We received a complaint against the Department of Foreign Affairs and Trade (the DFAT), alleging that the mission in Cairo, Egypt, had shared the complainant’s personal data with a third party (his employer) without his knowledge or consent, and that it had failed to keep the complainant’s personal data safe and secure, having transmitted it via WhatsApp to his employer. This related to processing of the complainant’s personal data contained in a short-term visa application that the complainant had submitted in order to sit an exam in Ireland.

During our investigation, the DFAT informed us that it was standard practice in processing visa applications to check for accuracy, completeness and the validity of supporting documents . According to DFAT, a suspicion had arisen as to the veracity of a supporting document submitted by the complainant, which had purportedly been signed by his employer. In order to verify its validity, a staff member in the Cairo mission had contacted the employer (an official of an Egyptian government agency, whose name and signature appeared on the document) by telephone as he was best placed to verify the authenticity of the document. The employer confirmed that he would need to see the document to verify it, but that as he did not have an official email address, the only way to receive it was via WhatsApp. The DFAT informed us that prior to sending the data via WhatsApp it had carried out a local risk assessment, including looking at the security/ encryption associated with WhatsApp. It had concluded that in light of the end-to-end encryption on WhatsApp, this was the most secure means of transmission available, given the urgency of the visa application, as outlined by the complainant in his application. In this context, DFAT informed us that many government officials and civil servants in Egypt do not have access to official email accounts/ systems and often use services like Gmail, Hotmail, WhatsApp and Viber to carry out official business. In this case, the government official in question had confirmed that this was the only method of communication available to him.

The documents had been sent by using the mobile phone of the only staff member of the Cairo mission with WhatsApp and had been deleted from the device immediately after being sent. Ultimately, the official informed the Cairo mission that the documents were fraudulent and the visa application was denied . During our investigation, the complainant informed us that he was seeking €3,000 in compensation from the DFAT, as the lost cost of sitting the exam in Ireland. Upon the DPC informing the complainant that it did not have the power to award compensation, the complainant requested a formal decision from the DPC. In considering whether a contravention of the Acts had occurred when the complainant’s personal data was sent by DFAT, via WhatsApp to the official in question, the DPC sought to establish the facts in relation to, first, whether the transmission in question was necessary, and, second, whether it was secure, including whether there were more secure methods available to DFAT to transmit the data. On the first issue, the DPC was satisfied that it was necessary for the DFAT to share the complainant’s personal data with the official who, in the application for the short-term visa, was stated to be his employer and who, according to the application documents, had purportedly signed certain supporting documents. We noted in this regard that the relevant privacy policy (for the Irish Naturalisation and Immigration Services) explicitly states that burden of proof in a visa application is on the applicant and that the visa officer may verify any evidence submitted in support of an application. The policy also states that any information provided in an application form can be disclosed to, among others, foreign governments and other bodies for immigration purposes.

The DPC was satisfied that given the lack of any other secure means to contact the official in question, the transmission via WhatsApp was necessary to process the personal data for the purpose provided (visa eligibility) and that the complainant was on notice that supporting documentation could be shared with third parties to verify authenticity. The DPC also took account of the fact that the local risk assessment carried out by DFAT had established that, in the circumstances, sending the personal data via WhatsApp was the most secure means of transmission. Accordingly, the DPC found that DFAT had complied with the Acts.