been circulated to staff regarding the purposes of the swipe card and that there was no mention of the use of swipe cards in relation to recording time or attendance. It advised that the focus of the information circulated with regard to swipe cards was on security and access only.
After consideration of the response received, along with the content of the complaint, we informed the organisation concerned that we considered that the Data Protection Acts were breached when the employee’s swipe-card details were provided to his manager to verify his working hours. We referred to the provisions of Section 2(1)(c)(ii) of the Data Protection Acts, which state that data shall not be further processed in a manner incompatible with the purpose for which it was obtained. Given that we considered the information concerned had been processed in contravention of the Data Protection Acts 1988 and 2003, we required an assurance that all email records created in relation to the further processing of the swipe-card details concerned be deleted from its systems; this assurance was duly provided.
The complainant in this case agreed, as an amicable resolution to his complaint, that he would accept a written apology from his employer. This apology acknowledged that the complainant’s data protection rights had been breached and it confirmed that the organisation had taken steps to ensure that this type of error did not recur in the future.
This case highlights the temptation organisations face to use personal data that is at their disposal for a purpose other than that for which it was originally obtained and processed. The scenario outlined above is, unfortunately, not uncommon. Time and attendance monitoring may occasionally prove difficult for managers, and contentious issues arise from time to time. The resolution of those issues should not involve infringing the data protection rights of employees, whether in circumstances similar to this case or otherwise.
Supermarket’s excessive use of CCTV to monitor member of staff
A former staff member of a supermarket submitted a complaint to this Office regarding her employer’s use of CCTV.
The complainant informed us that she had been dismissed by her employer for placing a paper bag over a CCTV camera in the staff canteen. She informed us that the reason for her covering the CCTV camera was that when she was on an official break in the staff canteen, a colleague styled her. The complainant also stated that the camera was placed in the corner of the staff canteen and there was no signage to inform staff that surveillance was taking place. She informed us that she was never officially advised of the existence of the camera nor had her employer ever informed her of the purpose of the CCTV in the canteen.
In its response to our investigation, the supermarket informed us that the complainant was dismissed for gross misconduct, which occurred when she placed a plastic bag over the camera in the canteen to prevent her actions being recorded and thereby breaching the store’s honesty policy as outlined in the company handbook. The supermarket owner informed us that the operation of CCTV cameras within the retail environment was to prevent shrinkage, which can arise from customer theft, waste and staff theft. He stated that it was also used for health and safety, to counter bullying and harassment and for the overall hygiene of the canteen. In relation to the incident concerning the complainant, the owner informed us that, on the day in question, the store manager noticed some customers acting suspiciously around the off-licence area and that on the following day CCTV footage was reviewed. It was during the viewing of the footage in relation to suspicious activity in the off-licence area that he noticed the complainant putting a bag over the camera.
Following an inspection by one of our Authorised Officers, we informed the supermarket owner that, in our view, there was no justification from a security perspective for having a camera installed in the canteen area.
The complainant in this case declined an offer of an amicable resolution and she requested a formal decision of the Commissioner.
The decision by the Commissioner in January 2015 found that the supermarket contravened Section 2(1)(c)(iii) of the Data Protection Acts, 1988 and 2003, by the excessive processing of the complainant’s personal data by means of a CCTV camera in a staff canteen.
Data controllers are tempted to use personal information captured on CCTV systems for a whole range of purposes. Many businesses have justifiable reasons, usually related to security, for deploying CCTV on their premises. Any further use of the personal data captured in this way, however, is unlawful under the Data Protection Acts unless the data controller has, at a minimum, made it known at the time of recording that the images may be used for those additional purposes, and has also weighed the fundamental right of employees to privacy at work, which carries particular weight in locations such as staff canteens and changing rooms.
Covert CCTV installed without management knowledge
This Office received a complaint from staff of Letterkenny General Hospital in relation to the operation of covert CCTV surveillance by management within the Maintenance Department of Letterkenny General Hospital.
We also received a ‘Data-Breach Incident Report’ from the Health Service Executive (HSE) about this matter. This breach report recorded the incident as ‘Unauthorised CCTV Surveillance of Office Area’ and stated that a covert CCTV camera was installed by two maintenance foremen in their two-man office due to concerns they had in relation to the security of their office.
We commenced an investigation of the complaint by writing to the Health Service Executive (HSE), outlining the details of the complaint. We sought information from it in relation to the reporting arrangements between the maintenance staff in Letterkenny General Hospital and the maintenance foremen who installed the covert CCTV; the whereabouts of footage captured by the covert CCTV; the outcome of the internal investigation; how the covert CCTV was installed without notice to the management of Letterkenny General Hospital; and details of any instruction or notification issued to staff on foot of the internal investigation.
In response, the HSE stated that the foremen who had installed the camera were direct supervisors of the maintenance department staff and that the footage recorded was stored on a DVD and secured in a locked safe. It further stated that an internal investigation concluded that two staff had installed the covert CCTV without the authority, consent or knowledge of the management of Letterkenny General Hospital, due to concerns regarding unauthorised access/security in their office. We established that the camera in question was previously installed in a now disused area of the hospital, had been decommissioned and was re-installed in the office in question.
As well as confirming that the footage captured by the covert camera was of normal daily comings and goings to the maintenance office, the HSE stated that this was an unauthorised action by staff in the maintenance section and that it was keenly aware of its duty to all staff to provide a workplace free from unauthorised surveillance. The HSE confirmed that it would initiate steps to ensure that there would be no repetition of this action.
The HSE subsequently issued a written apology to the complainants in which it also confirmed that the recordings had been destroyed.
A decision of the Data Protection Commissioner issued in April 2015. In her decision, the Commissioner formed the opinion that the HSE contravened Section 2(1)(a) of the Data Protection Acts 1988 and 2003 by failing to obtain and process fairly the personal data of individuals whose images were captured and recorded by a covert CCTV camera installed without its knowledge or consent.
Covert surveillance is normally only permitted on a case-by-case basis, where the data is kept for the purpose of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This implies that a written specific policy must be put in place detailing the purpose, justification, procedures, measures and safeguards that will be implemented in respect of the covert surveillance, with the final objective being an active involvement of An Garda Síochána or other prosecutorial authority. Clearly, any decision by a data controller to install covert cameras should be taken as a last resort after the full exhaustion of all other available investigative steps.
Danske Bank erroneously shares account information with third parties
We received a complaint against Danske Bank alleging that it had disclosed personal data and account information relating to a mortgage on a property owned by the complainant to third parties. We commenced an investigation of the matter by writing to Danske Bank, outlining the details of the complaint. We received a prompt response from Danske Bank, which stated that the complainant and the individual who received his personal data were joint borrowers on certain loan facilities, and that it was during the course of email communications with the other individual in respect of that individual’s loan arrears that the personal data relating to the complainant was disclosed to two third parties. Danske Bank admitted that this was an error on its part and stated that it was unfortunate that it had occurred. It went on to explain that, in dealing with the queries raised by the other individual in respect of his arrears and entire exposure to Danske Bank, the relationship manager also included information on all arrears in respect of that individual’s connections, which included the complainant. The staff member concerned expressed his regret at the incident, and Danske Bank confirmed that the staff member had been reminded of its procedures with regard to data protection and the need to be vigilant when dealing with the personal data of customers. Danske Bank apologised for the incident and offered reassurance that it would endeavour to prevent a recurrence.
Danske Bank went on to state that it had robust controls in place to ensure that such incidents did not occur; however, it admitted that, despite such controls, this was a case of a human error and it did not believe that it was in any way intentional.
The complainant requested that the Data Protection Commissioner issue a formal decision on his complaint. A decision of the Commissioner issued in January 2015, and it stated that, following the investigation of the complaint, she was of the opinion that Danske Bank contravened Section 2(1)(d) of the Data Protection Acts 1988 and 2003 by disclosing the complainant’s personal data to a number of third parties without his knowledge or consent.
This case is illustrative of the need for financial institutions to be vigilant when dealing with the personal data of individuals who have common banking relationships with others, and to ensure that appropriate safeguards are in place to prevent accidental or erroneous sharing of personal data.
Complaint of Disclosure by Permanent TSB Not Upheld
A complaint from a customer of Permanent TSB alleged that the bank had violated the Data Protection Acts by discussing their accounts and personal details with a third party, the complainant’s tenant, thereby causing financial loss and stress.
We investigated the allegation with Permanent TSB. In response, the bank informed us that it had made no contact with residents in the properties concerned to discuss the mortgage account details of the complainant concerned. It further stated that all telephone calls received from the tenant concerned had been listened to and at no time did any staff member discuss the details of the mortgage account with her. As part of our investigation we sought a copy of the recordings of phone calls that took place between Permanent TSB and the tenant. We listened to the call recordings and we were satisfied that no personal data relating to the complainant was passed to the tenant during the phone calls with Permanent TSB. Instead, the tenant was repeatedly told that Permanent TSB could not discuss anything with her without the written authority of the account holder. In one instance, the tenant offered to give her contact number to Permanent TSB but she was informed that it was not required as Permanent TSB would not be contacting her. This Office’s investigation found no evidence that Permanent TSB disclosed any personal data relating to the complainant to the third party concerned.
In a separate aspect to the same complaint, it was alleged by the complainant that Permanent TSB had sent correspondence to a previous residential address after it had been notified of a change of address. The complainant supplied us with a copy of a letter sent by them in August 2011 notifying the bank of the new address for correspondence and we were also supplied with copies of letters sent by Permanent TSB to the previous address after that date. In response to our investigation of this matter, Permanent TSB confirmed that it had received the August 2011 letter, which notified it of the new address, but it could offer no explanation as to why its systems had not been updated at that time to reflect this. It informed us that it was not until it received a further letter in January 2012 that the system was updated. To assist with trying to resolve the complaint, the bank offered a goodwill gesture as an acknowledgement of the delay encountered and of any stress the delay may have caused, but this was rejected by the complainant.
The complainant sought a formal decision on the complaint. With regard to the failure to update the contact address, having been requested to do so in August 2011, the Commissioner formed the opinion that Permanent TSB contravened Section 2(1)(b) of the Data Protection Acts. This section obliges data controllers to comply with the requirement to keep personal data accurate and up to date.
With regard to the allegation of disclosure of the complainant’s personal data to a tenant, the Commissioner was unable to form the opinion that a contravention of the Data Protection Acts occurred in this instance.
Disclosure of Financial Information by a Credit Union
A member of a credit union complained in 2013 in relation to the alleged disclosure of his loan and savings information by the credit union to his daughter. By way of background, the complainant explained that he was a guarantor on a credit union loan to his daughter. He received a letter from the credit union to inform him of difficulties that his daughter was experiencing with her loan. The purpose of the letter was to call on him, as the loan guarantor, to pay the balance of monthly repayments. He outlined that the letter was addressed to him and that it contained his membership number along with his savings and loan details, including balance outstanding. Soon afterwards, his daughter called to his house with a copy of the same letter as the credit union had also sent it to her. The complainant said that he considered this disclosure of his financial information to be a gross violation of his privacy.
We investigated the matter with the credit union concerned. It explained that the error that led to the disclosure occurred when the letter to the guarantor was issued under the guarantor’s membership number and not under the membership number of his daughter, whose loan it referred to. It explained that the computer system automatically brings across the account details of the membership number keyed in. The credit union admitted that a member of its credit-control staff inadvertently typed the letter under the guarantor’s membership number and, as a result, his account details were printed on the letter.
The credit union proposed that, as a means of trying to reach an amicable resolution of the complaint, it would issue a letter of apology to the guarantor. It also carried out staff training in regard to issuing letters to members, in particular letters to guarantors, and it re-circulated its data-protection policy to all staff. The complainant considered the offer and rejected it. He sought a formal decision of the Data Protection Commissioner on his complaint.
In April 2014, a decision issued to the complainant. In his decision, the Commissioner formed the opinion, following the investigation of the complaint, that the credit union contravened Section 2(1)(d) of the Data Protection Acts by providing details of the complainant’s membership account to a third party by means of a letter that was copied to the third party. Section 2(1)(d) obliges data controllers, among other things, to take appropriate security measures against unauthorised disclosure of personal data.
This case highlights the serious consequences for the complainant concerned arising from what appeared to be an innocuous error on the part of the staff member typing a letter for the complainant on his own account rather than on the account of his daughter, to whom the subject matter of the letter related. It serves as a reminder to data controllers generally to keep data-protection awareness to the forefront, with regular staff training for those whose work involves any form of data processing.
Disclosure of Employee Salary Details by the HSE
An employee of the Health Service Executive (HSE) complained in March 2014 concerning the alleged disclosure on two occasions of his salary details to his ex-wife. He informed us in his complaint that the matter came to his attention when his ex-wife went to court in the summer of 2013 in relation to maintenance issues, and in court she provided exact details from his payslips. In December of the same year, his ex-wife went back to court for a review of maintenance and on that occasion she produced a copy of his P60 along with his salary details for the previous four months.
We commenced an investigation of the matter by writing to the HSE. In response, the HSE accepted that on two separate occasions, in May 2013 and in November 2013, personal data relating to its employee was disclosed to a third party without his consent. It acknowledged that there was no legal basis for the disclosure of the personal data. It stated that it established who, within the HSE, made the first disclosure but it was not possible to establish who made the second disclosure. It explained that its payroll department had received a number of court orders directing the HSE to make maintenance payments to its employee’s ex-wife. It stated that numerous queries were raised by a firm of accountants and tax professionals called Accountax on behalf of its employee’s ex-wife. Those queries sought clarifications with regards to the payments made. It went on to state that, in relation to the first breach, a specific request was made seeking a copy of its employee’s most recent payslip showing the maintenance deductions from January 2013 to date. The HSE admitted that the requests for constant updates regarding maintenance payments ultimately resulted in the unauthorised disclosure of its employee’s personal data. The HSE accepted that in hindsight the only data that should have been released by its payroll department to its employee’s ex-wife (or to a person acting on her behalf) was a summary of payments made that related to the court orders.
We informed the HSE that we considered that the Data Protection Acts were breached when the personal data of its employee was disclosed to a third party without his consent. The HSE indicated that it wished to pursue an amicable resolution to the complaint and, to this end, it enclosed a letter of apology for the complainant. The data subject considered the letter of apology and he decided that he did not wish to accept it, opting instead to seek a formal decision of the Data Protection Commissioner on his complaint.
A decision of the Data Protection Commissioner was issued in August 2014. In his decision, the Commissioner formed the opinion that the HSE contravened Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 on two occasions by the further processing of the complainant’s personal data in a manner incompatible with the purpose for which it had been obtained. These contraventions occurred in May 2013 and in November 2013 when the HSE disclosed his personal information to a third party. Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 provides that data shall not be further processed in a manner incompatible with the purpose for which it was obtained. In this case, the HSE acknowledged that on two separate occasions the personal data was disclosed to a third party without the consent or knowledge of the data subject. Such disclosures constitute further processing of personal data.
Doctor discloses sensitive personal data to insurance company without consent
This Office received a complaint from a solicitor acting on behalf of a data subject concerning the alleged further processing of the complainant’s personal data contained in medical records held by her General Practitioner (GP). It was alleged that medical records relating to the complainant were released to an insurance company by her GP, following a request made to the GP. The complaint stated that the GP had received a request from an insurance company seeking the complainant’s medical records relating to a knee injury she had suffered. It was alleged that, in replying to this request, the GP not only released data relevant to the knee injury, but he also disclosed other sensitive medical information – including cervical smear test results, a colposcopy, correspondence regarding lesions and records relating to Carpal Tunnel Syndrome, none of which were related to the knee injury.
We wrote to the GP and we asked that he provide an explanation as to what had occurred in this case. He responded stating that an insurance company had requested relevant information with respect to the patient concerned and her knee injury. He informed us that the request received stated that it ‘required copies of clinical consultations / surgery notes, investigations and associated results, treatments, referrals, outpatient appointments and repeat prescriptions from 18.2.2009 to the present date’. He stated that, inadvertently, copies of the patient’s records were supplied to the insurance company with some details which were not relevant to her knee injury and that this was obviously an oversight. He stated that he was deeply sorry that he had caused any distress or upset to his patient, whom he had known for thirty-five years. The GP stated that the complainant knew that he always endeavoured to keep a high standard in the practice and that she should understand his disappointment that the system used in releasing this information fell below the standard expected by the complainant and himself. He further stated that he hoped that she would accept his unreserved apology for the inadvertent disclosure of her records to the insurance company and that he completely understood how upset and disappointed she must be. He said that since this unpleasant and unfortunate error he had overhauled his practice procedures.
We wrote to the solicitor for the complainant outlining the GP’s response and also conveying the GP’s apologies. We stated that this Office’s approach to complaints is to try to seek an amicable resolution to the matter which is the subject of the complaint and we asked if his client would like to try to reach an amicable resolution of the complaint. They responded stating that their client wished for a formal decision of the Commissioner on the matter.
In considering this case, the key issue from a data protection perspective was the issue of consent. It was noted from the material provided that the complainant had completed and signed an insurance claim form which contained the following consent clause: “I authorise Financial Insurance Company Limited (the Underwriters) to make any enquiries and get any information they consider relevant from my doctor, employers or elsewhere. I understand that I must provide evidence to Financial Insurance Company Limited to prove my claim.” On the same claim form, the complainant supplied details of her accident and explained, as follows, why it prevented her from working: “Left knee injury. Tore Ligaments. Recovery Time Unknown. Waiting for Knee Surgery. On Waiting List.”
The insurance company concerned had sought the complainant’s medical records, supplied the relevant consent form and used the following terms in its request to the GP: “Can you please provide us with copies of the claimant’s medical records relevant to this claim. This includes all records relating to the medical conditions and associated symptoms which are the subject of this claim.”
It was clear from the insurance company’s request for medical records that it sought medical records relevant to the claim only. As the claim related to the complainant’s knee injury, the medical records sought related to that injury and the request did not extend beyond that. Equally, the complainant’s consent authorised the insurance company to make enquiries and to get any information considered relevant from her doctor and others. The consent was clearly limited to relevant information and it could not be interpreted as extending to all medical records held by the GP.
This Office issued a decision on this complaint which stated that the Commissioner was of the opinion, following the investigation of this complaint, that Section 2(1)(c)(ii) of the Data Protection Acts 1988 & 2003 had been contravened by the GP by the further processing of the complainant’s sensitive personal data in the form of medical records unrelated to her knee injury. The contravention occurred when the GP, in responding to a request from an insurance company, disclosed to that insurance company certain medical records of the complainant without her consent.
Customer information disclosed by phone retailer
This Office received a complaint from a solicitor acting on behalf of a data subject alleging a data breach which occurred at the Carphone Warehouse following the theft of the data subject’s mobile phone. It stated that the data subject’s mobile phone had been stolen while she was out shopping and that the incident had been immediately notified to An Garda Síochána, who traced the mobile phone to a park in the town where it had been stolen. However, the mobile phone had not been recovered at that time. The complaint stated that, on the following day, two individuals arrived at the data subject’s isolated family home with the stolen mobile phone and they sought a reward for finding it. The complaint stated that the data subject handed over €50 and the stolen mobile phone was returned to her albeit damaged in what seemed to be an effort to extract the SIM card.
The complaint further stated that, shortly after this incident, the data subject contacted her local branch of Carphone Warehouse and was informed that two people had called there claiming that they had found the stolen mobile phone and that they were looking for contact details of the owner in order to return it. The complaint alleged that the Carphone Warehouse employee gave these two people the owner’s name and address. The complaint stated that the data subject was in contact with both local and regional management of the Carphone Warehouse but she considered that they failed to grasp the seriousness of the situation. She was offered a new mobile phone plus a written apology from Carphone Warehouse but she declined to accept this offer.
We commenced our investigation into this matter by contacting Carphone Warehouse and outlining the details of the complaint. We asked it to explain how the complainant’s personal data was allegedly disclosed in the manner outlined in the complaint.
We received a reply from Carphone Warehouse which stated that, on the evening concerned, two people presented to one of its stores with a handset which they claimed their daughter had found and which they were seeking to return to the rightful owner. The staff member in the store at the time was a trainee who initially recommended that they present the handset to the local Garda Station. However, the people said that they wanted to be sure that the person received their handset. Carphone Warehouse stated that the staff member then disclosed the owner’s address so that the handset could be returned, mistakenly thinking that he was assisting the customer. It acknowledged that this was an obvious and serious breach of its policies and procedures. It stated that it conducted a full investigation, including a formal interview with the staff member and identified that this was very poor judgement but in no way malicious as the staff member had nothing to gain personally from this action. It acknowledged that this in no way took from the severity of the breach but was factored into its internal actions for the staff member in question. Carphone Warehouse stated that it would again like to express its sincerest apologies to the data subject and it also offered to replace the customer’s handset and provide an additional payment of €100.
Following on from this correspondence, we wrote to the solicitor for the data subject stating that it was the view of this Office that Carphone Warehouse had contravened the Data Protection Acts in terms of how the data subject’s details were disclosed by its employee. We also stated that, as provided for under the Acts, it was our aim to amicably resolve complaints and to this end we stated that Carphone Warehouse had offered its sincere apologies, offered to replace the complainant’s mobile phone with a new one at a cost of €500 and offered a gesture of €100.
In response, we were informed that the data subject was not willing to accept the offer of an amicable resolution to her complaint made by Carphone Warehouse and a formal decision was required.
A decision issued on this complaint which stated that the Commissioner was of the opinion, following the investigation of the complaint, that Carphone Warehouse contravened Section 2(1)(c)(ii) of the Data Protection Acts 1988 & 2003 by disclosing the data subject’s personal data to a third party without her knowledge or consent. This contravention occurred when the personal data of the complainant was disclosed by Carphone Warehouse to a third party or parties without her knowledge or consent.
A key principle of data protection is that personal data should be kept safe and secure and not be disclosed to unauthorised third parties. The actions of the Carphone Warehouse employee in this case in disclosing the data subject’s address to strangers resulted in considerable distress for the data subject. Despite initially telling the individuals who were in possession of the mobile phone to present it to An Garda Síochána, which was the correct procedure for such cases, he then proceeded to disclose the data subject’s personal information to third parties. Regardless of the fact that the employee concerned was a trainee, this disclosure should not have happened. Data controllers should be vigilant at all times to ensure that appropriate procedures are in place to prevent disclosure of personal data to third parties and that all employees abide by them.
Health Service Executive
In February, the Health Service Executive (HSE) reported to this Office a data security breach involving the disclosure of patient data to a third party. Documents which were faxed to the Assisted Admissions Services from a number of Mental Health Services were faxed to a private company in error. The company alerted the HSE to the issue, stating that it had received approximately 100 such faxes over a 3-year period. It had destroyed each fax as received but had not alerted the HSE to the issue until that point. The company stated that it had 20 such faxes in its possession which it had recently received, and the HSE immediately organised to collect these documents from the company.
The HSE employs a third party company to provide assisted admissions services in certain geographic areas. The issue arose when staff entered the wrong fax number when sending such faxes, dialling the Dublin area code rather than the correct county area code.
This Office notified the HSE of its alarm at the fact that this type of breach was occurring, especially in light of previous communications with the HSE regarding the sending of sensitive data by fax. This Office had recommended a number of measures, including that the sender should first contact the recipient so that the recipient is expecting the fax, and that the sender should ensure that the fax number is dialled correctly. The HSE responded to this Office notifying that the investigation into the matter had been escalated to its National Incident Management Team. The HSE stated that it was pre-programming the number of the Assisted Admissions Unit into all relevant fax machines. Old fax machines were replaced and additional machines provided in areas that did not have specific access to a fax machine.
The issue appeared to have been addressed until the HSE notified this Office in August of another such incident. The HSE notified this Office that the pre-programmed number on the relevant fax machine had disappeared from the pre-programmed number list. The HSE further informed us that it was now introducing a specific 1800 fax number for the Assisted Admissions Unit. It has also changed the number dialled to access an outside line from zero to nine, to reduce the risk of an individual mis-dialling a number. This Office also advised that a sticker with the fax number of the Assisted Admissions Unit be placed on each fax machine. The HSE policy document in relation to the use of fax machines has also been displayed beside each fax machine within the HSE.
We were disappointed that this issue arose in the first instance, especially in light of previous communications with the HSE, and to then have it reoccur during the year, after the HSE had introduced preventative measures. It is apparent that staff were not adhering to the procedures which had been introduced. This issue highlights that, while data controllers can put in place systems to address potential data protection matters, all staff must be properly informed of the procedures being introduced and adhere to them.
Allied Irish Banks – postal breaches
During the Office’s investigation into the cause of postal breaches, it was identified that a significant proportion of Allied Irish Banks’ (AIB) breach notifications were the result of changes of address not being fully processed. We contacted AIB to raise the issue and to seek a solution. The response from AIB showed the seriousness with which it treated the matter, including bringing this matter to the attention of its Board Risk Committee.
AIB stated that it deals with, on average, 240,000 address amendments each year. However, almost one third of the notifications made by AIB to this Office were the result of errors made in the processing of such requests.
AIB, on foot of contact from this Office, carried out a comprehensive analysis of each incident to establish the cause of the error. AIB has now notified us of the procedures it is putting in place to address this issue.
AIB is to introduce a number of measures including the introduction of a “Self-Service Change of Address” facility on its internet banking portal to allow account holders to amend or change their address on accounts held solely in their name. A central unit to process address amendment requests is also to be established. It is proposed that change of address notifications will first be directed towards the self-service facility, but where this is not an option or appropriate, the notification will be forwarded to the central unit for processing.
AIB has also informed us of a number of additional steps that it will be taking immediately, including a number of training and briefing sessions to all its staff and the introduction of additional internal controls.
This Office welcomes the steps being taken by AIB to address this issue. We will monitor the effects of these new procedures, and it is expected that they will lead to a significant reduction in the number of such data breach notifications that need to be made to the Office.
Case Study 16: Major Retailer – Credit card slips discarded
Early in the year, the Office received calls from two individuals reporting that there were credit card receipts littering a housing estate. The individuals had collected some of the receipts and were able to identify the retailer and the branch involved. We immediately contacted the retailer to advise it of the matter and to ensure that it sent staff to the area without delay to recover the receipts.
The Retailer later notified this Office that the issue occurred when an envelope containing customer-signed credit card receipts was put out for recycling rather than being securely destroyed. The envelope was then left out overnight in the store’s recycling bin. It is assumed that a passer-by searched through the bin, found and took the envelope. The individual then discarded the contents of the envelope a distance away from the store.
The Retailer, in an effort to recover the credit card slips, had staff search the locality in which the slips were seen and call to houses to recover any slips that may have been collected by individuals. The Retailer retrieved 500 credit card slips and was able to determine the period in which the relevant purchases had been made. We queried the total number of slips that had been collected by the Retailer in this period.
It was determined that there was a balance of 200 receipt slips unaccounted for. Of the 500 recovered by the Retailer, many had been damaged by the inclement weather at the time and the details of the card holder could not be identified.
In dealing with such data security breaches, this Office employs a three-pronged approach. Firstly, we recommend that the affected individuals be notified of the matter. Secondly, the data controller should take steps to recover or secure the data. Finally, the data controller must put in place procedures to prevent a repeat of the issue.
In this case, the Retailer would not have the contact details of the affected individuals, nor was it in a position to identify all the affected individuals. The Retailer therefore contacted its service providers who process the credit and debit card payments. The card processing companies were able to identify the 700 customers involved. It was not appropriate for the card processing companies to supply the contact details to the Retailer and the card processing companies stated that in circumstances such as this it was their practice to monitor accounts for potential fraudulent activity, but not notify the cardholders directly. It was therefore agreed to proceed on this basis, the Retailer bearing all charges associated with this monitoring.
The Retailer, in attempting to secure the data, assigned considerable resources to searching the area in which the receipt slips were discarded and canvassing local houses. As noted above, this resulted in 500 of the 700 slips being recovered.
The Retailer notified my Office of the new procedures it was employing to prevent a repeat of this incident. A review of all confidential information held in stores was carried out and a special collection was arranged from all stores for the disposal of such information. A notification was issued to all staff reminding them of the need to securely store or destroy such confidential material. The Retailer’s Data Protection Policy and disposal policy were also updated.
We had also identified that the receipts being printed by the Retailer contained the full card number and start and expiry date of the card. We brought this issue to the attention of the Retailer, raising concerns with such a practice. The Retailer confirmed to this Office that it was changing its practice and future receipts would be printed with only part of the card number visible.
Customer Data Transfer for Waste Collection Service in Dublin
In January 2012 the Office received several complaints and enquiries from citizens of the Dublin City Council area after they received a letter notifying them that Dublin City Council and Greyhound Recycling and Recovery had reached agreement on the sale of the Council’s commercial and domestic waste collection business to Greyhound Recycling and Recovery. The letter indicated that Greyhound Recycling and Recovery would take over control of bin collections for the Council’s 140,000 customers on 16 January, 2012 and that from that date the Council would officially transfer its waste collection business to Greyhound Recycling and Recovery.
It went on to outline the annual service charge and lift fees which would apply to the service. It also gave details of the methods of payment and it included a customer payment card with a customer account number for the new Greyhound account. The letter also stated that the final City Council bill for the period ending on 13 January, 2012 would be issued and the revenue collected on behalf of the City Council by Greyhound Recycling and Recovery which would also collect any outstanding arrears on behalf of the City Council. Complainants to this Office expressed concerns in particular about the transfer of their personal data by Dublin City Council to a private company without their knowledge or consent.
We conducted a comprehensive investigation which focussed on both the transfer of customer data from Dublin City Council to Greyhound and the collection of Dublin City Council customer debts by Greyhound.
The transfer of customer data from Dublin City Council to Greyhound.
Our investigation concluded that the core elements of the sale of the business did not breach the Data Protection Acts. We established that the customer data transfer from Dublin City Council took place between 22 and 23 December, 2011. We noted that a notification letter regarding the new service provider was sent to customers of Dublin City Council in the first half of January 2012. The notification letter to customers should have taken place at a much earlier stage.
By notifying customers of their new service provider simultaneously with the completion of the sale, but after the data transfer had occurred, it was not possible for the Office to come to the view that the “fair processing” requirements of the Data Protection Acts 1988 & 2003 were fully met by Dublin City Council in this instance.
Dublin City Council agreed, in light of this experience, that in the event that any similar situation arises in the future, it will seek to comply with all relevant published Office of the Data Protection Commissioner guidance in relation to such matters in being at that time unless it obtains confirmation from this Office that compliance does not arise in a particular circumstance.
The collection of Dublin City Council customer debts by Greyhound.
Our investigation found that no transfer of personal data from Dublin City Council to Greyhound in respect of the collection of Dublin City Council customer debts had taken place. This was confirmed by the Office by way of an unannounced inspection at the premises of Greyhound and its agents on 26 January 2012. This inspection confirmed that only name, address and whether a household was entitled to a waiver were transferred to Greyhound.
We agreed with Dublin City Council and Greyhound that the customers of Dublin City Council and the customers of Greyhound must be assured that robust controls are in place at Greyhound to guard against any possibility of the cross-pollination of debt collection information handled on behalf of Dublin City Council with personal data handled by Greyhound in the normal course of its waste collection activities. Accordingly, the following undertakings were agreed before any debt collection data was transferred from Dublin City Council:
Staff at Greyhound or its agents who handle personal data in the context of debt collection for Dublin City Council will not have access to any personal data held in the context of Greyhound’s waste collection business, and vice versa.
The debt collection database held on behalf of Dublin City Council by Greyhound and/or its agent to be separate and distinct from all other aspects of Greyhound’s waste collection business. All access and use of the personal data held on behalf of Dublin City Council to be auditable and verifiable via specific usernames and passwords.
An audit procedure to be put in place by Dublin City Council to ensure that Greyhound, as a data processor on behalf of Dublin City Council, is fully compliant with all aspects of its data protection responsibilities as a data processor. An initial audit will take place within six months of the commencement of the debt collection function.
The terms of the audit to be agreed with this Office. This audit will be conducted by a competent third party auditor to be agreed with this Office. Further audits will be scheduled on an annual basis (for so long as Greyhound are acting as a data processor on behalf of Dublin City Council in relation to customer debt collection in respect of outstanding waste collection charges). This Office will be supplied with a copy of each audit report.
This case serves to highlight the steps which must be followed and the considerations which must be given to the procedures which need to be put in place when customer data transfers are envisaged in the context of the sale or transfer of a business. A guidance note on “Transfer of ownership of a Business” is published on our website and we recommend that data controllers pay close attention to it in such circumstances.
Outstanding debt details legitimately passed on to debt collection agency
In January 2012, the Office received a complaint from an individual alleging that her personal data had been unfairly processed by the telecommunications company Hutchison 3G Ireland (Three). The complainant alleged that her personal data had been passed by Three to a debt collection agency without her consent.
The complainant informed us that she had entered into a twelve-month broadband contract with Three and paid for the service by direct debit. She informed us that after the twelve months had expired, she cancelled her direct debit for payment of the service as she considered the contract was up. She stated that she also contacted Three to cancel her contract. The complainant alleged that she began to receive phone calls from Three querying the cancellation of her direct debit and in relation to an outstanding debt on her account. The complainant further informed us that, despite her communications with Three in relation to the matter, a number of months later she received a letter from a debt collection agency regarding her debt to Three.
This matter was raised with Three and in its response, it informed us that the complainant had originally signed up for a twelve-month minimum term contract. It also informed us that all of Three’s minimum term contracts remain in place following the expiry of the minimum term, which is standard in the industry.
According to Three, under the terms of its customer contracts, if a customer wishes to cancel a contract, they must provide thirty days’ written notice. In this case, Three informed us that the complainant continued to use the account long after the minimum term of twelve months had expired. Three further informed us that the complainant cancelled her direct debit payment for the broadband service prior to her cancellation of the contract and it sought to recoup the monies owed in respect of the broadband usage which occurred after the direct debit had been cancelled.
It also informed us that, in accordance with its normal debt collection process, it issued the account of the complainant to a debt collection agency. Three’s terms and conditions clearly stated that it may use and share customer details for the collection of any debts on an account and that this may include the use of debt collection agencies to collect debts on its behalf. In this case, Three used a debt collection agency to obtain repayment of the complainant’s debt.
It was our view, following the investigation of this complaint, that Three did not unfairly process the complainant’s personal data when it passed her details to a debt collection agency in order to have any outstanding debt collected.
This case study highlights that it is vital, when individuals are signing up to contracts with any company, that they are fully aware of what they are signing up to. The terms and conditions of a contract should always be read and fully understood before committing to it.
Customer data legitimately passed from car dealership to new buyer.
In November 2010 I received two complaints from individuals who had received direct marketing text messages from a car dealership promoting special offers. Both of the complainants had previously purchased cars from a firm which had since ceased trading. Since closure, some of the sales team had become involved with the new car dealership which was now the subject of the complaint to my Office. Neither complainant had consented to receiving direct marketing text messages from the new dealership.
As part of the investigation of these complaints, my Office contacted the new dealership to obtain details, if any, of the consent it had in place to send the text messages to the complainants. In its response, the dealership informed us that it had purchased the previous dealership from the liquidator and it had taken over the existing premises, staff, equipment, stock, etc. From this purchase it had obtained the full database of previous customers. The contact details of both complainants were contained within this database. As customers of the previous business, both complainants had opted in to receive marketing messages at the time of their car purchase and/or car service. The dealership confirmed that it had now unsubscribed both customers from its database so they would no longer receive any future marketing messages. It also offered an apology to both complainants for any confusion caused.
Where a company purchases a business from a liquidator, it is likely that, in circumstances where the customer data is to be used by the purchaser for the same purposes as the previous owner used it, no data protection concern would arise. If the customer data were to be considered for use for another purpose, the liquidator would need to obtain opt-in consent from the customers on the database before passing on their personal information to the new buyer. In the above case the customer data was used by the new buyer for the same purpose as previously, so no breach of the Data Protection Acts arose.
Veterinary practice discloses dog owner’s personal data
In October 2010 I received a complaint from an individual who alleged that a veterinary practice had disclosed her personal information, i.e. her name and address details, to a third party, namely the original owner of a stray dog that she was now in possession of. In her complaint she explained that when the dog was found its original owner had been contacted using the information logged in connection with its identity microchip and that he had indicated that he did not want the dog returned. Following this, she said that the microchip and ownership details of the dog were transferred to her. She indicated that all of these matters were conducted by her local vet (who was not the subject of this complaint). The complainant stated that she subsequently received a letter addressed to her at her home address from the dog’s original owner. This letter included a request by the previous owner to meet with her and the dog and it enclosed records of the dog’s medical history as compiled by the previous veterinary practice which the dog had attended. The complainant alleged that the previous veterinary practice had breached her data protection rights by disclosing her name and address to the original owner of the dog.
This matter was investigated with the veterinary practice complained of and we sought an explanation for the alleged disclosure of personal data. The veterinary practice acknowledged that it had searched for the new owner’s contact details and had given them to the previous owner. This arose when the previous owner told the practice that he had re-homed the dog, that he wanted to check to see if the new owner had re-registered the microchip in their own name and to ensure that it was no longer registered in his name. The veterinary practice took this to be a reasonable request and it accepted its bona fides. On being notified of our investigation, the veterinary practice realised that the original owner had misrepresented the purpose of his request for information. The new owner’s details were not held on the database of the veterinary practice concerned as she was not their client. Instead, the veterinary practice carried out a search using the dog’s microchip number on the website www.fido.ie – which is a database of microchipped pets to which veterinary surgeons have access. Having found on the website that the dog’s microchip was no longer registered to the previous owner, the veterinary practice informed the previous owner accordingly and, in that context, it also disclosed the name and address of the new owner.
The veterinary practice said that it was sorry if its actions had created a situation which caused upset to the complainant and stated that it would not have happened had it been advised truthfully of the situation. It stated that as a result of this complaint all staff at the practice are now thoroughly aware of the need for protection of personal data.
This complaint demonstrates the need for data controllers to be aware of their data protection responsibilities, regardless of the situation presented to them. This disclosure of personal data could have been avoided had the veterinary practice simply informed its client that the dog’s microchip was no longer registered in his name. There was no justification in this instance for the disclosure of the new owner’s name and address details. Data controllers must exercise great caution where they receive requests for personal data of individuals that they are able to access, irrespective of the credibility of the case presented to them by the requester. Having said that, we are entirely satisfied that the veterinary practice acted in good faith based on the information provided to it by the dog’s previous owner. Equally, there was no suggestion during the investigation of the complaint that the dog’s previous owner was seeking to act in any untoward manner in relation to the dog’s new owner or the dog, but rather was simply seeking to arrange contact with his former pet.
Disclosure of personal data due to inappropriate security measures
In August 2008, I received a complaint regarding the alleged disclosure of personal information by an airline. The complainant to my Office stated that in June 2008, in response to a phone call, the airline disclosed by email a travel itinerary for herself and her husband to her husband’s employer and on foot of this disclosure, her husband was dismissed from his employment. The complainant stated that her husband’s employer had made a written statement to the effect that the email in question was disclosed by the airline on the provision of a surname only. A copy of this statement was provided to my Office.
In the course of this investigation, the airline informed my Office that security questions were asked prior to the email in question being issued to the third party. It did not dispute that it sent the email. However, as the airline did not record the telephone call requesting the information, nor were its security questions system-prompted and logged, it was not able to provide any evidence to prove that the appropriate security questions were asked in this instance. My Office also took into consideration that the booking was made from the complainant’s own computer using a personal email address rather than from an email address at her husband’s workplace.
On the basis of the information presented, together with the fact that the airline could not provide evidence that its own security measures were in fact used on this occasion, I arrived at the decision, following the investigation of this complaint, that the airline had contravened Section 2(1)(c)(ii) by further processing the complainant’s personal data and that of her husband when it disclosed to her husband’s employer their travel itinerary in an email. It also contravened Section 2(1)(d) by failing to have in place appropriate security measures to prevent the unauthorised disclosure of her personal information and that of her husband.
The security-related issues highlighted by this complainant have been the subject of extensive engagement by this Office with the airline which, following this complaint, examined ways to enhance its security in relation to the handling of enquiries such as this.
This complaint clearly demonstrates the need for data controllers to have controls in place to prevent the disclosure of personal data. It is not sufficient to rely solely on the word of staff that they will ask the appropriate security questions in all instances, particularly in circumstances such as this where an individual deliberately seeks to obtain personal data which they are clearly not entitled to receive.
Disclosure of personal details by a local authority on its website
I received a complaint from a member of the public towards the end of 2008 regarding the disclosure of personal data submitted as part of an application for planning permission to a local authority.
Background
(i) In the latter part of 2006, my Office entered into discussions with the Department of the Environment, Heritage and Local Government in an effort to establish an appropriate balance between an open and transparent planning system and the rights of individuals to privacy and data protection. Following these discussions, the Minister for Environment, Heritage and Local Government signed the Planning and Development Regulations 2007 (SI 135 of 2007). Amongst other things, these regulations introduced an amended planning application form. The amended form re-arranged the address/contact details section from the front of the form to a detachable page at the rear of the form to ensure that these personal details could be removed prior to the publishing of planning applications on the planning authority’s website.
(ii) The Department of the Environment, Heritage and Local Government also issued Development Management Guidelines for planning authorities which, among other things, recommended the use of a Robots Exclusion Protocol (a simple protocol: when it is placed on a web page, reputable search engines do not index that page for inclusion in search results) by all planning authorities in relation to planning application data on their websites, to protect personal data on those websites from search engine access.
Complaint
In this case, the complainant completed the planning application form and provided the planning authority with his contact details on the detachable part of the form. However, the information supplied in this section was subsequently made available to the public on the local authority’s website.
My Office contacted the local authority involved and asked it for its comments on what led to the publication of the contact details on the website and if it had implemented a Robots Exclusion Protocol to prevent personal data appearing on search engines.
In reply, the local authority informed my Office that, on this occasion, the procedures it had in place to comply with the data protection requirements did not operate and that, as the procedures were relatively new, the physical removal of the contact details portion of the planning application form was overlooked. It also indicated that the procedures had since been strengthened to ensure compliance with the data protection requirements. The response also indicated that the local authority had not yet implemented a Robots Exclusion Protocol and that it was currently being considered. At that point, my Office made it clear to the local authority that, given the passage of time since the Department had published its Development Management Guidelines in 2007, we found it unacceptable that a Robots Exclusion Protocol had not yet been put in place. We pointed out that by not having it in place, the personal information of individuals making planning applications continued to be at risk of being picked up by search engines when the applications were uploaded onto the website. The local authority was instructed by my Office to put in place a Robots Exclusion Protocol immediately and, failing that, I would use whatever legal powers I deemed necessary to protect the personal data of those individuals who submit planning applications to that local authority. My Office subsequently received confirmation from the local authority that a Robots Exclusion Protocol had been put in place.
The complainant in this case requested a formal decision under Section 10 of the Acts. My decision found that the local authority had contravened Section 2(1)(d) of the Data Protection Acts when it published, on its website, the contact details which the planning applicant had submitted on part of the planning application form. It breached this requirement by not having in place appropriate measures to prevent the unauthorised disclosure of the planning applicant’s contact details.
This case demonstrates the need for local authorities to be extra vigilant when uploading planning applications to their websites to ensure that only the information required by law to be made publicly available is published in this way. In addition, having a Robots Exclusion Protocol or similar in place guards against the risk of the planning applications themselves being captured by search engines.
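The Robots Exclusion Protocol recommended in the Development Management Guidelines is honoured by the crawler rather than enforced by the website, which is why the case above treats it as a guard against search engine capture and not as a substitute for removing the detachable contact page before upload. The following Python is an added example and not code from this Office, the Department or any local authority; the portal hostname, URL paths, robots.txt text and sample pages are constructed for illustration, and it evaluates both halves of the protocol (the site-level robots.txt and the per-page robots meta tag) as a compliant crawler would.

```python
"""Added example for the Robots Exclusion Protocol case: work out what a
well-behaved crawler would still fetch and index on a hypothetical planning
portal, so a data controller can check its own exclusion rules before upload.

Illustrative code only; it is not code from the Office, the Department or
any local authority. The hostname, paths and page bodies are constructed.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed hostname for the hypothetical planning portal.
PORTAL = "https://planning.example.ie"

# Constructed robots.txt: keep planning-application documents and the
# application search out of search engine indexes, leave the rest crawlable.
# Compliance is voluntary on the crawler's side, so this is a guard against
# indexing by reputable search engines, not an access control.
PLANNING_ROBOTS_TXT = """\
User-agent: *
Disallow: /planning/applications/
Disallow: /planning/search
"""


def load_rules(robots_txt: str, base_url: str = PORTAL) -> RobotFileParser:
    """Parse robots.txt text the way a crawler does, without fetching it."""
    rp = RobotFileParser()
    rp.set_url(base_url + "/robots.txt")
    rp.parse(robots_txt.splitlines())
    return rp


def crawler_may_fetch(rp: RobotFileParser, url: str, user_agent: str = "*") -> bool:
    """True if a compliant crawler identifying as user_agent may fetch url."""
    return rp.can_fetch(user_agent, url)


class _RobotsMetaParser(HTMLParser):
    """Collect directives from <meta name="robots" content="..."> tags.

    The meta tag is the per-page half of the protocol: it covers a page that
    robots.txt leaves crawlable but which should still not be indexed.
    """

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lower-cases tag names
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("name", "").strip().lower() == "robots":
            self.directives.extend(
                d.strip().lower() for d in attr.get("content", "").split(",")
            )


def page_requests_noindex(html: str) -> bool:
    """True if the page itself asks search engines not to index it."""
    parser = _RobotsMetaParser()
    parser.feed(html)
    return "noindex" in parser.directives or "none" in parser.directives


def exposed_pages(rp: RobotFileParser, pages: dict, user_agent: str = "*") -> list:
    """Return the URLs a compliant crawler could both fetch and index.

    pages maps URL -> HTML body. A URL is exposed only if robots.txt allows
    the fetch AND the page carries no noindex directive.
    """
    return [
        url
        for url, html in pages.items()
        if crawler_may_fetch(rp, url, user_agent) and not page_requests_noindex(html)
    ]


# Constructed sample pages for the hypothetical portal.
SAMPLE_PAGES = {
    PORTAL + "/planning/applications/08-1234/form.html":
        "<html><head><title>Application form</title></head>"
        "<body>Form scan (contact page must be removed before upload)</body></html>",
    PORTAL + "/planning/decisions/08-1234.html":
        '<html><head><meta name="robots" content="noindex, nofollow">'
        "</head><body>Decision notice</body></html>",
    PORTAL + "/news/index.html":
        "<html><head><title>Council news</title></head><body>News</body></html>",
}


if __name__ == "__main__":
    rules = load_rules(PLANNING_ROBOTS_TXT)
    for url in exposed_pages(rules, SAMPLE_PAGES):
        print("indexable by compliant crawlers:", url)
```

Only the news page remains indexable in the sample: the application document is excluded by robots.txt and the decision notice by its meta tag, but neither mechanism stops a crawler that chooses to ignore the protocol, so removing the contact page before upload remains the primary control.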
Paternity test result sent to the wrong address
My Office received a complaint in April 2009 from an individual concerning the disclosure of sensitive personal information by a data controller who provides paternity testing services.
The background to the complaint is that a DNA kit was ordered from the data controller, which duly arrived at the correct address, swabs were taken and the kit was returned to the data controller the next day. However, after a period of time had elapsed and as the test result was not forthcoming, the individual concerned phoned the data controller on 30th March 2009, to be informed that the test result had been posted on Friday 27th March. When the result had still not arrived the following day, the individual concerned again phoned the data controller and at that stage asked that it trace where the test result had been posted to. The data controller stated that the result had been posted to number 83 of a particular housing estate. However, the address of the individual concerned was number 82. When contact was made with the occupants of number 83 on this matter, they dropped the already opened envelope through the letter box of number 82.
My Office commenced the investigation of this complaint by informing the data controller that Section 2 of the Data Protection Acts 1988 and 2003 imposes responsibilities and obligations on data controllers regarding the collection, processing, keeping, use, disclosure and security of personal data. We also pointed out that medical data constitutes sensitive personal data under the Acts and we asked for an explanation as to how this sensitive personal information was issued to the incorrect address, despite the original DNA kit being posted to the correct address.
In its response the data controller stated that in normal circumstances addresses are printed from its system on to labels which are then placed on the envelope. On the said day, its system was not functioning properly and because of that it entered addresses manually. Due to human error, the person writing the address put the number 83 on the envelope instead of 82, despite the fact that the records held the accurate address. It said that it was confident that the error was a one-off occurrence. The data controller also conveyed its apologies to the individual concerned for any inconvenience caused and it offered to provide a full refund of the fee involved in order to amicably resolve the matter. This offer was accepted by the individual concerned and the complaint was resolved on this basis.
This complaint illustrates the need for data controllers to be vigilant at all times with regard to the processing of personal data. While the data controller may have had an appropriate electronic system in place to ensure that letters were properly addressed to its clients, the fall-back manual process which came into play when the electronic system was out of commission failed in this case, leading to the disclosure of sensitive personal data. While the data controller put the incident down to human error, the consequence of not having any double-checking in the manual process was a disclosure of sensitive personal information and a breach of the Data Protection Acts. This breach understandably caused great upset to the affected individual whose test result was disclosed to a neighbour.
Use of postcards to communicate with customers regarding overdue account
In July 2009 I received a complaint from a data subject concerning a company communicating with him via postcard to inform him that his account was overdue. The company communicated with him twice via a pre-printed postcard marked ‘Urgent Overdue Account’ in white print on a red background. The postcards were delivered to the customer’s address through the normal postal system.
The data subject pointed out to my Office that these postcards had come through the postal system and had potentially been seen by staff in the sorting office, staff in the local general post office, staff in the local post office (which is in a small rural area) and the postman. He also pointed out that the bright red design of the cards and the large print on them made it very easy for postal staff handling them to see and read their contents. The data subject also told my Office of the embarrassment caused to him and his wife as a result of the sending of the postcards through the postal system, as the postman who delivered them was a neighbour of his.
My Office contacted the company and informed it that the sending of information on a postcard to the data subject regarding his overdue account constituted a disclosure of his personal information and that such a practice was in breach of the Data Protection Acts, 1988 and 2003. We requested that the company confirm to us that they would immediately and voluntarily cease this practice.
The company responded to my Office promptly and informed us that it had taken verbal legal advice before sending the postcards and that it was not aware that it was in breach of the Acts. It confirmed that it would immediately and voluntarily cease sending such postcards to customers whose accounts are overdue. My Office received full cooperation from the company throughout our investigation of this matter.
We attempted to arrange an amicable resolution of this complaint, as the law obliges us to do in the first instance, but our efforts in that regard did not succeed. The data subject then requested a formal decision of the Data Protection Commissioner on his complaint.
In November 2009 I issued my decision on this complaint. I informed the data subject that following my Office’s investigation of his complaint I was of the opinion that the company twice contravened Section 2(1)(d) of the Data Protection Acts, 1988 and 2003 by failing to take appropriate security measures against disclosure of his personal data. These contraventions occurred when it issued two postcards to him in the postal system, each of which contained personal data.
This case demonstrates the need for data controllers to exercise great care in their handling of personal data and to refrain from actions which might compromise that data from a security perspective. While I appreciate that businesses need to pursue their customers for overdue accounts, they are obliged to comply with the law in doing so. Disclosing the fact of an overdue account on a postcard sent to a customer is a clear infringement of the Data Protection Acts and it should not happen.
On a more general level, data controllers who use postcards for whatever purpose should ensure that the message conveyed on them does not involve the processing of personal data. Convenience must not be put before security of personal data in such cases. I would strongly encourage any data controller whose practice it is to use postcards to re-examine such practices from the perspective of their legal obligations regarding security measures for the processing of personal data. The key message to be taken from this case study is ‘think data security before convenience.’
HSE West and a consultant ophthalmic surgeon breach the Acts
I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller. The data subject was involved in an insurance action with a third party in relation to an eye injury. The third party’s insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in Limerick. The consultant was also a consultant ophthalmic surgeon at the Mid-Western Regional Hospital in Limerick. The data subject had previously attended another consultant ophthalmic surgeon at the Mid-Western Regional Hospital as a public patient in relation to his eye injury.
The complaint was twofold. The first aspect related to the alleged release of the data subject’s hospital chart by the Mid-Western Regional Hospital to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice. It was alleged that this took place without the data subject’s consent. The second aspect of the complaint related to the alleged unfair obtaining of the data subject’s hospital chart by the consultant ophthalmic surgeon.
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted ‘sensitive personal data’ as defined in the Acts. The central issue to be considered in this case, from a data protection point of view, was whether the HSE West, Mid-Western Regional Hospital complied in full with its obligations under the Acts.
Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data. I was satisfied that no data protection issues arose in relation to sections 2(1)(a),(b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the Mid-Western Regional Hospital’s collection, processing, keeping and use of the data subject’s sensitive personal data. However, the disclosure of the data subject’s medical chart to the consultant ophthalmic surgeon had to be considered in the context of section 2(1)(c)(ii) of the Act. This section provides that personal data should not be further processed in a manner incompatible with the purpose for which it was collected. It was clear from my Office’s investigation that the consultant ophthalmic surgeon’s secretary at his private rooms contacted his secretary at the Mid-Western Regional Hospital to locate the data subject’s medical records relating to his eye condition. Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon’s private surgery.
In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon’s work within the HSE West, Mid-Western Regional Hospital as an employee of that hospital and his work carried out privately on behalf of an insurance company. The hospital’s disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the HSE West, Mid-Western Regional Hospital) to another (the consultant surgeon’s private surgery). It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject’s medical record from the hospital in his capacity as a separate data controller. In this instance he was not acting in his capacity as an employee of the HSE.
The medical record at the Mid-Western Regional Hospital in respect of the data subject was compiled in the course of his treatment for an eye condition. This was a specific, explicit and legitimate purpose. Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data. The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject’s eye condition on behalf of an insurance company to facilitate their processing of an insurance claim. The processing of an insurance claim related to the data subject’s eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the Mid-Western Regional Hospital.
There was also an obligation to meet the conditions set out in Section 2A of the Acts. These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:
· the performance of a contract to which the data subject is a party;
· in order to take steps at the request of the data subject prior to entering into a contract;
· compliance with a legal obligation, other than that imposed by contract;
· to prevent injury or other damage to the health of the data subject;
· to prevent serious loss or damage to property of the data subject;
· to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the performance of any other function of a public nature performed in the public interest; or
· for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In this case, the data subject did not give his consent to the Mid-Western Regional Hospital for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon. In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above. In this instance, the hospital did not meet any of those conditions.
To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
– the data subject must give explicit consent to the processing or
– the processing must be necessary for one of the following reasons:
· for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
· to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
· it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
· the information being processed has been made public as a result of steps deliberately taken by the data subject;
· for the administration of justice;
· for the performance of a function conferred on a person by or under an enactment;
· for the performance of a function of the Government or a Minister of the Government;
· for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
· for medical purposes;
· for the purposes of political parties or candidates for election in the context of an election;
· for the assessment or payment of a tax liability; or
· in relation to the administration of a Social Welfare scheme.
As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the Mid-Western Regional Hospital to the consultant surgeon. There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed. In this instance, the Mid-Western Regional Hospital did not meet any of those conditions.
I formed the opinion that the HSE West, Mid-Western Regional Hospital contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject’s sensitive personal data in a manner which was incompatible with the purpose for which it was obtained. This processing occurred when the consultant surgeon’s secretary at the Mid-Western Regional Hospital disclosed the data subject’s hospital medical file to his private practice secretary. In response to this incident the HSE West put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held. I welcome this.
I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the Mid-Western Regional Hospital.
In light of my previous decision which found a number of contraventions of the Acts by the HSE West, it followed that the consultant surgeon unfairly obtained the data subject’s hospital file. However, it was also clear that this was done unintentionally and in good faith.
I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split). This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems. However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company). Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts. These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data.
Disclosure of email addresses by a financial institution
In April 2008, I received a complaint from a data subject whose email address had been disclosed by a financial institution. The disclosure took place when the financial institution issued an email to 114 individuals with the email addresses of each of them visible to all recipients.
The background to this incident was that the data subject received several phishing emails. Having consulted the relevant financial institution’s website, he reported the matter using an email address provided by the financial institution for that purpose. Generally, phishing emails concerning banking services give the impression that they have been issued by a bank. They often request the recipient to log on to their online banking service to confirm their security details by clicking the link in the email. If a person clicks on that link they are routed to a ‘spoof’ site which looks like the bank’s online service. The intention of the fraudster is that the recipient will be fooled into disclosing their confidential details to the ‘spoof’ site.
The matter of the disclosure of the data subject’s email address was raised by my Office with the financial institution. It explained that when an email is received by the team which handles reported instances of phishing a standard response is sent advising the user of additional precautions to take and providing related information. However, on a particular weekend in April 2008, an unprecedented number of emails were sent to the phishing alert email address. To respond to each email a business decision was made to send a single response to all customers using the “bcc” (blind copy) option in email, which would have hidden all email addresses from the recipients. This bulk email failed because it was too large. To make the email more manageable for the mailbox, the user list was broken down into different outgoing emails. Due to a manual error, one of the emails was sent to 114 people using the “cc” option rather than the “bcc” option. This resulted in all 114 email addresses being visible to all recipients of the email.
The financial institution subsequently issued an email to the affected users to advise them of the incident and to apologise for the error. I am satisfied that the financial institution took prompt action to inform the affected parties that their email addresses had been disclosed. However, it is unfortunate that this disclosure occurred in the context of an email alert system that was established to prevent phishing.
All data controllers should take note of this incident and take steps to ensure that email addresses are not disclosed inadvertently. In particular, where an email is sent to a number of individuals it should be transmitted using the blind copy (‘bcc’) option in all situations which warrant it. It is the duty of data controllers to raise awareness amongst their employees about this issue and to foster a greater degree of care and responsibility in relation to the protection of personal data in the form of email addresses. However, I have some sympathy for data controllers where genuine mistakes occur in this area.
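The failure described above (a bulk reply split into batches, one of which went out with every address in “cc”) is the kind of slip a pre-send guard can catch mechanically. The following is an added example, not code from the report or from the financial institution: it builds each batch with recipients only in the SMTP envelope (the effect of “bcc”), rejects any message that exposes more than one visible address, and shows the disclosing variant that the check refuses. The addresses, batch size and mailbox names are constructed for the example.

```python
"""Pre-send guard for bulk customer notices (added example, constructed data)."""
from __future__ import annotations

from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 1      # only our own mailbox may appear in To/Cc
MAX_RECIPIENTS_PER_BATCH = 50   # constructed cap; the report's single bulk send failed for size


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Return every address that recipients would see, i.e. the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses([str(h) for h in headers]) if addr]


def check_message(msg: EmailMessage, max_visible: int = MAX_VISIBLE_RECIPIENTS) -> list[str]:
    """Return policy violations; an empty list means the message may be sent."""
    problems = []
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        problems.append(f"{len(seen)} visible recipients exceed the limit of {max_visible}")
    if msg.get_all("Bcc"):
        # A Bcc header must never be serialised; recipients travel in the envelope only.
        problems.append("Bcc header present; strip it and pass recipients as envelope addresses")
    return problems


def disclosing_message(sender: str, recipients: list[str]) -> EmailMessage:
    """The mistake from the incident: every customer placed in Cc, visible to all."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = "Phishing warning"
    msg.set_content("Do not follow links in emails that ask for your security details.")
    return msg


def build_bulk_notices(sender: str, recipients: list[str], subject: str, body: str,
                       batch_size: int = MAX_RECIPIENTS_PER_BATCH) -> list[tuple[EmailMessage, list[str]]]:
    """Split recipients into batches of (message, envelope_recipients).

    Each message shows only the sender's own mailbox in To; customers are
    delivered via the SMTP envelope, which is what 'bcc' achieves without
    ever writing their addresses into the message.
    """
    unique = list(dict.fromkeys(r.strip().lower() for r in recipients))
    batches = []
    for start in range(0, len(unique), batch_size):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = sender
        msg["Subject"] = subject
        msg.set_content(body)
        envelope = unique[start:start + batch_size]
        problems = check_message(msg)
        if problems:  # defence in depth: the builder itself must pass the guard
            raise ValueError("; ".join(problems))
        batches.append((msg, envelope))
    return batches


def deliver(batches: list[tuple[EmailMessage, list[str]]], smtp) -> int:
    """Hand each batch to an smtplib.SMTP-compatible object; returns batches sent.

    The guard runs again at the last moment so a message edited after building
    (for example, someone adding a Cc line) is refused rather than transmitted.
    """
    sent = 0
    for msg, envelope in batches:
        problems = check_message(msg)
        if problems:
            raise ValueError("refusing to send: " + "; ".join(problems))
        smtp.send_message(msg, from_addr=str(msg["From"]), to_addrs=envelope)
        sent += 1
    return sent
```

`deliver` accepts any object with an `smtplib.SMTP`-style `send_message`, so the guard can be exercised against a recording stub before it is wired to a real server.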
Credit union commits several breaches by failing to update a member’s address record
In March 2008 I received an unusual and complex complaint against Halston Street Credit Union. The Credit Union had sent correspondence for the complainant’s ex-wife to the complainant’s address. After receiving the registered correspondence at his home address, the complainant informed the Credit Union by phone that his ex-wife did not reside at his address, nor indeed had she ever resided at that address. In fact they had been living apart for twenty-two years. Despite this, two further pieces of correspondence from Halston Street Credit Union to his ex-wife arrived at the complainant’s address on separate dates.
My Office wrote to Halston Street Credit Union in early April 2008 informing it that we were commencing an investigation of this complaint. The complainant was anxious to establish what personal data the Credit Union held in relation to him. He was genuinely concerned that the correspondence he was receiving was prompted by fraudulent use of his personal data by a third party. We advised him to submit a request to the Credit Union under section 3 of the Acts. Section 3 of the Acts provides that an individual may submit a request in writing to a data controller to be informed whether the data controller keeps personal data relating to the individual. If the data controller does have such data, section 3 provides that the data subject should be given a description of the data and the purposes for which it is kept. Under the provisions of the Acts a data controller must respond to such a request within twenty-one days. The complainant took our advice but unfortunately did not receive a response from Halston Street Credit Union to the section 3 request that he submitted in mid-July 2008.
Halston Street Credit Union failed to reply to my Office’s initial correspondence despite three separate reminders during the period April to July. One of my officials received a very unsatisfactory call from one of the elected members of the Credit Union which did not provide any response to the issues raised. This situation, coupled with the failure by the Credit Union to meet its statutory obligation to respond to the request under section 3 of the Data Protection Acts, led my Office to form the view that the Credit Union had little regard either for the data protection rights of the complainant or for my Office. For these reasons I instructed two of my senior officers, using the powers conferred on them by section 24 of the Data Protection Acts, to enter and inspect the premises of Halston Street Credit Union to obtain information relevant to the investigation of this complaint. In the course of their inspection, my authorised officers found records which confirmed that the complainant had indeed informed Halston Street Credit Union in June 2007, as he had indicated, that his ex-wife did not live at his address. No action had been taken by the Credit Union on foot of this information in terms of updating the address on file and, as a result, the complainant’s address was used on two further occasions by the Credit Union to send letters intended for his ex-wife. My authorised officers also found the section 3 request that the complainant had submitted in July 2008 on the premises. They confirmed that the Credit Union had not taken any action in response to the request.
Subsequent to the inspection by my authorised officers, Halston Street Credit Union confirmed to my Office that a response issued to the complainant’s section 3 request in mid-September 2008. This was over five weeks outside the statutory requirement. My Office was disappointed to discover that the Credit Union had copied its response to the section 3 request to four separate third parties. The complainant was entitled to have his request handled in a confidential manner. It was, to say the least, very disappointing that the Credit Union copied the response to the request to third parties who had no business in relation to it.
Following my Office’s investigation, we found Halston Street Credit Union to be in breach of section 3(b) of the Data Protection Acts for failing to respond to the complainant’s section 3 request within the statutory timeframe of twenty-one days. We found that the Credit Union was also in breach of section 2(1)(d) of the Acts for its unauthorised disclosure of the complainant’s personal data to third parties when responding to his section 3 request. The records of Halston Street Credit Union showed that the complainant first contacted it by telephone in June 2007 to inform it that his ex-wife did not live at his address. The Credit Union’s subsequent failure to take action to remove the complainant’s address from its records led it to process the complainant’s personal data on two further occasions, constituting two additional breaches of his data protection rights under section 2A of the Acts. The failure of Halston Street Credit Union to remove the complainant’s address from his ex-wife’s records caused two further breaches. This time the Credit Union breached the data protection rights of the complainant’s ex-wife, because it sent her personal data on two occasions in August 2007 and September 2007 to an address which it knew from June 2007 to be incorrect.
The sequence of events that culminated in my instruction to my authorised officers to use their powers under Section 24 of the Acts to progress the investigation of this complaint demonstrates the dismissive attitude shown by an elected member of Halston Street Credit Union towards my Office. This uncooperative approach by the Halston Street Credit Union was disappointing and unacceptable. Thankfully my staff do not encounter such attitudes every day and, in the event, the staff and manager in the Credit Union were very co-operative to my authorised officers during their visit. Our approach to complaints, as provided under the Acts, is to try to reach an amicable resolution by engaging openly and honestly with the parties concerned. When a data controller fails to cooperate satisfactorily with an investigation conducted by my Office, I will use my legal powers without hesitation, as this case demonstrates. Neither I nor my staff will be deterred from taking the actions that we consider necessary.
As I reflect on this regrettable and time-consuming incident, I note that it comes down to the Credit Union’s refusal to respond to a person with a genuine complaint. The complaint was well-grounded and reasonable and, if the Credit Union had demonstrated even a basic level of customer service, the matter would have been resolved quickly and without consuming the resources of my Office. In this respect, I accept that a Credit Union has a right to trace the location of a person with whom it needs to communicate for a genuine business reason and using reasonable means. For this reason I have no difficulty with the sending of the initial letter.
Tesco and the resale of an Apple ipod containing a customer’s personal data
In March 2008 I received a complaint from a data subject regarding the resale by a Tesco store of an Apple ipod which she had returned to the store after it developed a fault and onto which personal data relating to her had been downloaded.
The data subject informed my Office that she purchased the ipod at a Tesco store in May 2007 and that she returned it a few days later when it developed a fault. After purchasing it, the data subject had successfully downloaded music and photographs from her computer onto the ipod and she had registered it in her name. On returning the ipod she made a point of informing a member of staff at the Tesco store that due to the fault she was unable to delete from the ipod her personal photographs and music prior to returning it. She was given a replacement ipod immediately.
However, in early January 2008, the data subject became aware through an acquaintance that the ipod she had returned the previous May had subsequently been resold by Tesco to a different customer. The data subject contacted this customer who confirmed to her that she had purchased the ipod as a Christmas gift for her daughter at the same Tesco store some months after the data subject had returned it. She also informed the data subject that, on purchasing the ipod, she found that she had access to the data subject’s music and personal photographs. When she tried to register the ipod in her daughter’s name, it was confirmed that the ipod was still registered in the name of the data subject. That customer also returned the ipod to the Tesco store.
Understandably, the data subject was concerned to find that the faulty ipod that she had returned to Tesco in May was resold again some time later with her personal data still on it. My Office contacted Tesco’s Head Office regarding this matter. Tesco subsequently acknowledged to my Office that the ipod returned by the data subject should not have been put on sale after she had returned it. It informed my Office that its own internal controls failed to operate on this occasion and that the ipod should have been returned to its supplier. Instead, it appears to have been repackaged, retained in the store for some time and then inadvertently put on sale again. Tesco also informed my Office that when the ipod was returned a second time, its internal processes operated effectively and the ipod was returned to the supplier.
Tesco informed my Office that as a result of this incident it instituted a review of the data protection compliance processes in its stores. This included implementing more robust processes for the storage, return and tracking of any devices that contain personal data. Tesco also informed my Office that as part of its review of its data protection compliance processes, it had reiterated to its entire staff the need to be careful about how its customers’ personal data is used.
During my Office’s investigation of this complaint, Tesco expressed regret at the inconvenience and concern caused to the data subject as a result of the manner in which the matter was dealt with by the store. It also offered a gesture of goodwill to the data subject and expressed a wish to write directly to her to express its apologies for the incident.
As the Data Protection Acts mandate my Office, in the first instance, to resolve complaints amicably between the parties concerned, my Office informed the data subject of Tesco’s interest in reaching an amicable resolution. The data subject accepted Tesco’s goodwill gesture and letter of apology, both of which were forwarded to her via my Office.
This case perfectly demonstrates circumstances when, through the intervention of my Office, a data controller is made aware that it has breached the Acts and is reminded of its obligations under the Acts. At the same time, the concerns of a data subject are addressed and the matter is resolved amicably between the parties. It also highlights the need for retailers to raise awareness among their staff about the capacity of portable devices which they sell in their stores to process and retain personal data. Robust procedures are necessary in retail outlets to prevent incidents of a nature similar to that outlined in this case.
Data Controller breaches several provisions in its processing of Sensitive Personal Data
I received a complaint in May 2006 from a data subject regarding the use by her former employer, Baxter Healthcare S.A., of two medical reports relating to her. The data subject had been involved in an industrial accident at work in April 2002 which subsequently resulted in a prolonged absence from the workplace. During this absence, the data subject pursued a personal injuries claim against Baxter Healthcare. As part of this process, at the request of the solicitor acting on behalf of Baxter Healthcare’s insurers, she attended a consultant neurologist on two occasions for medical evaluation in 2003 and 2004. Early in 2005, the data subject became aware that the medical reports compiled as a result of those evaluations were in the possession of Baxter Healthcare. Through her solicitor, the data subject made an access request to Baxter Healthcare for copies of the medical reports. She was advised in writing that, as these reports were obtained in the context of her personal injury proceedings, her access request should be addressed to the solicitors, P. O’Connor & Son, acting for the insurers. Shortly afterwards, the data subject’s contract of employment was terminated. The decision by Baxter Healthcare to terminate the employment was stated to be on the basis of the medical evidence available to the company, including the medical reports compiled in 2003 and 2004 in the context of the data subject’s personal injury claim. Following her dismissal, the data subject brought a claim to the Labour Relations Commission against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. A hearing in relation to this case took place in April 2006 and the data subject alleged that, in the course of the hearing, copies of the medical reports were furnished by Baxter Healthcare to herself, to the Rights Commissioner and to all present. These medical reports had not been previously provided to her in response to her access request.
My Office conducted a detailed and extensive investigation of this complaint. This focused on two primary data protection issues, namely the use of the medical reports obtained to defend an insurance claim to support the dismissal of the data subject and the disclosure of those same medical reports at a labour relations hearing. The company’s solicitor stated that the medical reports of the consultant neurologist were obtained for the legitimate purpose of defending personal injury proceedings instituted by the data subject and that the medical reports were also employed and required for the legitimate purpose of defending separate legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. It submitted that Section 2(1)(c)(i) of the Acts specifically envisages that the data may be obtained and used for more than one purpose, provided that both purposes are legitimate. It went on to state that Section 2(1)(c)(ii) of the Acts only prohibits further processing insofar as that processing is incompatible with the original purpose or purposes. It argued that the use of the reports to defend legal proceedings against Baxter Healthcare under the Unfair Dismissals Act could not be said to be incompatible with the original purpose as the original purpose was to defend legal proceedings instituted by the data subject and the subsequent use was to also defend legal proceedings, albeit separate proceedings by the data subject.
The data subject sought a decision on her complaint under Section 10(1)(b)(ii) of the Acts in June 2007. In my analysis of the data protection issues arising from this complaint, I found that the medical reports in question constitute ‘sensitive personal data’ within the meaning of the Acts. The medical reports were commissioned on behalf of Baxter Healthcare’s insurers, by its solicitors, for the purpose of the defence of the High Court personal injury claim instituted by the data subject. The reports were, however, used for three purposes:
They were used for the purpose for which they were generated in the first place, i.e. for the defence by Baxter Healthcare’s insurers of the High Court personal injury claim instituted by the data subject.
They were used in the decision taken by Baxter Healthcare to terminate the employment of the data subject.
They were used to defend legal proceedings taken by the data subject against Baxter Healthcare under the Unfair Dismissals Act at a hearing in April 2006.
No data protection issue arose in relation to the first use of the medical reports by Baxter Healthcare’s insurers in the context of its defence of the personal injury claim brought by the data subject.
With regard to the second use by Baxter Healthcare of the medical reports in the decision to terminate the data subject’s employment, this was done without the data subject’s consent. The general requirements that must be complied with by a data controller under the Acts in relation to the personal data of a data subject include the following:
the data shall have been obtained only for one or more specified, explicit and legitimate purposes
the data shall not be further processed in a manner incompatible with that purpose or those purposes
the data subject is informed of the purpose or purposes for which the data are intended to be processed
The consent of the data subject is the default position, as it were, for the fair processing and obtaining of personal data. Where it is absent, the data controller may not process personal data unless it can find another basis in the Acts. The Acts provide for the following exemptions which were potentially applicable in the present case:
the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject (Section 2A(1)(d));
and (because sensitive data is involved)
the processing is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings or is otherwise necessary for the purpose of establishing, exercising or defending legal rights (Section 2B(b)(vii)).
All of these conditions must be met.
In my analysis of this complaint, I considered that the purpose for which the medical reports were originally obtained (the defence by Baxter’s insurers of the High Court personal injury claim instituted by the data subject) was not compatible with their further use to support the data controller’s decision to dismiss the data subject. I considered that, in the absence of the data subject’s consent, this processing of the data subject’s sensitive personal data constituted a breach of the Acts.
With regard to the third use by Baxter Healthcare of the medical reports to defend legal proceedings under the Unfair Dismissals Act, the same considerations arose in relation to the further use of the sensitive personal data at a hearing before a Rights Commissioner in April 2006, with the aggravating factor that the sensitive personal data was further disclosed to those involved in the hearing.
However, I had to consider if the processing of personal data in this case might benefit from the exemption in Section 8(f) of the Acts which provides that: “Any restrictions in this Act on the processing of personal data do not apply if the processing is …required…for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.”
I formed the opinion that this exemption cannot apply to sensitive personal data which has already been improperly processed to support the decision (dismissal) which was the subject matter of the legal process. I concluded that the use of the medical records to defend the Unfair Dismissals claim constituted a further breach of the Acts.
For completeness, my Decision in this case also found that Baxter had failed to comply fully with an access request made by the data subject.
This case demonstrates the care which data controllers must exercise in the processing of all personal data, including sensitive personal data, in its possession. It is unacceptable for a data controller to seek to take advantage of personal data which may be in its possession and to use it for some purpose unrelated to the purpose for which it was originally obtained.
Aer Lingus – Disclosure of employee information
Early in 2007, my Office received a significant number of complaints from employees of Aer Lingus regarding an alleged disclosure of their personal information by Aer Lingus to a third party without their consent. According to the complainants, the Human Resources Division of Aer Lingus had passed on the names, staff numbers and place of employment of its staff to HSA Ireland without the knowledge or consent of the employees concerned. Staff of Aer Lingus had become aware of this matter when they received personally addressed promotional literature from HSA Ireland, a healthcare organisation offering a range of health care plans. In this promotional literature, a copy of which was received in my Office, HSA Ireland informed the Aer Lingus employees that Aer Lingus had agreed to allow it to directly distribute the information to them.
Section 2 of the Data Protection Acts, 1988 and 2003 sets out the position in relation to the collection, processing, keeping, use and disclosure of personal data. It provides that data should be obtained and processed fairly, kept for only one or more specified purposes and it should be used and disclosed only in ways compatible with that purpose or those purposes. It also provides that personal data should not be processed by a data controller unless at least one of a number of conditions is met – one of those conditions being the consent of the data subject to the processing.
In response to initial contact from my Office regarding the alleged disclosure of personal information, Aer Lingus confirmed that it had passed on the personal data of its staff to HSA Ireland and it set out the background to how it had occurred. It explained that the company had previously operated and administered a Staff Welfare Fund to assist employees in certain circumstances in relation to personal and family medical expenses. As this fund had closed, Aer Lingus committed to putting another scheme in place and it negotiated with HSA Ireland to offer a replacement scheme to employees. In order to increase staff awareness of this new scheme, it was decided that it would be in the best interests of staff to write to them directly at their place of employment. Employee names and staff numbers were provided to HSA Ireland by means of a mail merge file. Aer Lingus was of the opinion that this disclosure was legitimate in accordance with what it regarded as a bona fide employment purpose. It also confirmed that consent had not been sought or obtained from its employees prior to the forwarding of the employee details to HSA Ireland.
My Office reminded Aer Lingus of its obligations under Section 2 of the Data Protection Acts with regard to the processing of personal data and it pointed out that the personal data of its staff should not have been disclosed to a third party without the consent of the employees concerned. In the circumstances, my Office sought and obtained confirmation from Aer Lingus that it had now destroyed the mail merge file containing the names and staff numbers which it had forwarded to HSA Ireland. Confirmation was also received from HSA Ireland that it had not retained records of Aer Lingus employee names, addresses, payroll or payslip numbers on any database.
My Office was satisfied by the steps taken by Aer Lingus and HSA Ireland in terms of corrective action. By way of clarification, we pointed out that the key issue from a data protection perspective was that Aer Lingus had facilitated contact from a third party to its employees concerning the availability of a staff welfare scheme while the same information could have been promulgated to those employees without raising any data protection concerns had Aer Lingus sent it directly to its employees instead.
I fully recognise that employers may, from time to time, wish to communicate details of various schemes to their employees. This can easily be achieved without infringing on the data protection rights of employees if the employer supplies the information directly to its employees or by some other means in conformity with the Data Protection Acts. My Office had only in the weeks before these complaints were received conducted an audit of Aer Lingus which had generally found a high level of compliance with data protection requirements. The occasion of the audit could have been used to seek advice from my Office on this issue.
My Office is always available to give advice to data controllers and the public alike in relation to data protection responsibilities and rights.
School Archiving Project: Disclosure of personal data
A former pupil of a national school in Dublin complained to me about a disclosure of personal data through the availability of school registers in Dublin City Libraries and in the National Archives. These registers were indexed as part of the Wheatfield Indexing Project in Wheatfield Prison.
The information contained in school registers, including names, addresses and dates of birth, is personal data within the meaning of the Data Protection Acts.
The Wheatfield Indexing Project involved the archiving of certain Dublin national school registers. It was undertaken by the Irish Prison Service, in partnership with the Dublin City Public Libraries. The aim of the project was to reproduce certain school registers in an electronic format by inputting them into a computer database. The information was then made available to the schools involved and was lodged in “The Dublin and Irish Collection” in Dublin City Libraries at Pearse Street and in the National Archives.
The complainant contacted my Office concerning the disclosure of his personal information in this manner.
On investigation, it was established that Dublin City Libraries had not put the archive in question on public display and that the National Archives withdrew the material in their possession from display immediately upon receipt of a complaint made directly to them by the data subject.
This case highlights, among other things, the vast quantity of personal data which is held in school records and the necessity of treating and handling such data in accordance with the Data Protection Acts (the Acts will apply fully to manual data with effect from October 2007). I also recognise and appreciate the importance and significance of indexing and archiving school material as valuable genealogical, historical and sociological resources. However, such indexing and archiving should be carried out in a manner compatible with an individual’s right to privacy. In this case, the information indexed and archived was from the relatively recent past, with some records dating back to as recently as 1981, therefore allowing living individuals to be easily identified from the archived information.
Complaint by School Manager about disclosure to parents of his personal data contained in a school inspection report
A School Manager complained to me about disclosure to the school Principal of his personal data contained in the report of an unannounced visit by a school inspector under the terms of the Education Act 1998.
Comments about a School Manager or staff member in a school inspection report are personal data relating to that individual within the meaning of the Data Protection Acts.
In this case, the inspection report was released to the school principal, in response to an application by her to the Chief Inspector requesting a review of the inspection under section 13(9) of the Education Act 1998. The Department of Education and Science indicated that their policy in relation to the publication of inspection reports is as follows:
‘It is the Department’s practice to provide a copy of an inspection report to a person seeking a review as part of the section 13 (9) Review Procedure process. … It is the view of the Department that the report in question was a record which was required to be disclosed to that person by operation of a rule of law, and in accordance with section 8 of the Data Protection Act, such disclosure is exempt from the terms of that Act and consequently the prior consent of a data subject was not required.’
My Office informed the Department that, insofar as possible, inspection reports which issue should not contain third party data, or at least that party’s consent should be sought to permit disclosure of his or her personal data, other than in cases under section 8(e) and 8(f) of the Data Protection Acts. In effect, these provisions allow for disapplying the restrictions on disclosure where required ‘by or under an enactment or a rule of law or order of a court’, section 8(e), or where ‘required for the purposes of or in the course of legal proceedings in which the person making the disclosure is a party or a witness’, section 8(f).
My Office advised the Department of its obligations under the Data Protection Acts, in particular the general requirement that, in any case where an individual’s rights might be prejudiced, that person should be made aware that their personal data is being disclosed to a third party.
I also received complaints from the same School Manager, the Principal and a teacher about the release of the report to parents under the Freedom of Information Acts. Under Freedom of Information legislation, personal information is exempt from disclosure to third parties, subject to a number of exceptions. These exceptions include where the public interest in disclosure outweighs the individual’s right to privacy. Section 28(5)(a) of the Freedom of Information Acts provides that a request for third party personal information may be granted when ‘on balance, the public interest that the request should be granted outweighs the public interest that the right to privacy of the individual to whom the information relates should be upheld’. This is an exception, and the Information Commissioner has ruled (case No 99001) that ‘the protection of personal privacy afforded by the section 28 exemption is intended to be a strong one’.
My staff considered the issue of the interface between the Freedom of Information Acts and the Data Protection Acts. Section 1(5)(a) of the Data Protection Acts 1988 and 2003 provides that –
“1. (5)(a) A right conferred by this Act shall not prejudice the exercise of a right conferred by the Freedom of Information Act 1997.”
The Data Protection Acts also set aside the general prohibition on disclosure in a number of specified circumstances including where disclosure is required under an enactment or by a rule of law or a court order.
In assessing whether a disclosure of personal information under the Freedom of Information Acts is legitimate in so far as the Data Protection Acts are concerned, the key issue is to determine what the public interest is in the particular case, and to apply the test provided by section 28(5)(a) of the Freedom of Information Acts. In the present case, this Office considered that there was a legitimate public interest, from the perspective of transparency and accountability, in a School Inspector’s report being made available to parents and that this public interest outweighs the right to privacy of the individual to whom the information relates. Accordingly, my staff concluded that there had not been a contravention of the Data Protection Acts.
I am aware that the Minister for Education is making School Inspection reports publicly available in the interests of transparency. My Office has advised that care should be taken to ensure that only personal data which is essential to the substance of the Inspection Report should be included.
Incorrect Association of an Individual’s Personal Details with Another File
We received a complaint concerning an alleged breach of an individual’s data protection rights by an insurance company.
During our investigation, the insurer (Insurer X) advised us that the complainant had in the past requested a quotation for household insurance from another insurance company (Insurer Y), the undertakings of which had been transferred to Insurer X. Insurer Y had failed to delete the quotation (the complainant had never proceeded to take out a policy) in line with its own data retention policy. In addition, Insurer Y had mistakenly linked the complainant’s personal details on the quotation to an insurance claim file in respect of a claim it had received from a person with an identical name.
When a transfer of Insurer Y’s undertakings to Insurer X was being completed, the insurance claim file which mistakenly included the complainant as the claimant (rather than another individual who had the same name) was transferred to Insurer X. The claim when assessed later turned out to be fraudulent and Insurer X had its solicitors write to the complainant advising that their claim was found to be fraudulent and indicating the follow-up action which Insurer X intended to pursue to protect its interests.
At its centre, this case concerned sloppy handling of personal data. Many people in Ireland have the same name and there was no reason why the complainant’s personal details collected when the complainant obtained a quotation should have been added to an insurance claim file. Sufficient checks and balances should have existed in Insurer Y’s data handling processes. However, the more significant issue that arose for this complainant is that they were unable to ascertain, prior to our involvement, how their details came to be in the possession of Insurer X and how the issue that arose had come about.
A number of contraventions therefore occurred in this case – a breach of the requirement of a reasonable retention period due to holding onto the quotation data longer than necessary and longer than was set out in the company’s own retention policy; unlawful further processing of the personal data by associating it with a claim file; failure to respond in a clear and timely manner to the complainant to explain how their data had been sourced and how it came to be processed in the way that it was. The complainant in this case suffered particularly serious consequences as they incurred significant legal costs in defending the accusation of making a fraudulent claim and the threat by Insurer X of instigating Circuit Court proceedings against them.
Further Processing of an Individual’s Personal Data in an Incompatible Manner
An individual submitted a complaint regarding the unfair processing of their personal data. The individual stated that they had received letters from Thornton’s Recycling and Oxigen Environmental respectively explaining that there would be a change-over of refuse collection services from Oxigen Environmental to Thornton’s Recycling within a week of the issuing of the letters. The complainant advised that they had not authorised the transfer of their personal details and had not been previously informed of this transfer of ownership.
We raised the matter with Oxigen Environmental requesting an explanation as to the reason for processing personal data in this manner in light of the data protection requirements of fair obtaining and fair processing of personal data. Oxigen Environmental confirmed that the customer details that were transferred to Thorntons consisted of a name, address and any balance that remained on the customer’s pre-paid account. It advised that no banking details were passed over at any stage. It also alleged that a letter had been sent out to all customers advising them of the transfer and that this letter had been issued before any customer data had been transferred but they were not able to clarify the date on which this allegedly occurred.
Oxigen Environmental indicated that the first and only notification that customers received regarding the transfer of services from Oxigen Environmental to Thorntons Recycling was made by way of two letters, one each from Oxigen Environmental and Thorntons Recycling, contained in the same envelope delivered to customers. The interval between this notification and the transfer of services spanned less than four working days. We considered that this was an insufficient timeframe for customers to consider the change-over and to make alternative arrangements to prevent the further processing of personal data. Whilst the issue of takeovers/mergers is often covered by a company’s contractual terms with its customers, we established that Oxigen Environmental’s terms and conditions and Customer Charter did not cover such issues.
Taking into account the short timeframe that had elapsed between the notification of the transfer of services and the date from which the transfer became effective, our view was that the fair processing requirements under the Acts were not fulfilled. Whilst a proposal for amicable resolution was put forward, we were unable to conclude an amicable resolution of the complaint and a formal decision of the Commissioner issued in July 2016. The Commissioner found Oxigen Environmental to be in contravention of Section 2(1)(a) of the Data Protection Acts 1988 and 2003 in that it unfairly processed personal data without sufficient notice to its customers.
The requirement to provide proper notice of processing to data subjects in accordance with Section 2(1)(a) and Section 2D of the Data Protection Acts 1988 and 2003 is an essential pre-requisite to the lawful processing of personal data. A data subject has the right to be properly informed with adequate notice of a change in the ownership of a business holding his or her personal data, in order to be able to withdraw from the services being provided and prevent the further processing of their personal data (including preventing the transfer to a new owner) and to make alternative arrangements. The issue of what constitutes adequate notice will vary from case to case but in any event it must be at minimum a sufficient period that will allow a data subject to have a meaningful opportunity to consider the changes contemplated and to take steps to exercise their preferences in relation to the proposed changes.
Further processing of personal data by a state body
In February 2015, we received a complaint from an employee of a state body in relation to the alleged unfair processing of his personal data. The complainant stated that, in the course of a meeting, he had been advised that his manager had requested access to data from his security swipe card in order to compare it with his manually completed time sheets. The complainant explained that this had been carried out without any prior consultation with him or his line manager. By way of background, the complainant informed us that the security swipe cards used by the employees are for accessing the building and secured areas only, and are not used as a time management/attendance system.
We sought an explanation from the body concerned as to how it considered that it had complied with its obligations under the Data Protection Acts in the processing of the complainant’s personal information obtained from his swipe-card data. We also advised it that we had sight of the relevant section of its staff handbook and we noted that there was no reference to the swipe card being used for the purpose of checking attendance.
We received a response explaining that the swipe-card data relating to the complainant was handed over to the complainant’s manager in good faith on the basis that it was corporate rather than personal data. The organisation also confirmed that it checked the staff handbook and any other information that may have been circulated to staff regarding the purposes of the swipe card and that there was no mention of the use of swipe cards in relation to recording time or attendance. It advised that the focus of the information circulated with regard to swipe cards was on security and access only.
After consideration of the response received, along with the content of the complaint, we informed the organisation concerned that we considered that the Data Protection Acts were breached when the employee’s swipe-card details were provided to his manager to verify his working hours. We referred to the provisions of Section 2(1)(c)(ii) of the Data Protection Acts, which state that data shall not be further processed in a manner incompatible with the purpose for which it was obtained. Given that we considered the information concerned had been processed in contravention of the Data Protection Acts 1988 and 2003, we required an assurance that all email records created in relation to the further processing of the swipe-card details concerned be deleted from its systems; this assurance was duly provided.
The complainant in this case agreed, as an amicable resolution to his complaint, that he would accept a written apology from his employer. This apology acknowledged that the complainant’s data protection rights had been breached and it confirmed that the organisation had taken steps to ensure that this type of error did not recur in the future.
This case highlights the temptation organisations face to use personal data that is at their disposal for a purpose other than that for which it was originally obtained and processed. The scenario outlined above is not uncommon, unfortunately. Time and attendance monitoring may occasionally prove difficult for managers, and contentious issues arise from time to time. The resolution of those issues should not involve an infringement of the data protection rights of employees similar or otherwise to the circumstances in this case.
Disclosure of personal data due to inappropriate security measures
In August 2008, I received a complaint regarding the alleged disclosure of personal information by an airline. The complainant to my Office stated that in June 2008, in response to a phone call, the airline disclosed by email a travel itinerary for herself and her husband to her husband’s employer and on foot of this disclosure, her husband was dismissed from his employment. The complainant stated that her husband’s employer had made a written statement to the effect that the email in question was disclosed by the airline on the provision of a surname only. A copy of this statement was provided to my Office.
In the course of this investigation, the airline informed my Office that security questions were asked prior to the email in question being issued to the third party. It did not dispute that it sent the email. However, as the airline did not record the telephone call requesting the information, nor were its security questions system-prompted and logged, it was not able to provide any evidence to prove that the appropriate security questions were asked in this instance. My Office also took into consideration that the booking was made from the complainant’s own computer using a personal email address rather than from an email address at her husband’s workplace.
On the basis of the information presented, together with the fact that the airline could not provide evidence that its own security measures were in fact used on this occasion, I arrived at the decision, following the investigation of this complaint, that the airline had contravened Section 2(1)(c)(ii) by further processing the complainant’s personal data and that of her husband when it disclosed to her husband’s employer their travel itinerary in an email. It also contravened Section 2(1)(d) by failing to have in place appropriate security measures to prevent the unauthorised disclosure of her personal information and that of her husband.
The security related issues highlighted by this complainant have been the subject of extensive engagement by this Office with the airline who, following this complaint, examined ways to enhance its security in relation to the handling of enquiries such as this.
This complaint clearly demonstrates the need for data controllers to have controls in place to prevent the disclosure of personal data. It is not sufficient to rely solely on the word of staff that they will ask the appropriate security questions in all instances, particularly in circumstances such as this where an individual deliberately seeks to obtain personal data which they are clearly not entitled to receive.
Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages
My Office received complaints from two individuals regarding unsolicited marketing text messages which they received in the spring of 2008 from Map Dance Limited, trading as Jackie Skelly Fitness. One complainant was a former customer of Jackie Skelly Fitness and the other was an existing customer. Both complainants informed me that they had not consented to receiving marketing text messages from this company. Furthermore, the marketing text messages did not contain an opt-out facility as required.
As part of my Office’s investigation into the matter, we sought the traffic records from the third party company used to send the messages on behalf of Jackie Skelly Fitness to the complainants’ mobile phones. We did this to confirm that the messages were sent by Jackie Skelly Fitness and to establish the content of those messages.
The traffic records which we obtained showed that Jackie Skelly Fitness had sent the marketing text messages in question and that the messages did not contain an opt-out facility as required by the regulations in Statutory Instrument 535 of 2003. Following my Office’s investigation, I was satisfied that offences had been committed and I decided to exercise my powers to prosecute Jackie Skelly Fitness in respect of those offences.
In April 2009, at Dublin Metropolitan District Court, Jackie Skelly Fitness pleaded guilty in respect of one charge related to the sending of an unsolicited marketing text message to a customer without consent, in contravention of Regulation 13(1)(b) of S.I. 535 of 2003. The Court recorded a conviction and it imposed a fine of €1,750. Jackie Skelly Fitness also pleaded guilty in respect of one charge related to the sending of a marketing text message to a former customer which did not contain a valid address to which the recipient could send an opt-out request, in contravention of Regulation 13(8) of S.I. 535 of 2003. The Court recorded a conviction and imposed a fine of €1,500. This was the first occasion on which a conviction was recorded in respect of an offence under Regulation 13(8) for failure to include an opt-out facility in a marketing text message.
Disclosure of personal details by a local authority on its website
I received a complaint from a member of the public towards the end of 2008 regarding the disclosure of personal data submitted as part of an application for planning permission to a local authority.
Background
(i) In the latter part of 2006, my Office entered into discussions with the Department of the Environment, Heritage and Local Government in an effort to establish an appropriate balance between an open and transparent planning system and the rights of individuals to privacy and data protection. Following these discussions, the Minister for Environment, Heritage and Local Government signed the Planning and Development Regulations 2007 (SI 135 of 2007). Amongst other things, these regulations introduced an amended planning application form. The amended form re-arranged the address/contact details section from the front of the form to a detachable page at the rear of the form to ensure that these personal details could be removed prior to the publishing of planning applications on the planning authority’s website.
(ii) The Department of the Environment, Heritage and Local Government also issued Development Management Guidelines for planning authorities which, among other things, recommended that all planning authorities use a Robots Exclusion Protocol (a simple convention by which a website signals to reputable search engines that a page should not be indexed for inclusion in search results) in relation to planning application data on their websites, so as to protect personal data on those websites from search engine access.
Complaint
In this case, the complainant completed the planning application form and provided the planning authority with his contact details on the detachable part of the form. However, the information supplied in this section was subsequently made available to the public on the local authority’s website.
My Office contacted the local authority involved and asked it for its comments on what led to the publication of the contact details on the website and if it had implemented a Robots Exclusion Protocol to prevent personal data appearing on search engines.
In reply, the local authority informed my Office that, on this occasion, the procedures it had in place to comply with the data protection requirements had not operated and that, as the procedures were relatively new, the physical removal of the contact details portion of the planning application form was overlooked. It also indicated that the procedures had since been strengthened to ensure compliance with the data protection requirements. The response also indicated that the local authority had not yet implemented a Robots Exclusion Protocol and that it was currently being considered. At that point, my Office made it clear to the local authority that, given the passage of time since the Department had published its Development Management Guidelines in 2007, we found it unacceptable that a Robots Exclusion Protocol had not yet been put in place. We pointed out that, by not having it in place, the personal information of individuals making planning applications continued to be at risk of being picked up by search engines when the applications were uploaded onto the website. The local authority was instructed by my Office to put in place a Robots Exclusion Protocol immediately, failing which I would use whatever legal powers I deemed necessary to protect the personal data of those individuals who submit planning applications to that local authority. My Office subsequently received confirmation from the local authority that a Robots Exclusion Protocol had been put in place.
The complainant in this case requested a formal decision under Section 10 of the Acts. My decision found that the local authority had contravened Section 2(1)(d) of the Data Protection Acts when it published, on its website, the contact details which the planning applicant had submitted on part of the planning application form. It breached this requirement by not having in place appropriate measures to prevent the unauthorised disclosure of the planning applicant’s contact details.
This case demonstrates the need for local authorities to be extra vigilant when uploading planning applications to their websites to ensure that only the information required by law to be made publicly available is published in this way. In addition, having a Robots Exclusion Protocol or similar in place guards against the risk of the planning applications themselves being captured by search engines.
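The Robots Exclusion Protocol referred to in this case is most often expressed as a robots.txt file at the root of a website (a per-page robots meta tag is the other common form). The following is an added illustration, not code from the Commissioner’s report or from any planning authority: it parses a constructed robots.txt that excludes a hypothetical planning-applications area and checks which paths a crawler honouring the protocol would still index, using Python’s standard-library parser. The site name, paths and crawler name are assumptions made for the example.

```python
"""Added example: checking a robots.txt exclusion for a planning-applications
area with Python's urllib.robotparser. Not code from the Data Protection
Commissioner's report or from any planning authority; the host, paths and
user-agent name below are constructed for illustration.
"""
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical planning authority website.
# Well-behaved crawlers are told to stay out of the application documents
# while the guidance pages remain indexable.
ROBOTS_TXT = """\
User-agent: *
Disallow: /planning/applications/
Allow: /planning/guidance/
"""

SITE = "https://planning.example-authority.ie"  # hypothetical host


def build_parser(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text directly, without fetching it over the network."""
    parser = RobotFileParser()
    parser.parse(robots_text.splitlines())
    return parser


def crawler_may_index(path: str, user_agent: str = "ExampleBot") -> bool:
    """True if a crawler that honours the protocol may fetch (and so index) path."""
    parser = build_parser(ROBOTS_TXT)
    return parser.can_fetch(user_agent, SITE + path)


def still_crawlable(paths):
    """Return the subset of paths that remain open to crawlers.

    This is the check a data protection officer would run over the URLs of
    uploaded applications: anything returned here is exposed to search engines.
    Note that robots.txt is advisory only; it does not stop a crawler that
    ignores it, so the contact-details page must still be removed before upload.
    """
    return [p for p in paths if crawler_may_index(p)]


if __name__ == "__main__":
    sample = [
        "/planning/applications/2008-1234.pdf",  # constructed application document
        "/planning/guidance/forms.html",
        "/news/",
    ]
    print(still_crawlable(sample))
```

Because the protocol only asks crawlers to stay away, the example treats it as a second line of defence: the removal of the detachable contact-details page remains the control that actually keeps the personal data off the website.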
Alleged disclosure of credit card details by a booking agent
In January 2009 I received a complaint regarding the alleged disclosure of personal information by an internet booking agent. The complainant informed my Office that, when booking a hotel with the booking agent, he provided his credit card details to pay a deposit. However, after his subsequent stay at the hotel and having paid the bill, he received a phone call from the hotel to inform him that the bill had been undercharged by €200 in error. The complainant alleged that the hotel then contacted the booking agent who in turn provided the hotel with his credit card details and that these details were used by the hotel to debit €200 from his credit card account.
My Office contacted the booking agent in question and asked where in its terms and conditions it stated that an individual’s credit card details would be shared with the hotel booked by the customer.
The booking agent, as part of its response, provided my Office with a copy of the full terms and conditions associated with the use of its website. The terms and conditions clearly state that no reservation contract exists between the customer and the booking agent and that the contract is between the customer and the hotel. The booking agent acts as a facilitator for the hotel, and all rooms, availability, pricing and descriptions on hotel websites and on all websites using the booking agent’s technology are under the control of the hotel.
In this case, the complainant, when using the booking agent to book the hotel, was actually booking directly with the hotel and not with the agent. Therefore, when he provided the credit card details on-line to pay the deposit for the hotel, the details were provided directly to the hotel and not to the booking agent as he had previously thought. Therefore, no actual disclosure to a third party took place.
Since my Office raised this issue with the booking agent, it has expanded its terms and conditions to ensure that individuals using the booking agent’s website to book hotels fully understand that the credit card details provided by them are provided to the hotel.
This case clearly demonstrates how important it is for individuals to be fully aware of the terms and conditions associated with any contract they enter into. In most cases, the terms and conditions also outline how the information provided by an individual will be used. In this case, had the complainant read the terms and conditions in full, he would have been aware that the contract existed between himself and the hotel and therefore, in entering his credit card details on-line, he was supplying them to the hotel. I can fully accept, however, that terms and conditions are not always either immediately available or accessible in terms of language to a person seeking to make a booking over the internet.
Harvesting of mobile numbers from a website for the sending of marketing text messages
In January 2009 an individual complained to me regarding his receipt of an unsolicited marketing text message. The complainant stated that he had placed his number on a website to advertise a property he had available to rent. He subsequently received a text message from an energy efficiency testing company offering its services to him. He was concerned not only about the way his number was obtained and processed by the company, but also by the fact that there was no ‘opt out’ option included in the message he received which would have allowed him to object to receiving any further communications.
In order to legitimately contact an individual mobile phone subscriber by text message for direct marketing, the sender must have obtained prior consent from the individual. Otherwise the marketer runs the risk of committing a criminal offence under Regulation 13(1)(b) of S.I. 535 of 2003 (as amended), and may be prosecuted. The failure of a sender to include a cost-free opt-out in a marketing text message is also an offence liable to prosecution.
My Office commenced an investigation into the matters raised by the complainant. We contacted the company to seek an explanation and provided it with a copy of our Guidance Note on the use of electronic mail for direct marketing purposes to assist it in responding on the matter.
The company responded by admitting that it did source the complainant’s number from a website and that it proceeded to then send him a marketing text message regarding a service it was providing to home owners. It was extremely apologetic for causing offence to the complainant and for breaking any regulations. It explained that it had recently commenced offering the service. It also confirmed that it had abandoned plans to continue with such marketing and it advised that the complainant’s personal details were now deleted from its databases.
As an act of good faith and in an effort to amicably resolve the matter to the satisfaction of the complainant, the company donated a sum of €100 to a charity of the complainant’s choice. The complainant was satisfied with this outcome.
This case is an example of the disturbing trend of commercial entities sourcing mobile numbers of private individuals from websites or from other published sources for the purpose of using those numbers to market their own products. Any person who advertises their property for sale or rent on a website or elsewhere should not, as a consequence, be exposed to the risk of receiving unsolicited text messages from a company promoting its own products.
Email marketing error causes data protection breach
In September of 2008 four complaints were received by my Office regarding the sending of a marketing email by a company, in which the email addresses were visible to each of the recipients. The complainants also advised that they had not consented to receiving the email in question. It was also brought to my attention that the email did not contain an ‘unsubscribe’ option which would have enabled the recipients to record their preferences not to receive any further marketing communications. It was also a matter of concern to me that one of the complainants advised me that he had previously contacted the company to request removal of his email address, and despite that, he subsequently received the email which was the subject of the complaints to my Office.
The company notified me, following its own receipt of a complaint, that it had sent a marketing email which contained 1400 email addresses. These addresses were disclosed in the carbon copy field (cc) in error, as opposed to listing the addresses in the blind carbon copy field (bcc), which would have ensured that the personal email addresses of the individual recipients would not have been visible. Once it had realised the error, the company advised me that it recalled all the emails and shut down its server. However, as the complaints to my Office raised a number of other concerns regarding the electronic marketing practices of this company, I decided that an investigation of the matters raised by the complainants was warranted.
In the investigation of these complaints, my Office sought an explanation from the company as to why it sent the marketing email to the recipients without their consent and without the inclusion of a cost-free opt-out facility. The company responded that one of its databases was used in error. It explained that a new member of staff used an old database of consumer enquiries in error and also failed to protect the email address details of the individual contacts on the database. Furthermore, the company did not have sufficient monitoring of its email marketing to provide an opt-out at the point of collection of contact details or to unsubscribe recipients effectively when requested to do so. Following my examination of the response from the company, I was satisfied that it had committed offences by sending the unsolicited email to the recipients without their consent and also without including an unsubscribe option in the email.
On foot of the four complaints to my Office, and in an effort to correct the deficiencies in its marketing operations, the company retained the services of a specialist digital communication service provider to manage its databases and email activity to ensure that there could be no recurrence of these issues in the future. The company also strengthened its policy around database use and it introduced a new anti-spam policy. As a gesture of goodwill, it offered the complainants free passes to an upcoming social event and a letter of apology for the inconvenience caused to them. Furthermore, it also made a charitable donation of €500 to a well-known charity. The four complainants were satisfied to resolve their complaints on that basis. Given that this company had not come to my attention before, I was satisfied that a prosecution against the company was not warranted at that time based on my normal policy in such matters. I am happy to report that my Office has received no further complaints regarding the company’s marketing practices since the investigation of these complaints.
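The three failures in this case (recipient addresses placed in the Cc field rather than Bcc, no unsubscribe option, and an earlier removal request not honoured) can all be checked mechanically before a message leaves the sending system. The Python below is an added illustration of such a pre-send gate and is not code from the case or from the company involved; the sender address, recipient list, suppression-list entry and unsubscribe URL are constructed placeholders.

```python
"""Pre-send guard for bulk marketing mail (added illustration, not code from the case).

Three controls, matching the failures described in the complaint:
  1. bulk recipients belong in Bcc, so no recipient can see the others;
  2. every marketing message must carry an unsubscribe mechanism;
  3. addresses on the opt-out (suppression) list are never mailed.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "news@example.com"                  # constructed placeholder sender
SUPPRESSION_LIST = {"removed@example.net"}   # constructed: one person who asked to be removed
UNSUBSCRIBE_URL = "https://example.com/unsubscribe"  # constructed placeholder


def audit_outbound(msg, suppression_list, max_visible=1):
    """Return a list of policy violations; an empty list means the message may be sent."""
    problems = []
    suppressed = {s.lower() for s in suppression_list}

    # Control 1: only the sender's own address (or nothing) should be visible in To/Cc.
    visible = [addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])) if addr]
    if len(visible) > max_visible:
        problems.append(f"{len(visible)} recipient addresses exposed in To/Cc; use Bcc")

    # Control 2: an unsubscribe header or an unsubscribe link in the body.
    body = msg.get_content() if not msg.is_multipart() else ""
    if not msg.get("List-Unsubscribe") and "unsubscribe" not in body.lower():
        problems.append("no unsubscribe mechanism (List-Unsubscribe header or link in body)")

    # Control 3: nobody on the opt-out list may appear anywhere in the recipient set.
    hidden = [addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    for addr in sorted(set(visible + hidden) & suppressed):
        problems.append(f"{addr} is on the opt-out list")
    return problems


def build_bulk_message(recipients, subject, body, unsubscribe_url, suppression_list):
    """Compose a message that passes the guard: suppression applied, Bcc only, opt-out link."""
    suppressed = {s.lower() for s in suppression_list}
    to_send = [r for r in recipients if r.lower() not in suppressed]
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER                 # only the sender is visible; real recipients go in Bcc
    msg["Bcc"] = ", ".join(to_send)
    msg["Subject"] = subject
    msg["List-Unsubscribe"] = f"<{unsubscribe_url}>"
    msg.set_content(f"{body}\n\nTo stop receiving these emails, visit {unsubscribe_url}")
    return msg


def incident_message(recipients):
    """Reconstruct the failure mode from the case: everyone in Cc, no opt-out (constructed)."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["Cc"] = ", ".join(recipients)  # the error: addresses visible to every recipient
    msg["Subject"] = "Our new products"
    msg.set_content("Come and see our new range!")
    return msg


# Constructed recipient list; one address previously asked to be removed.
RECIPIENTS = ["a@example.org", "b@example.org", "removed@example.net"]

if __name__ == "__main__":
    for problem in audit_outbound(incident_message(RECIPIENTS), SUPPRESSION_LIST):
        print("BLOCKED:", problem)
    good = build_bulk_message(RECIPIENTS, "Our new products", "Come and see our new range!",
                              UNSUBSCRIBE_URL, SUPPRESSION_LIST)
    print("compliant message violations:", audit_outbound(good, SUPPRESSION_LIST))
```

Run as a gate in the sending pipeline, `audit_outbound` blocks a message like the one in the complaint on all three counts, while a message composed with `build_bulk_message` passes because suppression is applied before the recipient list is built rather than left to the individual operator.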
Recruitment companies sharing CVs
In April 2009 I received a complaint against a recruitment company (company A) regarding an alleged disclosure of the complainant’s curriculum vitae (CV) to another recruitment company (company B). The complainant submitted his CV to company A for a particular job which was advertised on a recruitment website. However, he was subsequently contacted by company B asking for further details in relation to his CV. In a phone call, company B confirmed to the complainant that it had received his CV from company A. The complainant claimed that the company to which he sent his CV did not obtain his consent to disclose his CV to another company.
My Office commenced an investigation into the matter and we wrote to company A and asked it to demonstrate the consent it considered it had in place to disclose the complainant’s CV to company B. A key principle of data protection is that personal data should be used and disclosed only in ways compatible with the purposes for which it was obtained. Company A explained that it and company B, although they were separate legal entities and registered separately with the Companies Registration Office, were effectively run as one company. They both shared, among other things, the same office space, databases, IT infrastructure, telephone system and management. However, one of the companies handled recruitment of middle and senior management while the other one handled recruitment of office and customer support staff. In this case, when the complainant submitted his CV to Company A, the consultant who received it passed it to a consultant in Company B as possible skills were identified from the CV which may have been of interest to the other consultant’s clients.
My Office advised Company A that the companies were two separate entities and therefore, individuals using the services of either one should be made fully aware, prior to submitting their personal information, that it would be shared between the two companies. We also noted that the privacy policy on its website did not contain any reference to the fact that both companies share information and we advised that it should contain a statement which informed individuals using the website how their information would be processed and that their information would be shared between the two companies. My Office also advised that, if it was unable to do this, the only alternative was to separate out the two entities completely and cease sharing personal information.
As a result of our investigation, we received an assurance from Company A that it would insert a statement on both of the companies’ websites to inform individuals using the websites how their personal information would be processed and of the fact that it would be shared between both companies. It also indicated that it would no longer have separate entities and that, although this would take some time to arrange, both companies would trade as one company in future.
I welcome the fact that the data controller immediately put in place the measures needed to bring it into compliance with the Acts. It is important for any data controller to make individuals fully aware at the outset as to how their personal data will be processed and to whom it may be disclosed. As a general rule personal data may not be shared between two legal entities without the consent of the individual about whom the data relates.
Excessive data sought on penalty points
In November 2008, my Office received a complaint against Quinn Direct Insurance regarding the amount of information sought when an individual requested a quotation for motor insurance. The complainant stated that, during a phone call to Quinn Direct Insurance in November 2008, in which he sought a quotation for motor insurance, he was asked for information on any penalty points he had received on his driving licence during the previous five years.
Section 2(1)(c)(iii) of the Data Protection Acts, 1988 and 2003 provides that personal data obtained by a data controller shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or are further processed. In October 2002, the Minister for Transport announced the introduction of penalty points for speeding offences for all drivers under the Road Traffic Act, 2002. Other offences were added to the penalty points system since then. Under the Act, penalty points remain on a person’s driving licence for a period of three years.
My Office contacted Quinn Direct Insurance and raised our concerns that potential customers for car insurance were being asked to provide details of penalty points for the previous five years while the applicable legislation states that such details should be kept on a driver’s licence for only three years. Quinn Direct Insurance responded to my Office stating “In underwriting a motor policy, and assessing the risk involved, we require information from the proposer on the convictions and or penalty points obtained on their licence in the previous five years. The risk may be assessed differently depending on the offence type, the number of points and whether or not there was a driving ban imposed – for example, the rating for careless driving will be different to speeding. We do not rate solely on the number of points but require this information in deciding on the severity of the offence for assessing the policy.”
My Office expressed its dissatisfaction at Quinn Direct Insurance’s reasons for seeking information on penalty points for the previous five years in circumstances where the statutory obligation for the retention of penalty points on a driver’s licence was three years. We requested that it cease the practice of seeking such data immediately. Quinn Direct Insurance in response stated that its quotation process would be revised to ensure that details on penalty points would only be requested for the previous three years rather than five years as had previously been the case.
This case clearly demonstrates how important it is that data controllers satisfy themselves, on an ongoing basis, that information sought from customers is not excessive. Unless there is a clear basis for requesting certain categories of personal data, data controllers should exercise restraint when seeking personal data and they should ensure that only the minimum amount of personal data necessary is processed. This is particularly the case where the data sought relates to matters such as offences.
Further processing personal data without consent
My Office received a complaint in December 2008 from a data subject regarding the alleged use of video clips of her and her family for training purposes, without her consent, by the HSE West. The video clips were recorded with the data subject’s consent as part of her family’s participation in a particular programme known as Marte Meo. The data subject’s family had agreed to participate in the programme for the purpose of being a foster family. The data subject informed my Office that she first became aware that video clips concerning her family’s participation in the programme had been shown at a conference held in Germany when her Fostering Social Worker telephoned her after the event to give her feedback from the conference.
According to the HSE, the Marte Meo model is used by Social Work Teams at the HSE as a supportive intervention in fostering cases. It is a film-based intervention used to provide feedback to the prospective foster family on their natural supportive communications and how these can support their preparation for a foster placement. In this case the data subject’s family were asked by the HSE West to provide care to two young girls in an emergency situation.
The HSE West informed my Office that the data subject’s Fostering Social Worker understood that the data subject had given verbal consent for the use of the video clips by her supervisor at the conference. The HSE West confirmed to my Office that two short video clips of the fostering video tape were used at the conference. The HSE West also confirmed that when the proposal to use the video clips was first put to the data subject she was informed that a signed consent would be sought. However, on a subsequent visit to the data subject’s home, the Fostering Social Worker forgot to bring the consent form. The HSE West proceeded to use the video clips even though it had not obtained the written consent of the data subject and her family.
My Office informed the HSE West of our view that it had breached the Acts by further processing the video clips without obtaining the consent of the data subject and her family. My Office also informed the HSE West that, based on information provided by them, the breach occurred when the HSE West departed from its own procedures – i.e. it failed to obtain written consent.
My Office’s approach to complaints is to try to reach an amicable resolution. The HSE West confirmed its willingness to acknowledge its error and to apologise in writing to the data subject. It also informed us that a system was now in place to ensure that all consent forms are completed according to the Marte Meo standards. The data subject accepted the amicable resolution of her complaint.
This case study demonstrates how an organisation can breach the Acts when its staff, however well-intentioned, fail to follow internal procedures. It also highlights the importance of staff training in data protection.
HSE West and a consultant ophthalmic surgeon breach the Acts
I received a complaint from a data subject about an alleged disclosure of personal information concerning his medical condition by a data controller. The data subject was involved in an insurance action with a third party in relation to an eye injury. The third party’s insurance company requested the data subject to attend a consultant ophthalmic surgeon for an assessment at his private surgery in Limerick. The consultant was also a consultant ophthalmic surgeon at the Mid-Western Regional Hospital in Limerick. The data subject had previously attended another consultant ophthalmic surgeon at the Mid-Western Regional Hospital as a public patient in relation to his eye injury.
The complaint was twofold. The first aspect related to the alleged release of the data subject’s hospital chart by the Mid-Western Regional Hospital to the consultant ophthalmic surgeon acting on behalf of the insurance company in his private practice. It was alleged that this took place without the data subject’s consent. The second aspect of the complaint related to the alleged unfair obtaining of the data subject’s hospital chart by the consultant ophthalmic surgeon.
The first point to be borne in mind in relation to this case was that the personal data in question, being medical records of the data subject, constituted ‘sensitive personal data’ as defined in the Acts. The central issue to be considered in this case, from a data protection point of view, was whether the HSE West, Mid-Western Regional Hospital complied in full with its obligations under the Acts.
Section 2 of the Acts deals with the collection, processing, keeping, use and disclosure of personal data. I was satisfied that no data protection issues arose in relation to sections 2(1)(a),(b), (c)(i), (c)(iii) or (c)(iv) of the Acts in relation to the Mid-Western Regional Hospital’s collection, processing, keeping and use of the data subject’s sensitive personal data. However, the disclosure of the data subject’s medical chart to the consultant ophthalmic surgeon had to be considered in the context of section 2(1)(c)(ii) of the Act. This section provides that personal data should not be further processed in a manner incompatible with the purpose for which it was collected. It was clear from my Office’s investigation that the consultant ophthalmic surgeon’s secretary at his private rooms contacted his secretary at the Mid-Western Regional Hospital to locate the data subject’s medical records relating to his eye condition. Following this contact, the secretary based at the hospital located the record and disclosed it to the consultant surgeon’s private surgery.
In assessing this issue from a data protection perspective, a clear distinction must be drawn between the consultant surgeon’s work within the HSE West, Mid-Western Regional Hospital as an employee of that hospital and his work carried out privately on behalf of an insurance company. The hospital’s disclosure of the medical records to the private rooms of the consultant surgeon undoubtedly involved the disclosure of those records from one data controller (the HSE West, Mid-Western Regional Hospital) to another (the consultant surgeon’s private surgery). It could not be regarded as information sharing within a single data controller because the consultant surgeon sought the data subject’s medical record from the hospital in his capacity as a separate data controller. In this instance he was not acting in his capacity as an employee of the HSE.
The medical record at the Mid-Western Regional Hospital in respect of the data subject was compiled in the course of his treatment for an eye condition. This was a specific, explicit and legitimate purpose. Any further use or disclosure of that medical record must be necessary for that purpose or compatible with the purpose for which the hospital collected and kept the data. The consultant surgeon was a separate data controller who sought this data for the purposes of an assessment of the data subject’s eye condition on behalf of an insurance company to facilitate their processing of an insurance claim. The processing of an insurance claim related to the data subject’s eye injury represented an entirely different purpose to the treatment of the data subject for an eye condition at the Mid-Western Regional Hospital.
There was also an obligation to meet the conditions set out in Section 2A of the Acts. These conditions included obtaining the consent of the data subject or deeming that the processing of the data was necessary for one of the following reasons:
- the performance of a contract to which the data subject is a party;
- in order to take steps at the request of the data subject prior to entering into a contract;
- compliance with a legal obligation, other than that imposed by contract;
- to prevent injury or other damage to the health of the data subject;
- to prevent serious loss or damage to property of the data subject;
- to protect the vital interests of the data subject where the seeking of the consent of the data subject is likely to result in those interests being damaged;
- for the administration of justice;
- for the performance of a function conferred on a person by or under an enactment;
- for the performance of a function of the Government or a Minister of the Government;
- for the performance of any other function of a public nature performed in the public interest; or
- for the purpose of the legitimate interests pursued by a data controller except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject.
In this case, the data subject did not give his consent to the Mid-Western Regional Hospital for the processing of his personal data involving the disclosure of his medical record to the consultant surgeon. In the absence of consent, the data controller must be able to meet at least one of the eleven conditions set out above. In this instance, the hospital did not meet any of those conditions.
To process sensitive personal data, in addition to complying with Sections 2 and 2A of the Acts, at least one of a number of additional special conditions set out in Section 2B(1) of the Acts must be satisfied:
- the data subject must give explicit consent to the processing, or
- the processing must be necessary for one of the following reasons:
  - for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;
  - to prevent injury or other damage to the health of the data subject or another person, or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given or the data controller cannot reasonably be expected to obtain such consent;
  - it is carried out by a not-for-profit organisation in respect of its members or other persons in regular contact with the organisation;
  - the information being processed has been made public as a result of steps deliberately taken by the data subject;
  - for the administration of justice;
  - for the performance of a function conferred on a person by or under an enactment;
  - for the performance of a function of the Government or a Minister of the Government;
  - for the purpose of obtaining legal advice, or in connection with legal proceedings, or for the purposes of establishing, exercising or defending legal rights;
  - for medical purposes;
  - for the purposes of political parties or candidates for election in the context of an election;
  - for the assessment or payment of a tax liability; or
  - in relation to the administration of a Social Welfare scheme.
As stated previously, the consent of the data subject, explicit or otherwise, was not obtained by the data controller for the processing of his personal data involving its disclosure by the Mid-Western Regional Hospital to the consultant surgeon. There are twelve conditions set out above, at least one of which must be met by a data controller in the absence of explicit consent before sensitive personal data can be processed. In this instance, the Mid-Western Regional Hospital did not meet any of those conditions.
I formed the opinion that the HSE West, Mid-Western Regional Hospital contravened Section 2(1)(c)(ii), Section 2A(1) and Section 2B(1)(b) of the Acts by processing the data subject’s sensitive personal data in a manner which was incompatible with the purpose for which it was obtained. This processing occurred when the consultant surgeon’s secretary at the Mid-Western Regional Hospital disclosed the data subject’s hospital medical file to his private practice secretary. In response to this incident the HSE West put in place improved controls for ensuring that requests for access to hospital files are justified and fully in line with the purpose for which health data is held. I welcome this.
I also considered whether the consultant surgeon had breached the requirements of the Acts by obtaining and using the file created in the Mid-Western Regional Hospital.
In light of my previous decision which found a number of contraventions of the Acts by the HSE West, it followed that the consultant surgeon unfairly obtained the data subject’s hospital file. However, it was also clear that this was done unintentionally and in good faith.
I accept that the lines can be blurred in some instances in the health sector between treatment provided by the public system and treatment provided by the private system (especially here in Ireland due to the public/private sector split). This can give rise to complexity in terms of data protection responsibilities as patient information flows between the public and private systems. However, no such complexity arises in relation to the transfer of personal data that is not related to the treatment of a patient (in this particular instance carried out on behalf of an insurance company). Organisations entrusted with personal data, and especially those holding sensitive personal data such as health information, have onerous responsibilities under the Data Protection Acts. These responsibilities reflect the position of trust afforded to such data controllers when they are given our personal data.
An employer attempts to use CCTV for disciplinary purposes
In February 2008 I received complaints from two employees of the same company regarding their employer’s intention to use CCTV recordings for disciplinary purposes.
In this case, the employer had used CCTV images to compile a log that recorded the employees’ pattern of entry and exit from their place of work. The employer then notified a trade union representative that this log would be used at a disciplinary meeting. It also supplied a copy of the log to the union representative. The employer sent letters to each employee requesting that they attend a disciplinary meeting to discuss potential irregularities in their attendance. The letters indicated that this was a very serious matter of potential gross misconduct and that it could result in disciplinary action, up to and including dismissal.
The employees immediately lodged complaints with my Office. They stated that they had never been informed of the purpose of the CCTV cameras on the campus where they were employed. They pointed out that there were no signs visible about the operation of CCTV. On receipt of the complaints, my Office contacted the employer and we outlined the data protection implications of using CCTV footage without having an appropriate basis for doing so. We informed the company that, to satisfy the fair obtaining principle of the Data Protection Acts with regard to the use of CCTV cameras, those people whose images are captured on camera must be informed about the identity of the data controller and the purpose(s) of processing the data. This can be achieved by placing easily read signs in prominent positions. A sign at all entrances will normally suffice. If an employer intends to use cameras to identify disciplinary (or other) issues relating to staff, as in this instance, staff must be informed of this before the cameras are used for these purposes.
The employer accepted the views of my Office. It informed the two employees that it was not in a position to pursue the matter of potential irregularities in attendance as it could not rely on CCTV evidence obtained in contravention of the Data Protection Acts.
This case demonstrates how data controllers are tempted to use personal information captured on CCTV systems for a whole range of purposes. Many businesses have justifiable reasons, related to security, for the deployment of CCTV systems on their premises. However, any further use of personal data captured in this way is unlawful under the Data Protection Acts unless the data controller has made it known at the time of recording that images captured may be used for those additional purposes. Transparency and proportionality are the key points to be considered by any data controller before they install a CCTV system. Proportionality is an important factor in this respect since the proposed use must be justifiable and reasonable if it is not to breach the Data Protection Acts. Notification of all proposed uses will not be enough if such uses are not justifiable.
Substantial guidance is available on our website in relation to the use of CCTV in a business or in a workplace. I would encourage all data controllers, particularly those who may already have such recording systems in place, to familiarise themselves with our guidance on this important issue.
Data Controller breaches several provisions in its processing of Sensitive Personal Data
I received a complaint in May 2006 from a data subject regarding the use by her former employer, Baxter Healthcare S.A., of two medical reports relating to her. The data subject had been involved in an industrial accident at work in April 2002 which subsequently resulted in a prolonged absence from the workplace. During this absence, the data subject pursued a personal injuries claim against Baxter Healthcare. As part of this process, at the request of the solicitor acting on behalf of Baxter Healthcare’s insurers, she attended a consultant neurologist on two occasions for medical evaluation in 2003 and 2004. Early in 2005, the data subject became aware that the medical reports compiled as a result of those evaluations were in the possession of Baxter Healthcare. Through her solicitor, the data subject made an access request to Baxter Healthcare for copies of the medical reports. She was advised in writing that, as these reports were obtained in the context of her personal injury proceedings, her access request should be addressed to the solicitors, P. O’Connor & Son, acting for the insurers. Shortly afterwards, the data subject’s contract of employment was terminated. The decision by Baxter Healthcare to terminate the employment was stated to be on the basis of the medical evidence available to the company, including the medical reports compiled in 2003 and 2004 in the context of the data subject’s personal injury claim. Following her dismissal, the data subject brought a claim to the Labour Relations Commission against Baxter Healthcare under the Unfair Dismissals Act 1977 to 2001. A hearing in relation to this case took place in April 2006 and the data subject alleged that, in the course of the hearing, copies of the medical reports were furnished by Baxter Healthcare to herself, to the Rights Commissioner and to all present. These medical reports had not been previously provided to her in response to her access request.
My Office conducted a detailed and extensive investigation of this complaint. This focused on two primary data protection issues, namely the use of the medical reports obtained to defend an insurance claim to support the dismissal of the data subject and the disclosure of those same medical reports at a labour relations hearing. The company’s solicitor stated that the medical reports of the consultant neurologist were obtained for the legitimate purpose of defending personal injury proceedings instituted by the data subject and that the medical reports were also employed and required for the legitimate purpose of defending separate legal proceedings against Baxter Healthcare under the Unfair Dismissals Acts 1977 to 2001. It submitted that Section 2(1)(c)(i) of the Acts specifically envisages that the data may be obtained and used for more than one purpose, provided that both purposes are legitimate. It went on to state that Section 2(1)(c)(ii) of the Acts only prohibits further processing insofar as that processing is incompatible with the original purpose or purposes. It argued that the use of the reports to defend legal proceedings against Baxter Healthcare under the Unfair Dismissals Act could not be said to be incompatible with the original purpose as the original purpose was to defend legal proceedings instituted by the data subject and the subsequent use was to also defend legal proceedings, albeit separate proceedings by the data subject.
The data subject sought a decision on her complaint under Section 10(1)(b)(ii) of the Acts in June 2007. In my analysis of the data protection issues arising from this complaint, I found that the medical reports in question constitute ‘sensitive personal data’ within the meaning of the Acts. The medical reports were commissioned on behalf of Baxter Healthcare’s insurers, by its solicitors, for the purpose of the defence of the High Court personal injury claim instituted by the data subject. The reports were, however, used for three purposes:
- They were used for the purpose for which they were generated in the first place, i.e. for the defence by Baxter Healthcare’s insurers of the High Court personal injury claim instituted by the data subject.
- They were used in the decision taken by Baxter Healthcare to terminate the employment of the data subject.
- They were used to defend legal proceedings taken by the data subject against Baxter Healthcare under the Unfair Dismissals Act at a hearing in April 2006.
No data protection issue arose in relation to the first use of the medical reports by Baxter Healthcare’s insurers in the context of its defence of the personal injury claim brought by the data subject.
With regard to the second use by Baxter Healthcare of the medical reports in the decision to terminate the data subject’s employment, this was done without the data subject’s consent. The general requirements that must be complied with by a data controller under the Acts in relation to the personal data of a data subject include the following:
- the data shall have been obtained only for one or more specified, explicit and legitimate purposes;
- the data shall not be further processed in a manner incompatible with that purpose or those purposes;
- the data subject is informed of the purpose or purposes for which the data are intended to be processed.
The consent of the data subject is the default position, as it were, for the fair processing and obtaining of personal data. Where it is absent, the data controller may not process personal data unless it can find another basis in the Acts. The Acts provide for the following exemptions which were potentially applicable in the present case:
- the processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject (Section 2A(1)(d));
and (because sensitive data is involved)
- the processing is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings or is otherwise necessary for the purpose of establishing, exercising or defending legal rights (Section 2B(b)(vii)).
All of these conditions must be met.
In my analysis of this complaint, I considered that the purpose for which the medical reports were originally obtained (the defence by Baxter’s insurers of the High Court personal injury claim instituted by the data subject) was not compatible with their further use to support the data controller’s decision to dismiss the data subject. I considered that, in the absence of the data subject’s consent, this processing of the data subject’s sensitive personal data constituted a breach of the Acts.
With regard to the third use by Baxter Healthcare of the medical reports to defend legal proceedings under the Unfair Dismissals Act, the same considerations arose in relation to the further use of the sensitive personal data at a hearing before a Rights Commissioner in April 2006, with the aggravating factor that the sensitive personal data was further disclosed to those involved in the hearing.
However, I had to consider if the processing of personal data in this case might benefit from the exemption in Section 8(f) of the Acts which provides that: “Any restrictions in this Act on the processing of personal data do not apply if the processing is … required … for the purposes of, or in the course of, legal proceedings in which the person making the disclosure is a party or a witness.”
I formed the opinion that this exemption cannot apply to sensitive personal data which has already been improperly processed to support the decision (dismissal) which was the subject matter of the legal process. I concluded that the use of the medical records to defend the Unfair Dismissals claim constituted a further breach of the Acts.
For completeness, my Decision in this case also found that Baxter had failed to comply fully with an access request made by the data subject.
This case demonstrates the care which data controllers must exercise in the processing of all personal data, including sensitive personal data, in their possession. It is unacceptable for a data controller to seek to take advantage of personal data which may be in its possession and to use it for some purpose unrelated to the purpose for which it was originally obtained.
Inappropriate use of CCTV footage by West Wood Club
I received a complaint from a data subject alleging breaches of the Data Protection Acts by inappropriate use of CCTV footage at West Wood Club, Sandymount in Dublin. In her complaint she informed my Office that on 4th March, 2006 she visited the West Wood Club as a member to use the steam/sauna rooms and the swimming pool. A customer service issue arose on the day in relation to the cleanliness of the facilities, about which the complainant made a phone-call from the steam/sauna rooms. The data subject wrote a subsequent letter of complaint about the matter to the Club, following which she was asked to meet the manager to discuss the matter. Upon doing so she was presented with CCTV footage which, it was claimed, supported the club’s view of the customer service issues arising and refuted her claim that she had made a phone-call on the issue on the morning in question. In this respect, three CDs of CCTV footage were presented, each of which in turn was claimed to show the data subject engaging in leisure activities within the gym on the morning in question. In fact they did not show the data subject but other female members of the gym.
Shortly afterwards the data subject’s membership of the gym was revoked.
The data subject informed my Office that she found it acceptable to be shown CCTV footage to assure her that the sauna/steam rooms had been cleaned but she found it unbelievable that West Wood Club kept and viewed footage to discredit members’ genuine complaints. She felt strongly that the CCTV footage was shown to her to intimidate her and question her good character and was used to say that she was lying.
My Office commenced an investigation and wrote to the Managing Director of West Wood Club expressing our concern at what appeared to be excessive and disproportionate use by West Wood Club of CCTV footage for the purpose of dealing with the data subject’s complaint. A response was received from the solicitors for the Club and an exchange of correspondence subsequently took place between my Office and the solicitors. Among other things, my Office was informed that the only purpose for which CCTV was used in the Club was security. They also confirmed that members and staff of the Club were aware that their images were being recorded, as there were several signs displayed in the Club regarding the operation of CCTV. It was also confirmed to my Office that CCTV footage was automatically erased at the end of each month.
However, the solicitors contested any suggestion that the Data Protection Acts prohibit data that has been bona fide obtained and temporarily stored for one general purpose from being used in specific circumstances for some other useful purpose that is for the general good. They also stated that the purpose of the CCTV system in operation at West Wood Club was, like most CCTV systems, security and that this included the issues of theft and personal safety and integrity. They contended that this was a health and safety issue, coming under the general heading of security, on the grounds that the data subject made a complaint that the sauna was unhygienic because it had not been cleaned. I disagreed with the data controller’s position on this matter. I accepted that the purpose of ‘security’ may include the issues of theft and personal safety in certain circumstances related to security risk. However, the issues of integrity, health and safety are clearly separate purposes from the purpose of ‘security’.
Section 2(1)(c)(ii) provides that data shall not be further processed in a manner incompatible with the purpose or purposes for which it was obtained. It was clear from my Office’s correspondence with the data controller’s solicitors that West Wood Club processed images which were recorded for ‘security’ purposes by showing them to the data subject in response to a complaint which she had made concerning the sauna/steam rooms not being operational on the morning of 4 March, 2006. Her complaint had nothing whatsoever to do with ‘security’ issues and, therefore, it was entirely inappropriate for the data controller to produce personal data, about other individuals as it transpired, which was obtained for ‘security’ purposes, to attempt to deal with this matter.
I had no reason to doubt the version of events given to me by the data subject. I concluded that West Wood Club did indeed set out to refute the data subject’s complaint through the use of CCTV footage which was recorded for a ‘security’ purpose.
I was required to make a Decision on this case under Section 10(1)(b)(ii) of the Acts. I formed the opinion that West Wood Club breached Section 2(1)(c)(ii) of the Acts by the further processing of CCTV footage which was obtained for security purposes in a manner incompatible with that purpose. I found it disturbing that the data subject’s membership of West Wood Club was invalidated following a breach of the Data Protection Acts by West Wood Club. It is unacceptable that an entity against whom a complaint is made would contravene the Data Protection Acts in dealing with the complaint and thereby infringe on the data protection rights of the complainant or others.
CCTV recordings have become an everyday part of our lives. Their usage, and seeming acceptance, for so many different purposes is troubling. In this case, the use of CCTV in the private areas of a sauna/steam room in a gym is questionable in itself from a data protection perspective. To then use the footage captured (notionally for security purposes) in an attempt to discredit a gym member making a customer service complaint is totally unacceptable. In the circumstances I had no hesitation in finding in favour of the complainant.
NewTel Communications – Ordered to suspend marketing
The marketing activities of the telecommunications company NewTel Communications Ltd came to the attention of my Office in 2006 and again early in 2007. In 2006 an inspection was conducted of its marketing activities and appeared to indicate that it had taken appropriate remedial action. However, in 2007 we received in a short period a number of complaints regarding marketing calls made by this company. These calls were made to individuals who either had already expressly told the company that they did not wish to be contacted or had exercised their right to have their preference not to be called recorded on the National Directory Database opt-out register.[11]
These marketing calls contravened Regulations 13(4)(a) and 13(4)(b) of SI 535 of 2003 which state that:
“A person shall not use, or cause to be used, any publicly available electronic communications service to make an unsolicited telephone call for the purpose of direct marketing to the line of a subscriber, where
(a) the subscriber has notified the person that the subscriber does not consent to the receipt of such a call on his, her or its line, or
(b) subject to paragraph (5), the relevant information referred to in Regulation 14(3) is recorded in respect of the line in the National Directory Database.”
My Office investigated the complaints which we had received. After initial investigation, we found out that an external offshore agency employed by NewTel Communications Ltd to make marketing calls was not following the company’s “do not call” policy. As a result of this information, NewTel Communications Ltd ceased its relationship with the offshore agency concerned in March 2007. However, my Office continued to receive complaints about further unsolicited calls made by NewTel Communications Ltd. We concluded that, despite assurances from the company, its marketing procedures were not sufficiently robust or watertight to uphold the data protection rights of subscribers who did not wish to receive direct marketing calls. We accordingly requested NewTel Communications to cease all ‘cold call’ marketing with immediate effect or we would issue a legally binding enforcement notice to that effect. We informed the company that we would not agree to allow this marketing activity to recommence until it had identified and remedied whatever problems in its procedures or systems had led to the unsolicited marketing calls to the complainants to my Office.
NewTel Communications Ltd complied with my Office’s request and it initiated an internal investigation. As a result of this investigation, the company established that a second offshore agency was not following the company’s “do not call” policy. Recognising the seriousness of the matter, the company suspended this agency from marketing on its behalf. My Office was satisfied with the actions taken by the company to identify the problems and to correct them. Following this remedial action, we agreed that NewTel could recommence its telemarketing activities. Its ‘cold calling’ marketing campaign had been suspended for a total of twenty days as a result of the actions taken by my Office.
This case demonstrates that my Office will take strong and effective action, such as requiring the suspension of marketing activities, where necessary. Complaints about telemarketing from the general public are an indicator of problems in the procedures or systems in companies which operate in the telemarketing sector. My Office continues to ensure that those companies complained of take immediate steps to identify the problems and then sort them out without delay. If the suspension of a company’s marketing activities is necessary to achieve corrective measures, we will not hesitate to require such action, difficult though it may be for the company concerned.
[11] Telephone subscribers can have their preference not to be contacted by direct marketers recorded on the National Directory Database (NDD) by contacting their line provider, who will supply the relevant details to the NDD.
The Bar Council’s In-house Legal Diary and Ashville Media
The Bar Council complained to me about the use of their members’ data by a publication, “The Irish Legal Professional”, which was published by the Ashville Media Group. The Bar Council explained that Ashville Media Group had published the Bar Council’s in-house legal diary, which was for the sole use of barristers, under contract from 1998 to 2002. On expiry of the contract, the Bar Council changed to another company for publication of the diary. In order to publish the barristers’ diary, Ashville Media Group had been afforded access to an internal database containing contact details for all barristers, including their home addresses, home and work telephone numbers, mobile numbers and email addresses. The Bar Council stated that, despite the termination of the contract between the Bar Council and Ashville Media Group, Ashville Media Group used the database in their own publication “The Irish Legal Professional” in 2003 and 2004.
In my investigation, Ashville acknowledged the facts alleged in the complaint. However they submitted that the personal data (contact details) of barristers are already in the public domain and are readily available to the public, and as such the Legal Diary simply makes these more accessible to Barristers and Solicitors. I noted that section 1(4)(b) of the Acts provides that the Acts do not apply to personal data which is required to be made available to the public by the person keeping it. However, I was satisfied that there is no legal obligation on the Bar Council to make the personal data of barristers available to the public so I found that section 1(4) was not relevant in this case. However, even if it was the case that barristers’ details are in the public domain by virtue of a requirement on the Bar Council to publish the data, that would not absolve other data controllers or data processors acquiring those data of their obligations under the Acts.
In my decision, I noted that during the currency of the contract, Ashville was a data processor on behalf of the Bar Council within the meaning of the Acts (a data processor being a person who processes personal data on behalf of a data controller). I found that this means that personal data obtained for the purposes of a data processor contract may not be processed subsequently for a different purpose and that, as a data processor, Ashville in publishing the contact details of Barristers in their 2003 and 2004 Guide contravened section 21(1) which provides that
“personal data processed by a data processor shall not be disclosed by him … without the prior authority of the data controller on behalf of whom the data are processed”.
I also found that Ashville Media Publications
– in continuing to process the data were in that respect also a data controller and that as such they had contravened section 2(1)(c)(ii) of the Acts by further processing the data for a new purpose, i.e. in publishing the contact details of Barristers in their 2003 and 2004 Guide;
– as a data controller, had contravened section 2(1)(a) of the Acts in that the data was not fairly obtained for the new purpose; and
– contravened section 2A of the Acts in that none of the conditions specified in that section (consent or another specified condition) were met in order to legitimise the processing of the data.
In reaching my Decision, I required Ashville to delete the Bar Council’s 2002 database and any other data derived from it, i.e. the 2003 and 2004 databases, and I noted that they responded promptly, undertaking to comply with this requirement. Accordingly, I decided not to institute proceedings against Ashville Media for an offence under section 21(2) of the Acts.
Political database and a charity request, “spamming” of constituents and non co-operation from a County Councillor
During the year, I received two complaints concerning matters relating to political activity which raised important Data Protection issues.
The first related to a political party. It was alleged by the complainant, a member of this party, that another local member of the party who was also a member of a charitable organisation had sent him a fund-raising letter on behalf of the charity which identified him as “an active member of our community within the party”. He maintained that his contact details were obtained from the party membership list held locally.
While the appeal for the charity was worthwhile, nevertheless once a complaint was received I had to take the matter up with the party’s national headquarters. It responded promptly and acknowledged that the local member had used the local party database in sending out an appeal for funds for the charity. While the individual was well-intentioned, the headquarters accepted that the use of data in this way was a contravention of section 2 of the Data Protection Acts, 1988 and 2003 which provides that personal data
(i) “shall have been obtained only for one or more specified, explicit and legitimate purposes”
and
(ii) “shall not be further processed in a manner incompatible with that purpose or those purposes.”
Data relating to membership of a political party is sensitive personal data within the meaning of the Acts and such data controllers are required to ensure that appropriate safeguards against disclosure are in place. This is especially important given the provision in section 2B(1)(ix) of the Acts which permits processing of sensitive data without individual consent “by political parties, or candidates for election to, or holders of, elective political office in the course of electoral activities for the purpose of compiling data on people’s political opinions …”. In the course of concluding this complaint, my Office advised the party on their obligations as a data controller, particularly in regard to informing members processing personal data of the requirements of Data Protection.
The second complaint, which was received in late 2003, was about an unsolicited email of a political nature which had been sent by a County Councillor, Jon Rainey, of Fingal County Council. It was alleged that in June 2003 he had “harvested” email addresses from the address line of an email sent by a third party, who was also a County Councillor but of another party. (“Harvesting” refers to the addition to one’s own mailing list of any email address received on the “to” or “cc” line of an email.) This was in contravention of the provisions of S.I. No. 535 of 2003 (European Communities (Electronic Communications Networks and Services) (Data Protection) Regulations 2003), which require prior consent for unsolicited emailing of individuals for direct marketing purposes, including political purposes.
I only name Mr. Rainey in my Report because he failed completely to cooperate with my investigations and only acknowledged the facts of the complaint 6 months after I had first raised them, and then only when I had to formally issue him with an Information Notice under sections 10 and 12 of the Acts. At that late stage, he confirmed that the details of email addresses “harvested” from another email had been deleted from his system and that no further details had been obtained in this manner. However, his attitude to my Office was that the matter was of little consequence and he complained that I had “pestered” him.
It is important that public representatives and candidates for elective office realise the importance of their obligations under the Acts and that, in so far as responding to legitimate investigations from statutory office holders is concerned, in no sense should they consider themselves above the Law. In this case, I was concerned that a public representative failed to see the significance of a complaint that he was “spamming” his constituents and equally that a lot of unnecessary correspondence and time could have been spared if a full reply to this matter had been received initially.
That said, I am pleased to record that this was an isolated incident, as any complaints I have received regarding political activities are responded to in a proper and prompt manner.
Drogheda Hospital – investigation into a consultant’s practice – patients felt consent was necessary – balance to be struck with concerns for public health issues overall
I received many complaints from former patients of a Drogheda hospital in relation to the manner in which an investigation was carried out by a health board into the conduct of a consultant’s practice. They complained that in the course of its investigation, the health board had sent copies of patients’ records and charts to a UK based healthcare risk management group and to an Irish review group without the consent of the individuals involved in 1998 and subsequently.
When I began to investigate the matter, I established that the data that had been disclosed by the Health Board prior to 1 July 2003 was manual data, consisting of patient files, theatre files, etc. While the Data Protection Act, 1988 only applied to personal data on computer, the Data Protection (Amendment) Act, 2003 applies to manual data from 1 July 2003. Although the data involved was therefore manual data, and so was not subject to the remit of my Office because it was referred in 1998, nevertheless, given the major issue involved, I gave the matter full consideration as if the principles of both Acts applied.
The background to these complaints was that in October, 1998 the Health Board was made aware of serious concerns in relation to the management of patients under the care of a Consultant Obstetrician/Gynaecologist, as a result of which a preliminary assessment was carried out in relation to the perceived concerns regarding his clinical practice. The records of 42 patients were involved and, to ensure patient privacy and confidentiality, patients were numbered consecutively and this numbering was used in the management of all subsequent classifications in the review process.
Initially the records of 3 patients were sent to the UK based company for risk assessment review. Consultation was then undertaken by the Health Board with the Chairman of the Institute of Obstetricians and Gynaecologists in Ireland, who indicated that the Institute would assist the Board in order to conduct a review. The Board stated that it was their intention to deal with the alleged serious concerns regarding the Consultant and his practice in a confidential and sensitive process, having regard to the Board’s statutory duty of care and service management to patients availing of services within its area. The Review was carried out by the Institute at the request of the Health Board, and consisted of three independent Obstetrician Gynaecologists. The Terms of Reference included a request to assess and consider the nature and merit of the concerns of the Health Board.
The Health Board maintained that it had a duty of care to patients within the Health Board area and that, when it was apprised of serious concerns relating to patient care, immediate legal and medical advice was sought, and that it was in this regard that charts were provided in a confidential manner to the Review Group following consultation with the Institute of Obstetricians and Gynaecologists. It also stated that at this stage the well-being of patients and the wider population was the primary concern. The Health Board set up help lines and counselling services following the significant media coverage of the concerns in December, 1998 regarding the consultant’s practice. Following receipt of the Review Group’s Report in April 1999, the help-line was re-activated and direct contact was made, by letter and telephone, with the General Practitioners of the patients involved, who were asked to advise patients directly about the report and the options available to them.
The general principle of the Data Protection Acts is that personal data should only be processed and disclosed to other parties with the patient’s consent unless one of the provisions of section 8, which lift the restrictions on disclosure in limited and defined circumstances, applies.
Section 8(b) provides that –
“8. Any restrictions in this Act on the processing of personal data do not apply if the processing is –
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid …”
while section 8(d) provides that –
“8. Any restrictions in this Act on the processing of personal data do not apply if the processing is –
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property.”
Section 8 therefore recognises that privacy rights are in no sense absolute and must constantly be balanced against other competing interests including society’s right to be made aware of particular information.
The matter which had to be considered by me, therefore, in terms of the Data Protection Acts, was whether the Board could rely on any of the provisions of section 8 as a basis for the referral of case files to the UK company and subsequently to the Enquiry by the Institute of Obstetricians and Gynaecologists, without the consent of the patients involved.
In routine referrals only anonymised information should be disclosed; charts etc. might not need to be forwarded and indeed prior patient consent should be sought. However, in a case such as this, when a serious matter with implications for the health and welfare of past patients, and indeed possible dangers for current and future patients, was brought to its attention, I deemed that the Board had a duty to fully establish all of the facts using whatever expert resources were necessary, and indeed in a speedy and urgent manner. I considered that the Board were justified in disclosing the files in order to protect the health of those who had had the procedures carried out by the consultant and also so that necessary steps could be identified to avoid inappropriate procedures in the future. Having regard to the serious and far-reaching public health issues and circumstances involved, I considered that the Board were justified in making the disclosures under section 8(b) and section 8(d) of the Acts.
Furthermore, I considered that the disclosure by the Board was a compatible disclosure within the meaning of section 2 of the Acts. Section 2(1)(c)(ii) provides that “data shall not be further processed in a manner incompatible with that purpose or those purposes” (for which it is held). I considered that the disclosure of patient data for the limited purpose of practice review in the wider interest of public health and, subject to confidentiality and privacy safeguards, was consistent with the purpose for which personal data was held by a healthcare provider. However, the names of patients were also included in the charts supplied to the reviewing bodies, and it would have been prudent, if feasible given the urgency and importance of the investigation, to delete all references to patients so that only anonymised information was released.
I deeply appreciate, and am glad, that the matter was brought to my attention by concerned and reasonable patients, as it raised serious matters in the healthcare area regarding data protection.