Case Studies
- The following is a list of case studies, by year, as featured in Annual Reports published by this Office. These case studies provide an insight into some of the issues that this Office investigates on a day to day basis. For ease of reference, some of the case studies have been indexed by categories below.
Case Studies - By Year
Case Studies - By Category
- Right of Access
- Disclosure
- CCTV
- Fair Obtaining
- Further Processing
- Minors
- Medical Data
- Accurate & Up To Date
- Security of Data
- Direct Marketing - Email
- Direct Marketing - Postal
- Direct Marketing - SMS
- Direct Marketing - Telephone
- Direct Marketing - Fax
- Enforcement
- Registration
- Retention
- Right of Rectification / Deletion
- PPSN
- Legal Privilege Exemption
- Excessive Information
- Improper Procesing
Right of Access
- Case Study 10 of 2011: Financial Institutions Deny Right Of Access To Credit Assessments.
- Case Study 11 of 2011: Access Request For Old Records.
- Case Study 12 of 2011: Access Requests To Solicitors For Copies Of Files.
- Case Study 13 of 2011: Access To Reports Compiled By Private Investigators.
- Case study 6 of 2008 : Total Fitness Ireland and legal powers used to ensure compliance with an access request
- Case study 9 of 2008 : An access request and a successful claim of legal privilege by a Data Controller
- Case study 21 of 2008 : Access is wrongly denied in respect of an accident report
- Case study 2 of 2007 : Data Controller breaches several provisions in is processing of Sensitive Personal Data
- Case study 8 of 2007 : Failure to finalise a complaint against Money Corp Limited
- Case study 13 of 2007 : Dairygold - failure to comply in full with an access request
- Case study 9 of 2006 : An Garda Síochána - Failure to respond to an access request on time
- Case study 10 of 2006 : Caredoc - failure to comply with an access request & appeal of an enforcement notice
- Case study 11 of 2006 : Barcode / Westwood Club - failure to comply with an access request for CCTV footage
Disclosure
- Case Study 6 of 2011: Customer Data Legitimately Passed From Car Dealership To New Buyer.
- Case Study 8 of 2011: Veterinary Practice Discloses Dog Owner's Personal Data.
- Case Study 1 of 2009: Disclosure of personal data due to inappropriate security measures
- Case Study 3 of 2009: Disclosure of personal details by a local authority on its website
- Case Study 12 of 2009: Paternity test result sent to wrong address
- Case Study 13 of 2009: Use of postcards to communicate with customers regarding overdue account
- Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts
- Case study 2 of 2008 : Disclosure of email addresses by a financial institution
- Case study 14 of 2008 : Credit Union commits several breaches by failing to update a member's address record
- Case study 15 of 2008 : Tesco - resale of an apple Ipod containing a customer's personal data
- Case study 19 of 2008 : Personal data is disclosed in a letter
- Case study 2 of 2007 : Data Controller breaches several provisions in its processing of sensitive personal data
- Case study 7 of 2007 : Aer Lingus - disclosure of employee information
- Case study 14 of 2006 : School Archiving Project - disclosure of personal data
- Case study 4 of 2005 : Complaint by a school manager about disclosure to parents of his personal data contained in a school inspection report
CCTV
- Case Study 9 of 2011: Unlawful Use Of Cctv To Remotely Monitor An Employee.
- Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes
- Case study 3 of 2007 : Inappropriate use of CCTV footage by West Wood Club
- Case study 6 of 2007 : Data Controller breaches data protection law in regard to use of covert CCTV footage
- Case study 11 of 2006 : Barcode/Westwood Club: Failure to comply with an access request for CCTV footage
- Case study 8 of 2005 : CCTV cameras on the Luas line
Fair Obtaining
- Case Study 7 of 2009: Recruitment companies sharing CV's
- Case Study 14 of 2009: Employer breaches Acts by covert surveillance using a private investigator
- Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts
- Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes
- Case study 6 of 2007 : Data Controller breaches data protection law in regard to use of covert CCTV footage
- Case study 6 of 2006 : News of the World: Limits of the Media Exemption
- Case study 2 of 2003 : PMI Ltd mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent
- Case study 1 of 2001 : Bank and insurance company – cross-marketing of a third-party product – incompatible use and disclosure – fair obtaining and processing – small print and transparency
- Case study 4 of 2001 : Credit card transaction – use of details from a previous transaction without consent – fair obtaining – transparency - retention period
- Case study 2 of 2000 : Department of Education & Science – use of trade union membership subscription data to withhold pay – fair obtaining and processing – specified purpose – compatible use – purpose as described in register entry
Further Processing
- Case Study 9 of 2009: Further processing personal data without consent
- Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts
- Case study 10 of 2008 : An employer attempts to use CCTV for disciplinary purposes
- Case study 2 of 2007 : Data Controller breaches several provisions in its processing of Sensitive Personal Data
- Case study 3 of 2007 : Inappropriate use of CCTV footage by West Wood Club
- Case study 4 of 2004 : The Bar Council's In-house Legal Diary and Ashville Media
- Case study 5 of 2004 : Political database and a charity request, "spamming" of constituents and non co-operation from a County Councillor
- Case study 1 of 2003 : Drogheda Hospital- investigation into a consultant’s practice- patients felt consent was necessary- balance to be struck with concerns for public health issues overall
Minors
- Case study 3 of 2008 : A marketing campaign sets up personalised website addresses and breaches the Acts
- Case study 4 of 2008 : Interactive Voice Technologies and unsolicited text messages
- Case study 6 of 2006 : News of the World - Limits of the Media Exemption
- Case study 10 of 2006 : Caredoc - Failure to comply with an access request and appeal of an enforcement notice
- Case study 10 of 2004 : Bank of Ireland marketing of 12 and 13 year old school children
- Case study 2 of 2003 : PMI Ltd mailing list rented in good faith by a bank resulted in minors being marketed for credit cards without proper consent
- Case study 6 of 2002 : Women's Mini- Marathon-unauthorised and incompatible disclosure-Internet photographs-informed consent
- Case study 10 of 1998 : School web site - personal data relating to children - issue of fair obtaining
- Case study 7 of 1997 : Direct mailing to children – complaint by parent – issues of fair obtaining and keeping data longer than necessary
Medical Data
- Case study 1 of 2008 : HSE West and a consultant ophthalmic surgeon breach the Acts
- Case study 1 of 2007 : Right of Rectification of Personal Data Held by a Data Controller
- Case study 2 of 2007 : Data Controller breaches several provisions in its processing of Sensitive Personal Data
- Case study 10 of 2006 : Caredoc: Failure to comply with an access request and appeal of an enforcement notice
- Case study 2 of 2005 : Life assurance company and medical reports - access request denied
- Case study 9 of 2005 : Disclosure of patient details to the National Treatment Purchase Fund
- Case study 1 of 2004 :Employment matters – claim of legal privilege and access to medical data in the workplace
- Case study 1 of 2003 : Drogheda Hospital- investigation into a consultant’s practice- patients felt consent was necessary- balance to be struck with concerns for public health issues overall
- Case study 4 of 2003 : Access to medical records on a change of general practitioner
Accurate & Up To Date
- Case Study 10 of 2009: Mobile network operator fails to suppress customer marketing preferences
- Case study 14 of 2008 : Credit union commits several breaches by failing to update a member's address record
- Case study 18 of 2008 : A civil summons is served on the wrong person
- Case study 1 of 2007: Right of Rectification of Personal Data Held by a Data Controller
- Case study 1 of 2000 : An Garda Síochána – subject access request – time limit for response – accuracy of personal data – excessive and irrelevant personal data – date of birth
- Case study 6 of 1999 : Financial institution - inaccurate credit rating - rectification - notification of third parties to whom incorrect data had been released
- Case study 2 of 1997 : Data about two people combined in one record kept by a credit referencing agency – issue of accuracy
- Case study 11 of 1997 : Direct mail for previous householder – decline direct marketing – inaccurate data – repeated promises
- Case study 2 of 1996 : A customer disputed his credit rating by a financial institution – issue of accuracy – the rating as understood by the institution
- Case study 8 of 1997 : Credit record indicated that borrower had faced litigation and loan had been partly written off – issue of accuracy – previous concerns about fair obtaining revived
Security of Data
- Case study 12 of 2008 : Credit unions transmitting personal data via unsecured e-mails
- Case study 16 of 2008 : Failure to properly safeguard a staff member’s medical certificate
- Case study 10 of 2007 : Member of staff at Revenue accessing and using personal data of a taxpayer
- Case study 3 of 2003 : Visa application details accidentally put on website of Department of Justice, Equality and Law Reform
- Case study 9 of 2002 : Details of other bank account holders of the same name, supplied in response to access request-inadequate response to customer-security procedures-lack of awareness at branch level of data protection
- Case study 3 of 2001 : Employee performance ratings disclosed to other staff – inadequate security
- Case study 6 of 2000 : Financial institution – Laser card – printing of home address on receipts – incompatible disclosure – adequate security
- Case study 2 of 1999 : Life insurance company - retention by ex-employee of customer data - unauthorised access - obligation to take appropriate security measures
- Case study 1 of 1998 : Employee data - appropriate security measures - disclosure
Direct Marketing - Email
- Case Study 5 of 2011: Unlawful Obtaining And Use Of Email Addresses For Marketing Purposes By The Zone Extreme Activity Centre.
