
Data Protection Commission

Case Studies 2009


Case study 1: Disclosure of personal data due to inappropriate security measures

Case study 2: Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages

Case study 3: Disclosure of personal details by a local authority on its website

Case study 4: Alleged disclosure of credit card details by a booking agent

Case study 5: Harvesting of mobile numbers from a website for the sending of marketing text messages

Case study 6: Email marketing error causes data protection breach

Case study 7: Recruitment companies sharing CVs

Case study 8: Excessive data sought on penalty points

Case study 9: Further processing personal data without consent

Case study 10: Mobile network operator fails to suppress customer marketing preferences

Case study 11: Car dealership breaks the law by sending direct marketing text messages 

Case study 12: Paternity test result sent to the wrong address

Case study 13: Use of postcards to communicate with customers regarding overdue account

Case study 14: Employer breaches Acts by covert surveillance using a private investigator 

Case study 15: Prosecution for sending unsolicited marketing faxes 

Case study 16: Prosecution of Brasserie Sixty6 for the sending of unsolicited direct marketing text messages


 

Case study 1: Disclosure of personal data due to inappropriate security measures


In August 2008, I received a complaint regarding the alleged disclosure of personal information by an airline. The complainant to my Office stated that in June 2008, in response to a phone call, the airline disclosed by email a travel itinerary for herself and her husband to her husband's employer and on foot of this disclosure, her husband was dismissed from his employment. The complainant stated that her husband's employer had made a written statement to the effect that the email in question was disclosed by the airline on the provision of a surname only. A copy of this statement was provided to my Office.

 

In the course of this investigation, the airline informed my Office that security questions were asked before the email in question was issued to the third party. It did not dispute that it sent the email. However, because the airline did not record the telephone call requesting the information, and its security questions were neither system-prompted nor logged, it could not produce any evidence that the appropriate security questions were asked in this instance. My Office also took into consideration that the booking was made from the complainant's own computer using a personal email address rather than from an email address at her husband's workplace.

On the basis of the information presented, together with the fact that the airline could not provide evidence that its own security measures were in fact used on this occasion, I arrived at the decision, following the investigation of this complaint, that the airline had contravened Section 2(1)(c)(ii) by further processing the complainant's personal data and that of her husband when it disclosed to her husband's employer their travel itinerary in an email. It also contravened Section 2(1)(d) by failing to have in place appropriate security measures to prevent the unauthorised disclosure of her personal information and that of her husband.

The security-related issues highlighted by this complaint have been the subject of extensive engagement by this Office with the airline, which, following this complaint, examined ways to enhance its security in relation to the handling of enquiries such as this.

This complaint clearly demonstrates the need for data controllers to have controls in place to prevent the disclosure of personal data. It is not sufficient to rely solely on the word of staff that they will ask the appropriate security questions in all instances, particularly in circumstances such as this where an individual deliberately seeks to obtain personal data which they are clearly not entitled to receive.


Case study 2: Prosecution of Jackie Skelly Fitness for unsolicited marketing text messages


My Office received complaints from two individuals regarding unsolicited marketing text messages which they received in the spring of 2008 from Map Dance Limited, trading as Jackie Skelly Fitness. One complainant was a former customer of Jackie Skelly Fitness and the other was an existing customer. Both complainants informed me that they had not consented to receiving marketing text messages from this company. Furthermore, the marketing text messages did not contain an opt-out facility as required.

 

As part of my Office's investigation into the matter, we sought the traffic records from the third party company used to send the messages on behalf of Jackie Skelly Fitness to the complainants' mobile phones. We did this to confirm that the messages were sent by Jackie Skelly Fitness and to establish the content of those messages.

The traffic records which we obtained showed that Jackie Skelly Fitness had sent the marketing text messages in question and that the messages did not contain an opt-out facility as required by the regulations in Statutory Instrument 535 of 2003. Following my Office's investigation, I was satisfied that offences had been committed and I decided to exercise my powers to prosecute Jackie Skelly Fitness in respect of those offences.

In April 2009, at Dublin Metropolitan District Court, Jackie Skelly Fitness pleaded guilty in respect of one charge related to the sending of an unsolicited marketing text message to a customer without consent, in contravention of Regulation 13(1)(b) of S.I. 535 of 2003. The Court recorded a conviction and it imposed a fine of €1,750. Jackie Skelly Fitness also pleaded guilty in respect of one charge related to the sending of a marketing text message to a former customer which did not contain a valid address to which the recipient could send an opt-out request, in contravention of Regulation 13(8) of S.I. 535 of 2003. The Court recorded a conviction and imposed a fine of €1,500. This was the first occasion on which a conviction was recorded in respect of an offence under Regulation 13(8) for failure to include an opt-out facility in a marketing text message.


Case study 3: Disclosure of personal details by a local authority on its website


I received a complaint from a member of the public towards the end of 2008 regarding the disclosure of personal data submitted as part of an application for planning permission to a local authority. 

 

Background
(i)  In the latter part of 2006, my Office entered into discussions with the Department of the Environment, Heritage and Local Government in an effort to establish an appropriate balance between an open and transparent planning system and the rights of individuals to privacy and data protection.  Following these discussions, the Minister for Environment, Heritage and Local Government signed the Planning and Development Regulations 2007 (SI 135 of 2007).  Amongst other things, these regulations introduced an amended planning application form.  The amended form re-arranged the address/contact details section from the front of the form to a detachable page at the rear of the form to ensure that these personal details could be removed prior to the publishing of planning applications on the planning authority's website. 

(ii)  The Department of the Environment, Heritage and Local Government also issued Development Management Guidelines for planning authorities which, among other things, recommended that all planning authorities use a Robots Exclusion Protocol in relation to planning application data on their websites, to protect the personal data on those websites from search engine access. (This is a simple convention by which a website marks the pages that search engines should not index; reputable search engines then do not include those pages in their search results.)

Complaint
In this case, the complainant completed the planning application form and provided the planning authority with his contact details on the detachable part of the form.  However, the information supplied in this section was subsequently made available to the public on the local authority's website.

My Office contacted the local authority involved and asked it for its comments on what led to the publication of the contact details on the website and if it had implemented a Robots Exclusion Protocol to prevent personal data appearing on search engines. 

In reply, the local authority informed my Office that, on this occasion, the procedures it had in place to comply with the data protection requirements did not operate and that, as the procedures were relatively new, the physical removal of the contact details portion of the planning application form was overlooked. It also indicated that the procedures had since been strengthened to ensure compliance with the data protection requirements. The response also indicated that the local authority had not yet implemented a Robots Exclusion Protocol and that it was currently being considered. At that point, my Office made it clear to the local authority that, given the passage of time since the Department had published its Development Management Guidelines in 2007, we found it unacceptable that a Robots Exclusion Protocol had not yet been put in place. We pointed out that, by not having it in place, the personal information of individuals making planning applications continued to be at risk of being picked up by search engines when the applications were uploaded onto the website. The local authority was instructed by my Office to put in place a Robots Exclusion Protocol immediately, failing which I would use whatever legal powers I deemed necessary to protect the personal data of those individuals who submit planning applications to that local authority. My Office subsequently received confirmation from the local authority that a Robots Exclusion Protocol had been put in place.

The complainant in this case requested a formal decision under Section 10 of the Acts.  My decision found that the local authority had contravened Section 2(1)(d) of the Data Protection Acts when it published, on its website, the contact details which the planning applicant had submitted on part of the planning application form. It breached this requirement by not having in place appropriate measures to prevent the unauthorised disclosure of the planning applicant's contact details.

This case demonstrates the need for local authorities to be extra vigilant when uploading planning applications to their websites to ensure that only the information required by law to be made publicly available is published in this way.  In addition, having a Robots Exclusion Protocol or similar in place guards against the risk of the planning applications themselves being captured by search engines.
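The Robots Exclusion Protocol referred to above is published as a robots.txt file at the root of the site. As an added illustration (not code from the Department, the local authority or this Office), the Python script below feeds a constructed robots.txt to the standard library's urllib.robotparser and reports whether a crawler that honours the file may fetch a given path; the host name and the /planning/ path are assumptions. The same parser can be pointed at a live robots.txt to confirm that the exclusion actually covers the directory from which application files are served. The file only binds crawlers that choose to honour it, so removing the detachable contact page before upload remains the primary safeguard.

```python
"""Added example: check which paths a robots.txt keeps reputable crawlers
away from, using the standard library's urllib.robotparser.

The host name, the /planning/ path and both robots.txt texts below are
constructed for illustration; they are not taken from any real site."""
from urllib.robotparser import RobotFileParser

SITE = "https://planning.example-council.ie"  # hypothetical host

# Constructed "before" state: an empty robots.txt restricts nothing.
EMPTY_ROBOTS_TXT = ""

# Constructed "after" state: planning application files are assumed to be
# served under /planning/ and all crawlers are told not to fetch them.
HARDENED_ROBOTS_TXT = """\
User-agent: *
Disallow: /planning/
"""


def crawler_may_fetch(robots_txt: str, url: str, user_agent: str = "*") -> bool:
    """Return True if a crawler that honours robots.txt may fetch `url`.

    The parser is fed the file text directly so the check runs offline;
    against a live site, RobotFileParser(url).read() loads the real file."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


def audit_paths(robots_txt: str, paths) -> dict:
    """Map each site path to True if crawlers are excluded from it, else False."""
    return {path: not crawler_may_fetch(robots_txt, SITE + path) for path in paths}


if __name__ == "__main__":
    sample = ["/planning/app-0001/form.pdf", "/planning/", "/news/"]
    print("empty robots.txt:   ", audit_paths(EMPTY_ROBOTS_TXT, sample))
    print("hardened robots.txt:", audit_paths(HARDENED_ROBOTS_TXT, sample))
```

With the empty file every path is reported as exposed; with the hardened file the /planning/ paths are excluded while unrelated pages such as /news/ remain indexable, which is the balance the Department's guidance describes.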


Case study 4: Alleged disclosure of credit card details by a booking agent


In January 2009 I received a complaint regarding the alleged disclosure of personal information by an internet booking agent.  The complainant informed my Office that, when booking a hotel with the booking agent, he provided his credit card details to pay a deposit.  However, after his subsequent stay at the hotel and having paid the bill, he received a phone call from the hotel to inform him that the bill had been undercharged by €200 in error.  The complainant alleged that the hotel then contacted the booking agent who in turn provided the hotel with his credit card details and that these details were used by the hotel to debit €200 from his credit card account.

 

My Office contacted the booking agent in question and asked where in its terms and conditions it stated that an individual's credit card details would be shared with the hotel booked by the customer.

The booking agent, as part of its response, provided my Office with a copy of the full terms and conditions associated with the use of its website. The terms and conditions clearly state that no reservation contract exists between the customer and the booking agent and that the contract is between the customer and the hotel. The booking agent acts as a facilitator for the hotel, and all rooms, availability, pricing and descriptions on hotel websites and on all websites using the booking agent's technology are under the control of the hotel.

In this case, the complainant, when using the booking agent to book the hotel, was actually booking directly with the hotel and not with the agent. Therefore, when he provided the credit card details on-line to pay the deposit for the hotel, the details were provided directly to the hotel and not to the booking agent as he had previously thought.  Therefore, no actual disclosure to a third party took place.

Since my Office raised this issue with the booking agent, it has expanded its terms and conditions to ensure that individuals using the booking agent's website to book hotels fully understand that the credit card details provided by them are provided to the hotel.

This case clearly demonstrates how important it is for individuals to be fully aware of the terms and conditions associated with any contract they enter into.  In most cases, the terms and conditions also outline how the information provided by an individual will be used.  In this case, had the complainant read the terms and conditions in full, he would have been aware that the contract existed between himself and the hotel and therefore, in entering his credit card details on-line, he was supplying them to the hotel.  I can fully accept, however, that terms and conditions are not always either immediately available or accessible in terms of language to a person seeking to make a booking over the internet.


Case study 5: Harvesting of mobile numbers from a website for the sending of marketing text messages


In January 2009 an individual complained to me regarding his receipt of an unsolicited marketing text message.  The complainant stated that he had placed his number on a website to advertise a property he had available to rent.  He subsequently received a text message from an energy efficiency testing company offering its services to him.  He was concerned not only about the way his number was obtained and processed by the company, but also by the fact that there was no 'opt out' option included in the message he received which would have allowed him to object to receiving any further communications.

 

In order to legitimately contact an individual mobile phone subscriber by text message for direct marketing, the sender must have obtained prior consent from the individual.  Otherwise the marketer runs the risk of committing a criminal offence under Regulation 13(1)(b) of S.I. 535 of 2003 (as amended), and may be prosecuted.  The failure of a sender to include a cost free opt out in a marketing text message is also an offence liable to prosecution.

My Office commenced an investigation into the matters raised by the complainant.  We contacted the company to seek an explanation and provided it with a copy of our Guidance Note on the use of electronic mail for direct marketing purposes to assist it in responding on the matter.

The company responded by admitting that it did source the complainant's number from a website and that it proceeded to then send him a marketing text message regarding a service it was providing to home owners.  It was extremely apologetic for causing offence to the complainant and for breaking any regulations.  It explained that it had recently commenced offering the service.  It also confirmed that it had abandoned plans to continue with such marketing and it advised that the complainant's personal details were now deleted from its databases.

As an act of good faith and in an effort to amicably resolve the matter to the satisfaction of the complainant, the company donated a sum of €100 to a charity of the complainant's choice. The complainant was satisfied with this outcome.

This case is an example of the disturbing trend of commercial entities sourcing mobile numbers of private individuals from websites or from other published sources for the purpose of using those numbers to market their own products. Any person who advertises their property for sale or rent on a website or elsewhere should not, as a consequence, be exposed to the risk of receiving unsolicited text messages from a company promoting its own products.  


Case study 6: Email marketing error causes data protection breach


In September of 2008 four complaints were received by my Office regarding the sending of a marketing email by a company, in which the email addresses were visible to each of the recipients.  The complainants also advised that they had not consented to receiving the email in question. It was also brought to my attention that the email did not contain an 'unsubscribe' option which would have enabled the recipients to record their preferences not to receive any further marketing communications. It was also a matter of concern to me that one of the complainants advised me that he had previously contacted the company to request removal of his email address, and despite that, he subsequently received the email which was the subject of the complaints to my Office.

 

The company notified me, following its own receipt of a complaint, that it had sent a marketing email which contained 1400 email addresses.  These addresses were disclosed in the carbon copy field (cc) in error, as opposed to listing the addresses in the blind carbon copy field (bcc), which would have ensured that the personal email addresses of the individual recipients would not have been visible. Once it had realised the error, the company advised me that it recalled all the emails and shut down its server.  However, as the complaints to my Office raised a number of other concerns regarding the electronic marketing practices of this company, I decided that an investigation of the matters raised by the complainants was warranted.

In the investigation of these complaints, my Office sought an explanation from the company as to why it sent the marketing email to the recipients without their consent and without the inclusion of a cost free opt out facility.  The company responded that one of its databases was used in error.  It explained that a new member of staff used an old database of consumer enquiries in error and also failed to protect the email address details of the individual contacts on the database.  Furthermore, the company did not have sufficient monitoring of its email marketing to provide an opt-out at the point of collection of contact details or to unsubscribe recipients effectively when requested to do so. Following my examination of the response from the company, I was satisfied that it had committed offences by sending the unsolicited email to the recipients without their consent and also without including an unsubscribe option in the email.

On foot of the four complaints to my Office, and in an effort to correct the deficiencies in its marketing operations, the company retained the services of a specialist digital communication service provider to manage its databases and email activity to ensure that there could be no recurrence of these issues in the future.  The company also strengthened its policy around database use and it introduced a new anti-spam policy.  As a gesture of goodwill, it offered the complainants free passes to an upcoming social event and a letter of apology for the inconvenience caused to them. Furthermore, it also made a charitable donation of €500 to a well-known charity. The four complainants were satisfied to resolve their complaints on that basis. Given that this company had not come to my attention before, I was satisfied that a prosecution against the company was not warranted at that time based on my normal policy in such matters.  I am happy to report that my Office has received no further complaints regarding the company's marketing practices since the investigation of these complaints.
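The cc/bcc mistake described above can be made impossible to ship by constructing the bulk message so that recipients only ever appear in the Bcc field, and by checking the message before it reaches the mail server. The Python below is an added illustration, not the company's or its service provider's code; the sender, opt-out and recipient addresses are constructed. It builds a message carrying a List-Unsubscribe header and an opt-out line in the body, reproduces the Cc error for comparison, and provides a check that reports any recipient visible in To or Cc.

```python
"""Added example: build a bulk marketing email without exposing the
recipient list, and check a message before it is handed to the mail server.

The sender, opt-out address and recipients are constructed for illustration."""
from email.message import EmailMessage

SENDER = "news@example.com"                     # constructed sender address
UNSUBSCRIBE = "mailto:unsubscribe@example.com"  # constructed opt-out address


def build_bulk_message(recipients, subject, body) -> EmailMessage:
    """Address the visible To: field to the sender itself and put every
    real recipient in Bcc, so no recipient can see the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    # RFC 2369 header that mail clients use to offer one-click unsubscribe;
    # the body repeats the address for clients that do not display it.
    msg["List-Unsubscribe"] = f"<{UNSUBSCRIBE}>"
    msg.set_content(f"{body}\n\nTo stop receiving these emails, write to {UNSUBSCRIBE}.")
    return msg


def build_exposing_message(recipients, subject, body) -> EmailMessage:
    """The error from the case: recipients placed in Cc, visible to all."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg: EmailMessage) -> list:
    """Return addresses visible in To or Cc other than the sender's own.
    A non-empty list means sending the message would disclose them."""
    exposed = []
    for field in ("To", "Cc"):
        header = msg.get(field)
        if header is None:
            continue
        for addr in header.addresses:
            if addr.addr_spec.lower() != SENDER.lower():
                exposed.append(addr.addr_spec)
    return exposed


def safe_to_send(msg: EmailMessage) -> bool:
    """Gate to run immediately before the message is handed to smtplib."""
    return (not exposed_recipients(msg)
            and msg.get("Bcc") is not None
            and msg.get("List-Unsubscribe") is not None)


if __name__ == "__main__":
    people = ["alice@example.org", "bob@example.net"]   # constructed
    good = build_bulk_message(people, "Spring offer", "Hello")
    bad = build_exposing_message(people, "Spring offer", "Hello")
    print("bcc message exposes:", exposed_recipients(good), "safe:", safe_to_send(good))
    print("cc message exposes: ", exposed_recipients(bad), "safe:", safe_to_send(bad))
```

When the message is sent with smtplib's send_message, the Bcc header is removed from the transmitted copy, so the recipient list never leaves the sending system; the safe_to_send gate is what stops a message assembled with the wrong field from going out at all.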


Case study 7: Recruitment companies sharing CVs


In April 2009 I received a complaint against a recruitment company (company A) regarding an alleged disclosure of the complainant's curriculum vitae (CV) to another recruitment company (company B).  The complainant submitted his CV to company A for a particular job which was advertised on a recruitment website.  However, he was subsequently contacted by company B asking for further details in relation to his CV.  In a phone call, company B confirmed to the complainant that it had received his CV from company A.  The complainant claimed that the company to whom he sent his CV did not obtain his consent to disclose his CV to another company.

 

My Office commenced an investigation into the matter and we wrote to company A and asked it to demonstrate the consent it considered it had in place to disclose the complainant's CV to company B.  A key principle of data protection is that personal data should be used and disclosed only in ways compatible with the purposes for which it was obtained.  Company A explained that it and company B, although they were separate legal entities and registered separately with the Companies Registration Office, were effectively run as one company.  They both shared, among other things, the same office space, databases, IT infrastructure, telephone system and management.  However, one of the companies handled recruitment of middle and senior management while the other one handled recruitment of office and customer support staff.  In this case, when the complainant submitted his CV to Company A, the consultant who received it passed it to a consultant in Company B as possible skills were identified from the CV which may have been of interest to the other consultant's clients.

My Office advised Company A that the companies were two separate entities and therefore, individuals using the services of either one should be made fully aware, prior to submitting their personal information, that it would be shared between the two companies.  We also noted that the privacy policy on its website did not contain any reference to the fact that both companies share information and we advised that it should contain a statement which informed individuals using the website how their information would be processed and that their information would be shared between the two companies.  My Office also advised that, if it was unable to do this, the only alternative was to separate out the two entities completely and cease sharing personal information.

As a result of our investigation, we received an assurance from Company A that it would insert a statement on both of the companies' websites to inform individuals using the websites how their personal information would be processed and of the fact that it would be shared between both companies.  It also indicated that it would no longer have separate entities and that, although this would take some time to arrange, both companies would trade as one company in future. 

I welcome the fact that the data controller immediately put in place the measures needed to bring it into compliance with the Acts. It is important for any data controller to make individuals fully aware at the outset as to how their personal data will be processed and to whom it may be disclosed.   As a general rule personal data may not be shared between two legal entities without the consent of the individual about whom the data relates.


Case study 8: Excessive data sought on penalty points


In November 2008, my Office received a complaint against Quinn Direct Insurance regarding the amount of information sought when an individual requested a quotation for motor insurance.  The complainant stated that, during a phone call to Quinn Direct Insurance in November 2008, in which he sought a quotation for motor insurance, he was asked for information on any penalty points he had received on his driving licence during the previous five years.

 

Section 2(1)(c)(iii) of the Data Protection Acts, 1988 and 2003 provides that personal data obtained by a data controller shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or are further processed.  In October 2002, the Minister for Transport announced the introduction of penalty points for speeding offences for all drivers under the Road Traffic Act, 2002. Other offences were added to the penalty points system since then. Under the Act, penalty points remain on a person's driving licence for a period of three years.

My Office contacted Quinn Direct Insurance and raised our concerns that potential customers for car insurance were being asked to provide details of penalty points for the previous five years while the applicable legislation states that such details should be kept on a driver's licence for only three years.  Quinn Direct Insurance responded to my Office stating "In underwriting a motor policy, and assessing the risk involved, we require information from the proposer on the convictions and or penalty points obtained on their licence in the previous five years.  The risk may be assessed differently depending on the offence type, the number of points and whether or not there was a driving ban imposed - for example, the rating for careless driving will be different to speeding.  We do not rate solely on the number of points but require this information in deciding on the severity of the offence for assessing the policy."

My Office expressed its dissatisfaction at Quinn Direct Insurance's reasons for seeking information on penalty points for the previous five years in circumstances where the statutory obligation for the retention of penalty points on a driver's licence was three years.  We requested that it cease the practice of seeking such data immediately.  Quinn Direct Insurance in response stated that its quotation process would be revised to ensure that details on penalty points would only be requested for the previous three years rather than five years as had previously been the case.

This case clearly demonstrates how important it is that data controllers satisfy themselves, on an ongoing basis, that information sought from customers is not excessive.  Unless there is a clear basis for requesting certain categories of personal data, data controllers should exercise restraint when seeking personal data and they should ensure that only the minimum amount of personal data necessary is processed.  This is particularly the case where the data sought relates to matters such as offences.


Case study 9: Further processing personal data without consent


My Office received a complaint in December 2008 from a data subject regarding the alleged use of video clips of her and her family for training purposes, without her consent, by the HSE West. The video clips were recorded with the data subject's consent as part of her family's participation in a particular programme known as Marte Meo.  The data subject's family had agreed to participate in the programme for the purpose of being a foster family.  The data subject informed my Office that she first became aware that video clips concerning her family's participation in the programme had been shown at a conference held in Germany when her Fostering Social Worker telephoned her after the event to give her feedback from the conference. 

 

According to the HSE, the Marte Meo model is used by Social Work Teams at the HSE as a supportive intervention in fostering cases.  It is a film-based intervention used to provide feedback to the prospective foster family on their natural supportive communications and how these can support their preparation for a foster placement.  In this case the data subject's family were asked by the HSE West to provide care to two young girls in an emergency situation.

The HSE West informed my Office that the data subject's Fostering Social Worker understood that the data subject had given verbal consent for the use of the video clips by her supervisor at the conference.  The HSE West confirmed to my Office that two short video clips of the fostering video tape were used at the conference.  The HSE West also confirmed that when the proposal to use the video clips was first put to the data subject she was informed that a signed consent would be sought.  However, on a subsequent visit to the data subject's home, the Fostering Social Worker forgot to bring the consent form.  The HSE West proceeded to use the video clips even though it had not obtained the written consent of the data subject and her family.

My Office informed the HSE West of our view that it had breached the Acts by further processing the video clips without obtaining the consent of the data subject and her family.  My Office also informed the HSE West that, based on information provided by them, the breach occurred when the HSE West departed from its own procedures - i.e. it failed to obtain written consent.

My Office's approach to complaints is to try to reach an amicable resolution.  The HSE West confirmed its willingness to acknowledge its error and to apologise in writing to the data subject.  It also informed us that a system was now in place to ensure that all consent forms are completed according to the Marte Meo standards.  The data subject accepted the amicable resolution of her complaint.

This case study demonstrates how an organisation can breach the Acts when its staff, however well-intentioned, fail to follow internal procedures.  It also highlights the importance of staff training in data protection.


Case study 10: Mobile network operator fails to suppress customer marketing preferences

In the Spring of 2009 I received complaints from two customers of a mobile network operator (MNO) about the difficulties they were experiencing when attempting to register their preference to opt out of further direct marketing from their MNO.  The difficulties experienced resulted in them receiving further marketing emails, despite indicating to the MNO that they had amended their marketing preferences and opted out. Both individuals informed me that they had made a number of attempts to opt out, including updating their account preferences, and clicking on the unsubscribe link contained in the marketing emails.  The first complainant further informed me that he had communicated with the MNO through the 'contact us' facility on its website and he subsequently received a telephone call from a representative who confirmed that his details would be removed from all circulation lists.  Unfortunately he continued to receive further marketing email.

 

When my Office contacted the MNO, we were told that in the cases of both complainants, they had provided their email addresses in the context of signing up to its services and neither individual availed of the opportunity given at that time to opt out of email marketing. However, it acknowledged that when both complainants tried to unsubscribe by clicking on a link in the email they received, an error occurred in the server used by the company's data processor to operate the suppression facility, with the result that the marketing preferences of both individuals were not updated to reflect their preferences.  Furthermore, it advised us that due to an administrative error, both complainants' email addresses were selected as part of a marketing campaign and they received an unsolicited marketing email promoting the company's newsletter.  Regarding the first complainant, the company identified a lag period of up to four weeks between the period that the complainant had the conversation with the call centre representative requesting suppression, and the time that his email address was selected from the system for inclusion in the marketing campaign.  The MNO acknowledged that this was unacceptable. However, the company informed us that it had addressed this and had taken steps to ensure that marketing preference changes are recorded and updated in a period of no more than forty eight hours.

As a means of ensuring that issues such as those highlighted in these complaints did not occur again, the company informed us that it was developing an e-learning data protection training programme for all employees, which would include a module on the requirements for compiling marketing lists and correctly operating marketing campaigns. In the interim, it would provide updated guidance sessions to its direct marketing personnel. It also assured us that the technical error in the server used by the company's data processor was a once-off, isolated incident and that steps had been taken to prevent a recurrence. The company also said that it sincerely regretted that both customers had not received the high level of customer service that it strives to achieve in observing its customers' marketing preferences, and it assured my Office that neither individual would receive any further marketing communications from the company. As a gesture of goodwill for any inconvenience caused, the company offered each of them an ex gratia payment of €150 and extended its apologies to them.

When contacted by my Office, both complainants were happy that the issues raised in their complaints had been dealt with satisfactorily and they accepted the goodwill gesture and apology from the company.

Whilst I am encouraged that my Office has not received any further complaints concerning the marketing operations of that MNO, I was disappointed at the series of flaws in its marketing operations, which caused undue inconvenience to these complainants in attempting to have their marketing preferences recorded and respected. Regulation 13 of S.I. No. 535 of 2003 (as amended) is clear on the legal obligations placed on marketers who wish to obtain and use customer contact details for marketing purposes, and on the further obligation to give those customers the opportunity to object to the use of their contact details for marketing communications. In line with my standard procedures in this area, the MNO was issued with a warning, as these incidents constituted its first interaction with my Office in this area; any future matters will therefore be considered for prosecution.
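The failure chain in this case (an unsubscribe click that silently failed at the processor's suppression server, and a campaign selection that ran weeks after a verbal opt-out request) is a design problem as much as an administrative one. The following Python is an added example, not the MNO's or its processor's code; the class and function names, the sample addresses and the use of the company's stated forty-eight-hour commitment as an alerting threshold are assumptions constructed for illustration. It shows the two controls a practitioner would want: an opt-out request that fails closed (queued locally, and still excluded from campaigns, when the backend errors), and a suppression check applied at the moment recipients are selected rather than when the list was compiled.

```python
"""Suppression-list handling for email marketing campaigns.

Added example with constructed data: the names below are illustrative
assumptions, not any operator's or processor's real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Bound within which a preference change must be applied (the operator's
# stated commitment in the case study; assumed here as the alerting threshold).
SLA = timedelta(hours=48)


class SuppressionBackendError(RuntimeError):
    """Raised when the processor's suppression server fails a write."""


@dataclass
class SuppressionList:
    suppressed: dict = field(default_factory=dict)  # email -> time applied
    pending: dict = field(default_factory=dict)     # email -> time requested
    audit: list = field(default_factory=list)       # (email, when, source, outcome)
    fail_next_write: bool = False                   # simulates the server error

    def _apply(self, email: str, when: datetime) -> None:
        """Write to the authoritative store; simulated to fail on demand."""
        if self.fail_next_write:
            self.fail_next_write = False
            raise SuppressionBackendError("suppression server error")
        self.suppressed[email] = when
        self.pending.pop(email, None)

    def request_opt_out(self, email: str, when: datetime, source: str) -> str:
        """Single entry point for unsubscribe links, account settings and
        call-centre requests. Fails closed: if the backend is down the
        request is queued, and a queued address is not mailable."""
        key = email.strip().lower()
        try:
            self._apply(key, when)
            outcome = "applied"
        except SuppressionBackendError:
            self.pending[key] = when
            outcome = "queued"
        self.audit.append((key, when, source, outcome))
        return outcome

    def retry_pending(self) -> int:
        """Re-attempt queued writes; returns how many are still pending."""
        for key, when in list(self.pending.items()):
            try:
                self._apply(key, when)
            except SuppressionBackendError:
                continue  # stays pending and therefore still excluded
        return len(self.pending)

    def is_mailable(self, email: str) -> bool:
        key = email.strip().lower()
        return key not in self.suppressed and key not in self.pending

    def overdue(self, now: datetime) -> list:
        """Queued requests older than the SLA: the report that should page someone."""
        return [k for k, when in self.pending.items() if now - when > SLA]


def select_recipients(candidates: list, suppression: SuppressionList) -> list:
    """Apply the suppression list at send time, never at list-build time."""
    return [c for c in candidates if suppression.is_mailable(c)]


def demo() -> dict:
    """Walk through both complainants' scenarios on constructed data."""
    t0 = datetime(2009, 4, 1, tzinfo=timezone.utc)
    s = SuppressionList()
    s.fail_next_write = True  # first complainant's unsubscribe click hits the error
    first = s.request_opt_out("Alice@example.com", t0, "unsubscribe_link")
    second = s.request_opt_out("bob@example.com", t0, "call_centre")
    # Campaign built before the retry runs: both must still be excluded.
    campaign = select_recipients(
        ["alice@example.com", "bob@example.com", "carol@example.com"], s)
    overdue = s.overdue(t0 + timedelta(weeks=4))  # the four-week lag, caught
    still_pending = s.retry_pending()
    return {
        "first": first,
        "second": second,
        "campaign": campaign,
        "overdue": overdue,
        "still_pending": still_pending,
        "alice_mailable": s.is_mailable("alice@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` walks through both complainants' scenarios: the queued request keeps the first address out of the campaign even though the backend write failed, and `overdue()` is the report that would have flagged the four-week lag long before the forty-eight-hour bound was breached. The audit list gives the evidence a controller needs when a complaint like this reaches a regulator.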


Case study 11: Car dealership breaks the law by sending direct marketing text messages


In mid-2009 I received two complaints from individuals who had received direct marketing text messages from a car dealership promoting special offer trade-ins. One of the complainants had purchased a car from the dealership in 2006, whilst the second had used the dealership in 2008 for repairs. Neither individual had consented to receiving direct marketing text messages from the dealership. It was also of concern to me that the messages were sent without a cost-free facility by which the individuals could object to the use of their mobile numbers for further marketing.

As part of the investigation of these complaints, my Office contacted the dealership to obtain details, if any, of the consent it had in place to send the messages to the complainants and to find out why the messages were sent without an opt out facility.  In its response, the dealership informed us that the first complainant had completed a vehicle order form on the purchase of his car, and that the form included a data protection clause which permitted it to contact the complainant in the future.  However, having examined the form in question, I could find nothing to indicate that the customer had consented to future contact.  The dealership also provided us with a copy of the job card regarding the repair work it had carried out on the second complainant's car. Again, following examination of it, I could find no evidence that it had obtained consent to send this individual marketing text messages.

It was clear to me that the dealership had not obtained the consent of either individual to send them marketing text messages. On the non-inclusion of an opt-out facility in the two messages sent to the complainants, the dealership stated that its telephone number was included in the messages and that this was considered sufficient to let the recipient know that all they had to do to opt out was to dial that number. I do not accept that this meets the requirements of S.I. No. 535 of 2003 (as amended): a telephone number included so that the recipient can avail of the advertised offer is not a valid address to which they may send a request that such marketing communications cease. Indeed, I have already successfully prosecuted a company on this very issue.

To assist the dealership in understanding and complying with the legislation concerning SMS marketing, my Office sent it our Guidance Note on the use of electronic mail for direct marketing purposes. We also advised it to ensure that consent to send marketing text messages is obtained at the point when the customer provides their contact details. As a means of ensuring that no further marketing text messages would be sent by the dealership to any other individual without their consent, we requested that it delete its marketing database of mobile numbers.

Following our investigation of these complaints, the dealership informed my Office that it wished to engage in an amicable resolution process. By way of amicable resolution it offered a letter of apology to each of the complainants and it made a donation to charity. Both complainants were satisfied to have their complaints resolved on that basis. In turn, my Office warned the dealership that if its marketing operations were the subject of any further complaints to us, it was likely that prosecution action would be taken against it.

From a data protection perspective, it is critical that a marketer who wishes to engage in electronic direct marketing obtains consent from the recipient before a marketing text message is issued.  Furthermore, marketers are also obliged to offer the recipient an opportunity to object to receiving further marketing text messages.  This case is another example of the risks which are taken by marketers who do not take the required precautions before embarking on text message marketing campaigns.


Case study 12: Paternity test result sent to the wrong address


My Office received a complaint in April 2009 from an individual concerning the disclosure of sensitive personal data by a data controller which provides paternity testing services.

The background to the complaint is that a DNA kit was ordered from the data controller and duly arrived at the correct address; swabs were taken and the kit was returned to the data controller the next day. However, when the test result had not arrived after some time, the individual concerned phoned the data controller on 30th March 2009 and was informed that the result had been posted on Friday 27th March. When the result had still not arrived the following day, the individual phoned again and asked the data controller to trace where the result had been posted to. The data controller stated that the result had been posted to number 83 of a particular housing estate; the address of the individual concerned was number 82. When the occupants of number 83 were contacted about the matter, they dropped the already opened envelope through the letter box of number 82.

My Office commenced the investigation of this complaint by informing the data controller that Section 2 of the Data Protection Acts 1988 and 2003 imposes responsibilities and obligations on data controllers regarding the collection, processing, keeping, use, disclosure and security of personal data. We also pointed out that medical data constitutes sensitive personal data under the Acts and we asked for an explanation as to how this sensitive personal information was issued to the incorrect address, despite the original DNA kit being posted to the correct address.

In its response the data controller stated that in normal circumstances addresses are printed from its system onto labels which are then placed on the envelope. On the day in question its system was not functioning properly and, because of that, addresses were entered manually. Due to human error, the person writing the address put number 83 on the envelope instead of 82, even though its records held the correct address. It said that it was confident that the error was a one-off occurrence. The data controller also conveyed its apologies to the individual concerned for any inconvenience caused and it offered a full refund of the fee involved in order to amicably resolve the matter. This offer was accepted by the individual concerned and the complaint was resolved on that basis.

This complaint illustrates the need for data controllers to be vigilant at all times in their processing of personal data. While the data controller may have had an appropriate electronic system in place to ensure that letters were properly addressed to its clients, the fall-back manual process which came into play when the electronic system was out of commission failed in this case, leading to the disclosure of sensitive personal data. While the data controller put the incident down to human error, the consequence of having no double-checking in the manual process was a disclosure of sensitive personal information and a breach of the Data Protection Acts. This breach understandably caused great upset to the affected individual, whose test result was disclosed to a neighbour.


Case study 13: Use of postcards to communicate with customers regarding overdue account


In July 2009 I received a complaint from a data subject concerning a company which communicated with him by postcard to inform him that his account was overdue. The company wrote to him twice using a pre-printed postcard marked 'Urgent Overdue Account' in white print on a red background. The postcards were delivered to the customer's address through the normal postal system.

The data subject pointed out to my Office that, because these postcards had come through the postal system, they had potentially been seen by staff in the sorting office, staff in the local general post office, staff in the local post office, which is in a small rural area, and the postman. He also pointed out that the bright red design of the cards and the large print on them made it very easy for postal staff handling them to see and read their contents. The data subject also told my Office of the embarrassment caused to him and his wife by the sending of the postcards through the postal system, as the postman who delivered them was a neighbour of his.

My Office contacted the company and informed it that the sending of information on a postcard to the data subject regarding his overdue account constituted a disclosure of his personal information and that such a practice was in breach of the Data Protection Acts, 1988 and 2003. We requested that the company confirm to us that they would immediately and voluntarily cease this practice.

The company responded to my Office promptly and informed us that it had taken verbal legal advice before sending the postcards and that it was not aware that it was in breach of the Acts. It confirmed that it would immediately and voluntarily cease sending such postcards to customers whose accounts are overdue. My Office received full cooperation from the company throughout our investigation of this matter.

We attempted to arrange an amicable resolution of this complaint, as the law obliges us to do in the first instance, but our efforts in that regard did not succeed.  The data subject then requested a formal decision of the Data Protection Commissioner on his complaint.

In November 2009 I issued my decision on this complaint. I informed the data subject that following my Office's investigation of his complaint I was of the opinion that the company twice contravened Section 2(1)(d) of the Data Protection Acts, 1988 and 2003 by failing to take appropriate security measures against disclosure of his personal data. These contraventions occurred when it issued two postcards to him in the postal system, each of which contained personal data.

This case demonstrates the need for data controllers to exercise great care in their handling of personal data and to refrain from actions which might compromise that data from a security perspective. While I appreciate that businesses need to pursue their customers for overdue accounts, they are obliged to comply with the law in doing so.  Disclosing the fact of an overdue account on a postcard sent to a customer is a clear infringement of the Data Protection Acts and it should not happen.

On a more general level, data controllers who use postcards for whatever purpose should ensure that the message conveyed on them does not involve the processing of personal data. Convenience must not be put before the security of personal data in such cases. I would strongly encourage any data controller whose practice it is to use postcards to re-examine that practice from the perspective of its legal obligations regarding security measures for the processing of personal data. The key message to be taken from this case study is 'think data security before convenience'.


Case study 14: Employer breaches Acts by covert surveillance using a private investigator


In October 2008 I received a complaint from an individual concerning the processing, without his knowledge or consent, of his own and his children's personal data by his employer. The complaint concerned a private investigator, engaged by the company, who recorded footage of his movements and his children's movements and produced it on a DVD for the company without his knowledge or consent.

My Office commenced an investigation into the matter by writing to the company.  We informed it of its obligations under the Data Protection Acts and we asked for its comments on the complaint.  The company informed my Office of the circumstances which led to it hiring a private investigator to check on the employee's activities.  According to it, the complainant was employed as a sales representative and, as such, spent virtually all of his time away from the company's premises.  It stated it became concerned that the employee was not carrying out his duties as required by his contract of employment and it decided it was necessary to check on his activities in his sales territory.  A private investigator was engaged to check on the employee's activities in order to establish whether or not he was performing his duties.  The private investigator recorded the movements of the employee for a period of approximately one week and produced a DVD of those movements which he provided to the company.  Some of the recordings produced on the DVD also contained images of the employee's children.

My Office remained concerned about the justification for the processing of the employee's personal data by way of the private investigator recording his movements. We asked that the company review any documentation it had which it believed might suggest that the processing of the employee's personal data in this way was justified. We subsequently received a range of documents in that regard. My Office also asked if it had taken any steps to address the concerns it had about the employee's activities prior to hiring the private investigator, to which it replied that it believed there were no other steps it could have taken. It also informed my Office that it felt it needed to observe the employee's company car over a period of at least a week before it could be satisfied that the employee had a case to answer. The company stated that it did not have the resources internally to check this over such a period of time and for that reason the private investigator was asked to check and report.

Having considered the case put forward by the company and the documentation submitted, my Office informed it that we considered that the processing of the employee's personal data by way of a private investigator recording the employee's movements was not justified, as it had not taken appropriate steps to raise its concerns with the employee prior to making the decision to hire a private investigator to record his movements. My Office also requested that the DVD in question be destroyed and we subsequently received confirmation of its destruction from the company.

The complainant subsequently requested a decision under Section 10 of the Acts.  My decision found that the company had contravened Section 2(1)(a) of the Acts by the processing of the employee's personal data and that of his children, in the recording of images by a private investigator acting on its behalf, without his knowledge or consent.

Covert surveillance of individuals is very difficult to reconcile with the Data Protection Acts. As a minimum, and even this may not make such surveillance lawful, there must be a strong, evidence-based justification for the surveillance in the first instance.


Case study 15: Prosecution for sending unsolicited marketing faxes


Early in 2009 I received a complaint from an individual concerning unsolicited direct marketing fax messages he had received in November 2008 and January 2009. The faxes were sent to his fax number by Prism Fax Services Ltd promoting various holiday offers, competitions, hotel offers, etc. on behalf of a number of advertisers. In support of his complaint, the complainant supplied copies of the faxes he had received.

Regulation 13(1)(a) of S.I. No. 535 of 2003 (as amended) provides that marketing faxes may not be sent to individuals without their consent.

My Office commenced an investigation by contacting Prism Fax Services Ltd. It informed us that the intended recipient of the fax messages in this case was a school. However, it said that it had entered the school's fax number incorrectly on its database and, as a result, the faxes were sent to the wrong number. It confirmed to my Office that it had now removed the incorrect fax number from its database. I was satisfied that offences had been committed by Prism Fax Services Ltd and, in light of previous interactions with the company on the sending of unsolicited faxes, in which the legal requirements in this area had been made clear, I decided to prosecute it in respect of those offences.

In December 2009, in the Dublin District Court, Prism Fax Services Ltd pleaded guilty in respect of one offence under Regulation 13(1)(a) of S.I. No. 535 of 2003 and two offences under Regulation 13(1)(a) of S.I. No. 535 of 2003 (as amended), in respect of the sending of direct marketing faxes to an individual without their consent on dates in November 2008 and January 2009.  The Judge accepted the guilty pleas and Prism Fax Services Ltd was convicted and fined a total of €2,250.

This was the first occasion on which I brought prosecution proceedings for an offence in respect of the sending of unsolicited marketing fax messages.  Prism co-operated fully with my Office's investigation of this matter and indicated a willingness to plead guilty at the earliest opportunity, which further assisted matters. 

Case study 16: Prosecution of Brasserie Sixty6 for the sending of unsolicited direct marketing text messages


In July 2008 I received complaints from members of the public regarding marketing text messages sent to them by a Dublin-based restaurant, Brasserie Sixty6. The complainants alleged that they had not consented to receiving the text messages.

My Office investigated the matter, as it is an offence for a marketer to send a marketing text message to an individual without prior consent. In the course of our investigation, my Office contacted Brasserie Sixty6 to ascertain what consent it had to send the messages to the individuals concerned. However, Brasserie Sixty6 was unable to provide evidence of such consent. It said that some of the telephone numbers used to make reservations had, through human error, been entered in the marketing text messaging field instead of the reservation field on its computer system. It did, however, advise that those numbers had now been deleted from the marketing database.

Unfortunately, one of the individuals concerned continued to receive marketing text messages after this because, again through human error, his number had not been removed from the marketing database.

I was very surprised that Brasserie Sixty6 was the subject of complaints about marketing text messages, given that only one year earlier, in July 2007, my Office had investigated several complaints against Brasserie Sixty6 in relation to direct marketing text messages. Following an investigation of those complaints, my Office found that the complainants had provided their mobile numbers in the context of making a reservation and that at no stage in the collection of the numbers had their consent been sought to subsequently send them marketing messages. Following the 2007 investigation, I decided, in line with my normal policy in such matters, to seek to amicably resolve those complaints and not to take prosecutions, as these were first offences. By way of amicable resolution, Brasserie Sixty6 had agreed to delete the database and to review its procedures for the collection, storage and use of mobile numbers. It also made a goodwill gesture of a voucher to each of the complainants.

In light of the 2007 investigation in relation to a similar issue, I deemed the subject matter of the 2008 complaints to be repeat offences and I therefore decided to bring a prosecution against Brasserie Sixty6 in relation to four offences which came to my attention.

My Office issued four summonses in the Dublin District Court in relation to these offences.  These came before the court in June 2009. Home RBVR Limited, trading as Brasserie Sixty6, pleaded guilty to the charges. Following evidence given by my staff, the Judge recorded four convictions against Home RBVR Limited and imposed a total fine of €3,250.