- Case study 4: Tesco prosecuted for email marketing
- Case study 6 of 2009: Email marketing error causes data protection breach
- Case study 8 of 2008 : BuyAsYouFly and a failure to respect opt-outs from direct marketing by email
- Case study 17 of 2008 : A web design company is requested to delete a marketing database
- Case study 14 of 2007 : Ryanair - Remedial action taken for customers to unsubscribe from marketing
- Case study 15 of 2007 : On-line shoppers receive unsolicited marketing from Tesco
- Case study 5 of 2004 : Political database and a charity request, "spamming" of constituents and non co-operation from a County Councillor
Direct Marketing - Postal
- Case study 3 of 2008 : A marketing campaign sets up personalised website addresses and breaches the Acts
- Case study 3 of 2006 : Dell - Persistent direct marketing
- Case study 4 of 2006 :Sky Ireland - Direct marketing by email
- Case study 6 of 2005 : Cross marketing of a credit card by a travel agent
- Case study 2 of 2003 : PMI Ltd - mailing list rented in good faith by a bank resulted in minors being marketed for creditcards without proper consent
- Case study 7 of 1998 : Unsolicited direct mail from abroad - mutual assistance between parties to the 1981 Council of Europe Convention on Data Protection
Direct Marketing - SMS
- Case Study 2 of 2011: Telecommunications Companies Prosecuted For Marketing Offences
- Case Study 3: Prosecution Of Regine Ltd For The Sending Of Unsolicited Marketing Text Messages.
- Case Study 2 of 2009: Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages
- Case Study 5 of 2009: Harvesting of mobile numbers from a website for the sending of marketing text messages
- Case Study 11 of 2009: Car dealership breaks the law by s3nding direct marketing text messages
- Case study 4 of 2008 : Interactive Voice Technologies and unsolicted text messages
- Case study 5 of 2008 : Unfounded complaint about unsolicted marketing text messages
- Case study 7 of 2008: Opt-In to subscription service text messages found following investigation
- Case study 5 of 2006 : Opera Telecom - forced to delete database
- Case study 12 of 2005 : Night club - collection of mobile numbers for marketing purposes
- Case study 5 of 2003 : Realm Communications - Unsolicited SMS texting and direct marketing
Direct Marketing - Telephone
- Case Study 2 of 2011: Telecommunications Companies Prosecuted For Marketing Offences.
- Case Study 4: Marketing Phone Call Made To A Number On The National Directory Database (Ndd) Opt Out Register.
- Case study 11 of 2008 : Marketing telephone calls to numbers on the NDD Opt -Out Register
- Case study 4 of 2007 : NewTel Communications Communications - Ordered to suspend marketing
- Case study 9 of 2007: Marketing calls by Eircom - remedial action - amicable resolution
- Case study 1 of 2006 : Talk Talk - Unsolicited direct marketing calls
- Case study 2 of 2006 : Gaelic Telecom / Global Windows - Cold calling
- Case study 10 of 2005 : Optic Communications - persistent unsolicited marketing phone calls
- Case study 11 of 2005 : Prosecution of 4's A Fortune Ltd - unsolicited marketing communications
- Case study 6 of 1997 : Ex-directory phone number obtained by insurance broker - Information Notice used to establish circumstances
Direct Marketing - Fax
Enforcement
- Case Study 2 of 2009: Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages
- Case Study 15 of 2009: Prosecution for sending unsolicited marketing faxes
- Case Study 16 of 2009: Prosecution of Brasserie Sixty6 for the sending of unsolicited direct marketing text messages
- Case study 6 of 2008 : Total Fitness Ireland and legal powers used to ensure compliance with an access request
- Case study 13 of 2007: Dairygold - Failure to comply in full with an AccessRequest
- Case study 5 of 2006 : Opera Telecom - Forced to delete database
- Case study 10 of 2006 : Caredoc - Failure to complywith an access request and appeal of an enforcement notice
- Case study 12 of 2006 : Ashbury Taverns - Failure to complywith an access request
- Case study 5 of 2004 : Political database and a charity request, "spamming" of constituents and non co-operation from a County Councillor
- Case study 5 of 2002 : Telephone company - alleged disclosure of customer call relate information at the request of the Gardai - Information Notice issued
- Case study 6 of 2001 : Legal firm - identification of source of personal data - lack of co-operation - issue of enforcement notice
- Case study 6 of 1997 : Ex-directory phone number obtained by insurance broker - Information Notice used to establish circumstances
Registration
- Case study 9 of 2001 : Legal firm - registration under Section 16 of the Act - on-site examination of computer files
- Case study 2 of 2000 : Department of Education & Science - use of trade union membership subscription data to withhold pay - fair obtaining and processing - specified purpose - compatibleuse - purpose as described in register entry
- Case Study 5 of 1999: voluntary organisation - role in administration of an official scheme - collection and use of RSI numbers - failure to register as a data controller
- Case Study 2 of 1998: Use of telemarketing company in the management of customer accounts - transfer of data to agent not disclosure - obligation of data processors to register
- Case Study 8 of 1998: Bank account details - disclosure to a person listed as a "disclosee" in the bank’s entry in the Register of Data Controllers - Register entry not conclusive as to compliance with data protection principles
Retention
- Case Study 11 of 2011: Access Request For Old Records.
- Case study 13 of 2008 : Retention of personal data provided online
- Case study 11 of 2007 : Croke Park - Retention of personal data of nearby residents
- Case study 4 of 2001 : Credit Card transaction - use of details from a previous transaction without consent - fair obtaining - transparency - retention period
- Case study 7 of 1999 : Debt collection service - acting on behalf of hospital - whether data had been "disclosed" for purposes of Data Protection Act - whether debt-collecting agency is entitled to build a database of debtors
- Case study 2 of 1999 : Life insurance company - retention by ex-employee of customer data - unauthorised access - obligation to take appropriate security measures
- Case study 13 of 1996 : Criminal conviction struck out but details remain on Garda records - accuracy and retention of data - policy issues arising
Right of Rectification / Deletion
- Case study 1 of 2007 : Right of rectification of personal data held by a Data Controller
- Case study 13 of 2006 : Irish Insurance Federation - complaint about information on central registry
- Case study 8 of 2003 : Catholic Church baptismal records deletion request not upheld
- Case study 6 of 1999 : Financial institution - inaccurate credt rating - rectificaton - notification of third parties to whom incorrect data had been released
- Case study 2 of 1996 : A customer disputed his credit rating by a financial institution -issue of accuracy - the rating as understood by the institution
PPSN
- Case study 5 of 2007 : Excessive Personal Data on EU Single Payment Scheme application forms
- Case study 7 of 2006 : Local Authority - Use of PPS Numbers
- Case study 10 of 2002 : Aer Rianta - Inappropriate use of the Personal Public Service Number (PPSN)
- Case study 5 of 1999 : Voluntary organisation - role in administration of an official scheme - collection and use of RSI numbers- failure to register as a data controller
Legal Privilege Exemption
- Case study 9 of 2008 : An access request and a successful claim of legal privilege by a Data Controller
- Case study 21 of 2008 : Access is wrongly denied in respect of an accident report
- Case study 13 of 2007 : Dairygold - Failure to comply in full with an Access Request
- Case study 2 of 2005 : Life assurance company and medical reports - access request denied
- Case study 1 of 2004 : Employment matters - claim of legal privilege and access to medical data in the workplace
Excessive Information
- Case Study 1 of 2011; Leisure centre requests excessive personal data from patrons.
- Case Study 7: Allianz Requesting Excessive Personal Information At Quotation Stage
- Case Study 8 of 2009: Excessive data sought on penalty points
- Case Study 5 of 2007: Excessive Personal Data on EU Single Payment Scheme Application Forms
- Case Study 15 of 2006: Ulster Bank: Excessive information sought from new customers
- Case Study 7of 2005: Complaint against AIB - excessive information sought regarding Savings Account
- Case study 1 of 2001 : Motor Insurance - excessive information - marital status not necessary
Improper Processing
» Permanent Link
