Case Studies

The following case studies have not been featured in the DPC's Annual Reports. They provide an insight into some of the issues that this Office investigates on a day-to-day basis.


  1. Inaccurate Information held on a banking system
  2. Failure to respond fully to an access request
  3. Use of CCTV in the workplace
  4. Access to CCTV footage
  5. Obligation to give reasons when refusing to provide access to personal data
  6. Processing of Special Category Data
  7. Further processing for a compatible purpose
  8. Appropriate security measures when processing medical data
  9. Appropriate security measures
  10. Processing that is necessary for the purpose of legitimate interests pursued by a controller
  11. Processing that is necessary for the purpose of performance of a contract
  12. Confidential expressions of opinion and subject access requests
  13. Processing of health data
  14. Access requests and legally privileged material
  15. Processing in the context of a workplace investigation


1)  Case Study 1: Inaccurate Information held on a banking system

The complainant in this instance held a mortgage over a property with another individual. The complainant and the other individual left the original property and each moved to separate addresses. Despite being aware of this, the complainant’s bank sent correspondence relating to the complainant’s mortgage to the complainant’s old address, where it was opened by the tenants in situ.

In response, the complainant’s bank noted that its mortgage system was built on the premise that there would be one correspondence address and, in situations where joint parties to the mortgage no longer had an agreed single correspondence address, this had to be managed manually outside the system, which sometimes led to errors.

It was apparent that the data controller for the purposes of the complaint was the complainant’s bank, as it controlled the complainant’s personal data for the purposes of managing the complainant’s mortgage. The data in question consisted of (amongst other things) financial information relating to the complainant’s mortgage with the data controller. The data was personal data because it related to the complainant as an individual and the complainant could be identified from it.

Data protection legislation, including the GDPR, sets out clear principles that data controllers must comply with when processing a person’s personal data. Of particular relevance to this complaint were the obligation to ensure that personal data is accurate and, where necessary, kept up to date, and the obligation to have appropriate security measures in place to safeguard personal data.

In applying these principles to the facts of this complaint, by maintaining an out-of-date address for the complainant and sending correspondence for the complainant to that address, the data controller failed to keep the complainant’s personal data up to date (Article 5(1)(d)). In addition, given the multiple pieces of correspondence that were sent to the wrong address, the data controller’s security measures failed to appropriately safeguard the complainant’s data (Article 5(1)(f)). The obligation to implement appropriate security measures under Article 5(1)(f) is to be interpreted in accordance with Article 32 of the GDPR, which sets out considerations that must be taken into account by a data controller when determining whether appropriate security measures are in place.


2)  Case Study 2: Failure to respond fully to an access request

This complaint concerned an access request made by the complainant. The complainant was dissatisfied that his request for access to a copy of any information kept about the complainant by the data controller in electronic and in manual form was refused by the data controller, a County Council. The data controller instead advised the complainant that the requested files were available online or for viewing at the data controller’s premises.

During the course of the investigation of this complaint, the complainant alleged that the files made available to the complainant by the data controller at its premises did not constitute all the personal data concerning the complainant that was held by the data controller.

However, the data controller was of the view that the access request made by the complainant was limited to personal data held in relation to two planning applications due to the reference numbers for the planning applications being quoted by the complainant on the complainant’s access request. Accordingly, the data controller sought to distinguish between personal data relating to the publicly available planning files, which were supplied to the complainant at a public viewing, and personal data created following the refusal of the complainant’s planning application, which the data controller considered to be outside the scope of the access request.

While the complainant mentioned two specific planning applications, the access request was expressed in general terms and sought access to “any information you keep about me electronically or in manual form”. Accordingly, it was considered that the personal data sought by the complainant included all data that arose in the context of the complainant’s engagement with the data controller prior to submitting the two identified planning applications and all data that arose after those applications were refused.

The data controller, due to the specific circumstances of the case, contravened its data protection obligations when it failed to supply the complainant with a complete copy of the complainant’s personal data in response to the access request within the statutory period. Under the GDPR, Article 15 provides for the data subject's right of access to the personal data relating to them that the controller holds. Article 12(3) sets out the timeframe within which a controller must respond: it must provide information on the action taken on such a request without undue delay and in any event within one month of receipt of the request. The same article allows that period to be extended by two further months where necessary, taking into account the complexity and number of the requests, provided the data subject is informed of the extension, and the reasons for it, within one month of receipt of the request.


3)  Case Study 3: Use of CCTV in the workplace

We received a complaint that concerned the use of CCTV cameras by the data controller in the complainant’s work premises, and the viewing of that CCTV footage (which contained personal data of the complainant, consisting of, among other things, images of the complainant) for the purpose of monitoring the complainant’s performance in the course of his employment with the data controller.

At the time of the complaint, the data controller had a CCTV policy in place, which stated that the reason for the CCTV system was for security and safety. This was also stated on signage in place in areas where the CCTV cameras were in operation. The facts indicated that the purposes for which the complainant’s personal data was initially collected were security and safety. However, during a meeting with the complainant, a manager informed the complainant that CCTV footage containing the complainant’s personal data had been reviewed solely for the purposes of monitoring the complainant’s performance in the course of the complainant’s employment with the data controller. This purpose was not one of the specified purposes of processing set out in the CCTV policy and signage. The controller acknowledged that the use of the complainant’s personal data in this way was a contravention of its policies.

Where personal data is processed for a purpose that is different from the one for which it was collected, the purposes underlying such further processing must not be incompatible with the original purposes. In relation to the use of the complainant’s personal data, the purpose of monitoring their performance was separate and distinct from the original purposes of security and safety for which the CCTV footage was collected.  On that basis, the processing of the complainant’s personal data contained in the CCTV footage for the purpose of monitoring performance was further processing for a purpose that was incompatible with the original purposes of its collection.

A further issue arose regarding the security around the manner in which the CCTV system and CCTV logs were accessed. In written responses to the DPC, the controller stated that, at the time of the complaint, access to CCTV footage was available on a standalone PC in the department, which did not require log-in information. The responses from the controller indicated that access to CCTV footage was not logged either manually or automatically. The absence of an access log for the CCTV footage was a deficiency in data security generally: without authentication and an access record, the controller cannot establish who viewed footage, when, or for what purpose, and so cannot detect or demonstrate that footage was used only for the declared purposes. Data controllers must implement appropriate technical and organisational measures, in line with Article 32 of the GDPR, in relation to the conditions around access to personal data.

The CCTV policy has since been substantially revised and replaced by a new policy. The controller confirmed that the PC utilised has now been deactivated and removed. Access to CCTV recordings is now limited to a single individual in the specific unit and recordings are reviewed only in the event of a security incident or accident.

Of particular relevance in this type of situation are the obligations to process personal data fairly (Article 5(1)(a)), and to obtain such data for specific purposes and not further process it in a manner that is incompatible with those purposes (Article 5(1)(b)). Further, appropriate security measures should be in place to ensure the security of the personal data (Article 5(1)(f) and Article 32).


4)  Case Study 4: Access to CCTV footage

This complaint concerned an alleged incomplete response to a subject access request for CCTV footage made by the complainant to an educational institution. The complainant advised that they were the victim of an alleged attempted assault. The complainant requested access to CCTV footage from the time the alleged assault happened, in particular in relation to a specific identified time period from two different camera angles.

In response to the request, the organisation provided the complainant with a select number of stills from the CCTV footage relating to one camera. The complainant then requested a still for every second of the recording in which the complainant’s image appeared. The educational institution responded that all “significant” footage, in the opinion of the controller, had been provided and that, as the CCTV cameras were on a 30-day recording cycle, the footage had since been recorded over. The controller clarified that it did not store any footage unless there was a “lawful requirement” to do so.

The DPC noted that, when a valid access request is made to a data controller, the request must be complied with by the data controller within a certain period (under Article 12(3) of the GDPR, this is generally one month). The right of access to personal data is one of the key fundamental rights provided for in data protection legislation. In the context of access requests to CCTV footage, the data controller’s obligation to provide a copy of the requester’s personal data usually requires providing a copy of the CCTV footage in video format. Where this is not possible, such as where the footage is technically incapable of being copied to another device, or in other exceptional circumstances, it may be acceptable to provide a data subject with stills as an alternative to video footage. However, where stills are provided, the data controller should provide the data subject with a still for every second of the recording in which the data subject’s image appears and an explanation of why the footage cannot be provided in video format. The controller should also preserve all footage relating to the period specified until such time as the requester confirms that they are satisfied with the response provided; in practice this means the retention cycle must be suspended for that footage as soon as the request is received, rather than being allowed to overwrite it.

As the data controller had not provided the complainant with either the CCTV footage requested or a complete set of the stills relating to the specified period, the data controller failed to comply with its obligations in relation to the right of access, both from a time perspective (Article 12(3)) and regarding the provision of a full and complete set of personal data processed by the controller (Article 15).  
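Case Study 3 (footage viewable on an unauthenticated PC with no access log, and reviewed for an undeclared purpose) and Case Study 4 (footage overwritten by the 30-day cycle while an access request was outstanding) describe the same small set of missing controls. The following is an added illustration of those controls in code; it is not the DPC's code nor any controller's system, and every name in it (CctvStore, DECLARED_PURPOSES, the sample clip, the operator names and the request id) is an assumption made for the example. It shows authenticated, purpose-checked and logged access to footage, a tamper-evident audit log, and a legal hold that keeps footage covered by an access request out of the retention cycle until the hold is released.

```python
# Added example, not the DPC's or any controller's code. It models the controls Case
# Studies 3 and 4 describe: authenticated, purpose-checked and logged access to CCTV
# footage, a hash-chained audit log, and a legal hold on footage under an access request.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json

DECLARED_PURPOSES = frozenset({"security", "safety"})  # purposes on the (hypothetical) policy/signage
RETENTION = timedelta(days=30)                          # recording cycle cited in Case Study 4


@dataclass
class Clip:
    camera: str
    start: datetime
    end: datetime
    holds: set = field(default_factory=set)  # ids of open access requests
    def overlaps(self, start, end):
        return self.start < end and start < self.end


class CctvStore:
    def __init__(self, now, reviewers):
        self.now = now                    # injectable clock
        self.reviewers = set(reviewers)   # operators allowed to view footage at all
        self.clips = []
        self.audit = []                   # append-only, hash-chained log
        self._prev = "0" * 64

    def _log(self, **entry):
        # Each entry commits to the previous hash, so edits or deletions break the chain.
        entry.update(ts=self.now().isoformat(), prev=self._prev)
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev = entry["hash"]
        self.audit.append(entry)

    def access(self, operator, purpose, camera, start, end):
        # Return matching clips only for a known reviewer and a declared purpose; log every attempt.
        if operator not in self.reviewers:
            self._log(event="access", operator=operator, purpose=purpose, result="denied:unauthenticated")
            raise PermissionError("operator not authorised to view footage")
        if purpose not in DECLARED_PURPOSES:  # Case Study 3: performance monitoring is off-policy
            self._log(event="access", operator=operator, purpose=purpose, result="denied:purpose")
            raise PermissionError(f"purpose {purpose!r} not in CCTV policy")
        hits = [c for c in self.clips if c.camera == camera and c.overlaps(start, end)]
        self._log(event="access", operator=operator, purpose=purpose, camera=camera, result=f"granted:{len(hits)}")
        return hits

    def place_hold(self, request_id, start, end):
        # Case Study 4: footage covered by an access request must survive the retention cycle.
        held = [c for c in self.clips if c.overlaps(start, end)]
        for c in held:
            c.holds.add(request_id)
        self._log(event="hold", request=request_id, clips=len(held))
        return len(held)

    def release_hold(self, request_id):
        for c in self.clips:
            c.holds.discard(request_id)
        self._log(event="release", request=request_id)

    def run_retention(self):
        # Delete clips past RETENTION unless a hold is open; return the number deleted.
        cutoff = self.now() - RETENTION
        keep = [c for c in self.clips if c.holds or c.end > cutoff]
        self.clips, deleted = keep, len(self.clips) - len(keep)
        self._log(event="retention", deleted=deleted)
        return deleted

    def verify_audit(self):
        # Recompute the chain; False if any entry was altered, reordered or removed.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    # Walk both case studies on constructed data and return the observed outcomes.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    clock = {"now": t0}
    store = CctvStore(lambda: clock["now"], reviewers=["alice"])
    store.clips.append(Clip("cam1", t0, t0 + timedelta(minutes=10)))  # constructed sample clip
    win = (t0, t0 + timedelta(minutes=5))
    out = {}
    for operator, purpose in [("bob", "security"), ("alice", "performance")]:
        try:
            store.access(operator, purpose, "cam1", *win)
        except PermissionError:
            out[f"{operator}/{purpose}"] = "denied"
    out["alice/security"] = len(store.access("alice", "security", "cam1", *win))
    clock["now"] = t0 + timedelta(days=5)       # access request lands inside the 30-day cycle
    store.place_hold("SAR-1", t0, t0 + timedelta(minutes=10))
    clock["now"] = t0 + timedelta(days=40)      # cycle has elapsed, but the hold is still open
    out["deleted_while_held"] = store.run_retention()
    store.release_hold("SAR-1")                 # requester confirmed they are satisfied
    out["deleted_after_release"] = store.run_retention()
    out["audit_ok"] = store.verify_audit()
    store.audit[1]["purpose"] = "security"      # simulate an operator rewriting a log entry
    out["tamper_detected"] = not store.verify_audit()
    return out
```

Calling `demo()` walks the two scenarios: the unauthenticated operator and the off-policy "performance" purpose are both refused and both refusals are logged; the held clip survives a retention run after the 30-day cycle and is only deleted once the hold is released; and editing a past log entry is detected by the hash chain. In a real deployment the purpose check would be backed by the operator's role and the incident ticket that justifies the review, and the audit log would be written to storage the CCTV operators cannot modify.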


5)  Case Study 5: Obligation to give reasons when refusing to provide access to personal data

This complainant previously owned a property in a development managed by a management company. The complainant made a data access request to the management company but was of the view that the data controller failed to provide all of the complainant’s personal data in its response.

The management company was determined to be the data controller, as it controlled the contents and use of the complainant’s personal data for the purposes of its role as a management company in respect of a development in which the complainant had owned a property. The data in question consisted of (amongst other things) the complainant’s name and address. The data was personal data as the complainant could be identified from it and it related to the complainant as an individual.

During the course of the DPC’s examination of the complaint, the data controller provided a description of a document containing the complainant’s personal data that was being withheld on the basis that it was legally privileged. This document had not been referred to in the data controller’s response to the complainant’s access request. It was noted that the data controller should have referred to this document and the reason(s) for which it was refusing to provide the document to the complainant in its response to the complainant’s access request.

The DPC also considered whether the data controller had supplied the complainant with all of their personal data, as required by legislation. The DPC noted that the complainant had provided specific and detailed descriptions of data they believed had not been provided. In response, the data controller stated that it did not retain data relating to matters that it considered to be closed and had provided the complainant with all of their personal data held by the data controller at the date of the access request. The DPC was of the view that it was credible that the data controller would not retain personal data on an indefinite basis. The DPC was therefore satisfied that the data controller had provided the complainant with all of their personal data (with the exception of the document over which the data controller had asserted legal privilege, as set out above). For that reason, no further contravention of the legislation had occurred.

Under Article 15 of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her which are being processed. However, this right does not apply to personal data processed for the purpose of seeking, receiving or giving legal advice, or to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings (Section 60(3)(a)(iv) of the Data Protection Act 2018). Where a data controller refuses to comply with a request for access to personal data, however, it is required under Article 12(4) of the GDPR to inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for the refusal and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. A controller relying on an exemption should therefore identify the withheld material and the exemption relied on in its response, rather than omitting the material silently.


6)  Case Study 6: Processing of Special Category Data

This complaint concerned the processing of the complainant’s personal data (in this case, details about the nature of the complainant’s medical condition) by his employer, for the purpose of administering the complainant’s sick leave and related payments. In particular, the complainant raised concerns regarding the sharing of his medical records by the data controller (the employer), including with staff at the local office of the data controller where the complainant worked. The complainant highlighted his concerns to a senior official in the organisation. However, the view of the senior official was that the minimum amount of information necessary had been shared.

When a person’s personal data is being processed by a data controller, there are certain legal requirements that the data controller must meet. Of particular relevance to this complaint are the obligations (1) to process personal data fairly; (2) to obtain such data for specific purposes and to not further process it in a manner that is incompatible with those purposes; (3) that the data be relevant and adequate and the data controller not process more of it than is necessary to achieve the purpose for which it was collected; and (4) to maintain appropriate security of the personal data. As well as the rules that apply when personal data is being processed, because the personal data in this case concerned medical information, (which is afforded even more protection under data protection legislation), there were additional requirements that had to be met by the data controller.

It was considered that the initial purpose of the processing of this personal data by the data controller was the administration of a statutory illness payment scheme. This Office also found that the further processing of the complainant’s personal data for the purpose of managing employees with work-related stress or long-term sick leave and the monitoring of sick pay levels was not incompatible with the purpose for which the data was initially collected. Moreover, the DPC concluded that processing for the purpose of managing work-related stress and long-term sick leave and monitoring sick pay was necessary for the performance of a contract to which the data subject was a party, for compliance with a legal obligation to which the controller was subject, and for the purpose of exercising or performing a right or obligation which is conferred or imposed by law on the data controller in connection with employment.

It was, however, considered that the data processed by the local HR office (i.e. the specific nature of the complainant’s medical illness) was excessive for the purpose of managing long-term sick leave and work related stress leave and for monitoring sick-pay levels. Moreover, the DPC concluded that, on the basis that excessive personal data was disclosed by the shared services provider to the local HR office and further within that office, the level of security around the complainant’s personal data was not appropriate. Finally, it was considered that, in these circumstances, the data controller did not process the complainant’s personal data fairly. Therefore, the data controller was found to have contravened its data protection obligations.

Under the GDPR, special category personal data (such as health data) must be processed fairly in line with Article 5(1)(a).  It must be collected for a specified, explicit and legitimate purpose and not further processed in a manner incompatible with those purposes in line with Article 5(1)(b). It may be processed only in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, in line with Article 5(1)(f). When processing special category data, controllers need to be conscious of the additional requirements set out in Article 9 of the GDPR.


7)  Case Study 7: Further processing for a compatible purpose

The complainant was a solicitor who engaged another solicitor to represent them in legal proceedings. The relationship between the complainant and the solicitor engaged by the complainant broke down and the solicitor raised a grievance about the complainant’s behaviour to the Law Society. In this context, the solicitor provided certain information about the complainant to the Law Society. The complainant referred the matter to the DPC, alleging that the solicitor had contravened data protection legislation.

It was established that the complainant’s solicitor was the data controller, as it controlled the contents and use of the complainant’s personal data for the purpose of providing legal services to the complainant. The data in question consisted of (amongst other things) information relating to the complainant’s legal proceedings and was personal data because the complainant could be identified from it and it related to the complainant as an individual.

The DPC noted the Law Society’s jurisdiction to handle grievances relating to the misconduct of solicitors (by virtue of the Solicitors Acts 1954-2015). It also accepted that the type of misconduct that the Law Society may investigate includes any conduct that might damage the reputation of the profession. The DPC also noted that the Law Society accepts jurisdiction to investigate complaints made by solicitors about other solicitors (and not just complaints made by or on behalf of clients) and that its code of conduct requires that, if a solicitor believes another solicitor is engaged in misconduct, it should be reported to the Law Society. The DPC therefore considered that the complaint made by the data controller to the Law Society was properly made and that it was for the Law Society to adjudicate on the merit of the complaint.

The DPC then considered whether the data controller had committed a breach of data protection legislation. In this regard, the DPC noted that data controllers must comply with certain legal principles that are set out in the relevant legislation. Of particular relevance to this complaint was the requirement that data must be obtained for specified purposes and not further processed in a manner that is incompatible with those purposes. The DPC established that the reason the complainant’s personal data was initially collected/processed was for the purpose of providing the complainant with legal services. The DPC pointed out that when the data controller made a complaint to the Law Society, it conducted further processing of the complainant’s personal data. As the further processing was for a purpose that was different to the purpose for which it was collected, the DPC had to consider whether the purpose underlying the further processing was incompatible with the original purpose.  

The DPC confirmed that a different purpose is not necessarily an incompatible purpose and that incompatibility should always be assessed on a case-by-case basis. In this case, the DPC held that, because there is a public interest in ensuring the proper regulation of the legal profession, the purpose for which the complainant’s data was further processed was not incompatible with the purpose for which it was originally collected. On this basis, the data controller had acted in accordance with data protection legislation.

The DPC then noted that, in addition to other legal requirements, a data controller must have a lawful basis for processing personal data. The lawful basis that the data controller sought to rely on in this case was that the processing was necessary for the purposes of the legitimate interests pursued by the data controller. In this regard, the DPC held that the data controller had a legitimate interest in disclosing to the Law Society any behaviour that could bring the reputation of the legal profession into disrepute. Further, the data controller was required by the Law Society’s Code of Conduct to report serious misconduct to the Law Society. As a result, the DPC was of the view that the data controller had a valid legal basis for disclosing the complainant’s personal data and had not contravened the legislation.

Under Article 6 of the GDPR, a data controller must have a valid legal basis for processing personal data. One such legal basis, in Article 6(1)(f) of the GDPR, provides that processing is lawful if and to the extent that it is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject. However, Article 6(4) of the GDPR provides that where processing of personal data is carried out for a purpose other than that for which the data were initially collected, this is only permitted where that further processing is compatible with the purposes for which the personal data were initially collected.

In considering whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, data controllers should take into account (i) any link between the purposes for which the data were collected and the purposes of the intended further processing, (ii) the context in which the data were collected, (iii) the nature of the personal data, (iv) the possible consequences of the intended further processing for data subjects, and (v) the existence of appropriate safeguards.


8)  Case Study 8: Appropriate security measures when processing medical data

The background to this complaint was that the complainant’s wife made a Freedom of Information (“FOI”) request to a GP who had been involved in the care of the complainant’s son. The GP subsequently wrote to another doctor who had also treated the complainant’s son, and had separately also treated the complainant, to inform them of the FOI request. That doctor replied to the GP’s letter and, in the reply, disclosed medical information concerning the complainant, who was not a patient of the GP.

In order to determine who the data controller was, the DPC sought confirmation of the capacity in which the complainant had consulted the doctor who disclosed the information in question. It was confirmed that the doctor only saw patients publicly and, on this basis, the DPC determined that the data controller was the HSE.

In response to the complaint, the data controller admitted that the personal data regarding the complainant was disclosed in error because the doctor mistakenly believed the complainant was also a patient of the GP. However, the HSE advised that the GP recipient would have been bound by confidentiality obligations in respect of the data received. The data controller also indicated that, because the doctor in question had retired, the issue could not be addressed with them personally. The HSE confirmed that its internal policies regarding data processing had been updated and improved since the incident involving the complainant.

The DPC noted that, when personal data is being processed by a data controller, there are certain legal requirements that the data controller must meet. Of particular relevance to this complaint were the obligations to process the personal data fairly and to have appropriate security measures in place to protect against unauthorised processing (including unauthorised disclosure). The DPC further noted that, because the personal data was of a medical nature (and thus benefitted from increased protection under the legislation), the standard to be met in terms of what was appropriate security was higher than that applicable to personal data generally. In addition, the DPC confirmed that, because of the increased protection afforded to health data under data protection legislation, it can be processed only if certain specified conditions are met.

It was apparent that appropriate security measures were not in place when the unauthorised disclosure to the GP took place. The DPC noted that the disclosure was to a GP who was not involved in the complainant’s medical care, and further, that the letter in which the disclosure was made had a heading referring to the complainant’s son but contained medical information relating to the complainant in the body of the letter. The mistake was therefore evident on the face of the letter itself. The DPC noted the data controller’s argument that the GP was bound by confidentiality obligations; however, it held that while this was relevant in terms of the consequences of the unauthorised disclosure, it did not address whether the data controller had appropriate security measures in place.  The DPC also highlighted that the data controller was not able to address control measures related to the disclosure as the doctor in question had retired. The DPC held that this was suggestive of the fact that a general framework related to security of personal data was not in place at the time of the disclosure.

The DPC then looked at whether the requisite conditions to permit the processing of data regarding health had been met. The DPC decided that, because the data controller had failed to put forward any lawful basis for disclosing the personal data, it had also contravened data protection legislation in this regard.

The obligation to ensure security of personal data is evident in Article 5(1)(f) of the GDPR and is further specified in Article 32, which requires that a controller and a processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In considering appropriate security measures, data controllers and processors must take into account, amongst other things, the nature, scope, context and purpose of processing, as well as the risk of varying likelihood and severity for data subjects. In this regard, the GDPR recognises that health data, which is a “special category of personal data” under Article 9 of the GDPR, are by their nature particularly sensitive in relation to fundamental rights and freedoms and merit specific protection.

Data controllers should also be aware that, where a breach of security occurs leading to the accidental or unlawful unauthorised disclosure of personal data (a “personal data breach”), it must be notified to the DPC without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it, in accordance with Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, it must also be communicated to the data subject without undue delay under Article 34.


9)  Case Study 9: Appropriate security measures

This complaint concerned the alleged loss by the complainant’s bank of several items of correspondence relating to the complainant’s bank account, which had been hand-delivered to the bank by the complainant’s partner.

It was established that the bank was the data controller as it controlled the contents and use of the complainant’s personal data in connection with its provision of banking services to the complainant. The data in question consisted of (amongst other things) the complainant’s name, address and bank account information and was personal data as the complainant could be identified from it and it related to the complainant as an individual.

During the course of the examination of the complaint, the data controller maintained that the relevant documents had been misplaced within the bank and not externally and therefore argued that no personal data breach had occurred. The DPC noted that maintaining appropriate security measures for personal data is a key requirement under data protection law. It considered the nature of the personal data that was contained in the correspondence that went missing (the complainant’s name, address and bank account information) and noted that misplacing this information had the potential to cause significant risk to the complainant and the complainant’s financial affairs. The security measures that were in place in the data controller were not sufficient to ensure an appropriate level of security, given the nature of the personal data being processed.  As regards the data controller’s argument that the correspondence was lost internally, the DPC’s view was that a data controller’s technical and organisational measures to safeguard the security of personal data must take account of the fact that internal as well as external loss of personal data, or unauthorised access to it, can give rise to risks to people like the complainant.

Based on the above, it was considered that there had been a failure of the data controller to have appropriate security and organisational measures in place, to safeguard the complainant’s personal data, and that the data controller had therefore failed to act in accordance with the data protection legislation.

Under Article 5(1)(f) of the GDPR, personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful disclosure, using appropriate technical or organisational measures. The obligation to ensure security of personal data is further specified in Article 32, which requires that a controller and a processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In considering appropriate security measures, data controllers and processors must take into account, amongst other things, the nature, scope, context and purpose of processing, as well as the risk of varying likelihood and severity for data subjects.

Data controllers should also be aware that, where a breach of security occurs leading to the accidental or unlawful unauthorised disclosure of personal data (a “personal data breach”), this must be notified to the DPC without undue delay in accordance with Article 33 of the GDPR. Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, it must also be communicated to the data subject without undue delay.


10)  Case Study 10: Processing that is necessary for the purpose of legitimate interests pursued by a controller

This complainant was an employee of a shop located in a shopping centre and was involved in an incident in the shopping centre car park regarding payment of the car park fee. After the incident, the manager of the car park made a complaint to the complainant’s employer and images from the CCTV footage were provided to the complainant’s employer. The complainant referred the matter to the DPC to examine whether the disclosure of the CCTV images was lawful.

It was established that the shopping centre was the data controller as it controlled the contents and use of the complainant’s personal information for the purposes of disclosing the CCTV stills to the complainant’s employer. The data in question consisted of images of the complainant and was personal data because it related to the complainant as an individual and the complainant could be identified from it.

The data controller argued that it had a legitimate interest in disclosing the CCTV images to the complainant’s employer, for example, to prevent people from exiting the car park without paying and to withdraw the agreement it had with the complainant’s employer regarding its staff parking in the car park. The DPC noted that a data controller must have a lawful basis on which to process a person’s personal data. One of the legal bases that can be relied on by a data controller is that the processing is necessary for the purposes of legitimate interests pursued by the data controller. (This was the legal basis that the data controller sought to rely on here.) The DPC acknowledged that the data controller had in principle a legitimate interest in disclosing the complainant’s personal data for the reasons that it put forward. However, it was not “necessary” for the data controller to disclose the CCTV stills to the complainant’s employer for the purposes of pursuing those legitimate interests. This was because the car park attendant employed by the data controller had discretion to take steps against the complainant, in pursuit of the legitimate interests, without the need to involve the complainant’s employer. For example, the car park attendant had discretion to ban the complainant from using the car park without involving the complainant’s employer. On this basis, the DPC determined that it was not necessary for the data controller to notify the complainant’s employer of the incident and provide it with CCTV stills. Accordingly, the data controller had no legal basis for doing so and had contravened data protection legislation.

Under Article 6 of the GDPR, personal data can be processed only where there is a lawful basis for doing so. One such legal basis is under Article 6(1)(f), which provides that processing is lawful if and to the extent that it is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject. Data controllers should be aware, however, that it is not sufficient merely to show that there is a legitimate interest in processing the personal data; Articles 5(1)(c) and 6(1)(f) require data controllers to be able to show that the processing in question is limited to what is “necessary” for the purpose of those legitimate interests.


11)  Case Study 11: Processing that is necessary for the purpose of performance of a contract

This complainant was involved in an incident in a car park of a building in which they worked. A complaint was made by the manager of the car park to the complainant’s employer and images from the CCTV footage of the incident were subsequently obtained by the complainant’s employer. Disciplinary proceedings were then taken against the complainant arising out of the car park incident. The complainant’s manager and other colleagues of the complainant viewed the CCTV stills in the context of the disciplinary proceedings.

The complainant’s employer was the data controller in relation to the complaint, because it controlled the contents and use of the complainant’s personal data for the purposes of managing the complainant’s employment and conducting the disciplinary proceedings. The data in question consisted of images of the complainant and was personal data because it related to the complainant as an individual and the complainant was identifiable from it.

In response to the complaint, the data controller maintained that it had a lawful basis for processing the complainant’s personal data under the legislation because the CCTV images were used to enforce the employee code of conduct, which formed part of the complainant’s contract of employment. It also stated that, because of the serious nature of the incident involving the complainant, it was necessary for the data controller to investigate the incident in accordance with the company disciplinary policy, which was referred to in the complainant’s employment contract. The data controller also argued that the CCTV stills were limited to the incident in question and that only a limited number of personnel involved in the disciplinary process viewed them.

The DPC noted that data protection legislation permits the processing of a person’s personal data where the processing is necessary for the performance of a contract to which the data subject (the person whose personal data is being processed) is a party. The DPC noted the data controller here sought to argue that the use of the CCTV images was necessary for the performance of the complainant’s employment contract. However, the DPC was of the view that it was not ‘necessary’ for the data controller to process the complainant’s personal data contained in the CCTV images to perform that contract. For this argument to succeed, the data controller would have had to show that it could not have performed the complainant’s employment contract without processing the complainant’s personal data. As the data controller had failed to satisfy the DPC that this was the case, the data controller was judged to have infringed the data protection legislation.

The DPC also noted that, in addition to the requirement to have a lawful basis for processing, there are also certain legal principles that a data controller must comply with, when processing personal data. It highlighted that the processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed. The DPC noted the data controller’s argument that the CCTV stills were limited to the incident in question and that only a limited number of personnel involved in the disciplinary process viewed the stills. However, the DPC was of the view that the data controller had failed to show why it was necessary to use the CCTV images. On this basis, there had been a further infringement of the legislation by the data controller.

Under Article 6 of the GDPR, personal data can be processed only where there is a lawful basis for doing so. One such legal basis is under Article 6(1)(b), which provides that processing is lawful if and to the extent that it is necessary for the performance of a contract to which the data subject is a party. Data controllers should be aware, however, that it is not sufficient merely to show that there is a contractual basis for processing the personal data; Articles 5(1)(c) and 6(1)(b) require data controllers to be able to show that the processing in question is limited to what is “necessary” for the purpose of performance of the contract.


12)  Case Study 12: Confidential expressions of opinion and subject access requests

This complainant made a data subject access request to their employer. However, the complainant alleged that their employer omitted certain communications from its response, wrongfully withheld data on the basis that it constituted an opinion given in confidence and did not respond to the request within the required timeframe as set out in the legislation.

The complainant’s employer was the data controller as it controlled the contents and use of the complainant’s personal data for the purposes of managing the complainant’s employment. The data in question consisted of the complainant’s HR file and data regarding the administration of the complainant’s employment. The data was personal data because the complainant could be identified from it and the data related to the complainant as an individual.

During the course of the examination of the complaint, the data controller identified additional documents containing the complainant’s personal data and provided these to the complainant. In relation to the document which the data controller had asserted constituted an opinion given in confidence, during the course of the investigation of this complaint, the individual who had expressed the opinion in question consented to the release of the document to the complainant, and so the document was provided by the data controller to the complainant.

Data protection legislation provides a right of access for a data subject to their personal data and, further, that access must be granted within a certain timeframe. Having investigated the complaint, the DPC was satisfied that the data controller had carried out appropriate searches and had provided the complainant with all the personal data, which the complainant was legally entitled to receive. The documents provided by the data controller to the complainant during the course of the examination of this complaint should have been furnished to the complainant within the timeframe provided for in the legislation.

Under Article 15 of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her, which are being processed. The data controller must respond to a data subject access request without undue delay and in any event within one month of receipt of the request. However, section 60 of the Data Protection Act 2018 provides that the right of access to personal data does not extend to data which consist of the expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information.


13)  Case Study 13: Processing of health data

The complainant was a member of an income protection insurance scheme and had taken a leave of absence from work due to illness. The income protection scheme was organised by the complainant’s employer. In order to claim under the scheme, the complainant was required to attend medical appointments organised by an insurance company. Information relating to the complainant’s illness was shared by the complainant with the insurance company only. However, a third party company (whose involvement in the claim was not known to the complainant) forwarded information to the complainant’s employer regarding medical appointments that the complainant was required to attend. The information included the area of specialism of the doctors in question.

It was established that the insurance company was the data controller as it controlled the contents and use of the complainant’s personal data for the purposes of managing and administering the complainant’s claim under the insurance scheme. The data in question included details of the complainant’s illness, scheduled medical appointments and proposed treatment and was deemed to be personal data because the complainant could be identified from it and it related to the complainant as an individual.

During the course of the investigation, the data controller argued that the complainant had signed a form, which contained a statement confirming that the complainant gave consent to the data controller seeking information regarding the complainant’s illness. When asked by the DPC to clarify why it had shared the information regarding the complainant’s medical appointments with the third party company (which was the broker of the insurance scheme), the data controller advised it had done so to update the broker and to ensure that matters would progress swiftly.

The data controller stated it had a legislative obligation to provide the complainant with certain information. In particular, that the data controller was obliged to inform the complainant as to the recipients or categories of recipients of the complainant’s personal data. The DPC pointed out that, while the data controller had notified the complainant that it might seek personal data relating to them, it had failed to provide sufficient information to the complainant as regards the recipients of the complainant’s personal data.

Data protection legislation also requires that data, which are kept by a data controller, be adequate, relevant and limited to what is necessary in relation to the purposes for which the data were collected. The DPC examined the reason given by the data controller for disclosing information about the nature of the complainant’s medical appointments (i.e. to update the broker and to ensure matters progressed smoothly). The DPC was of the view that it was excessive for the data controller to disclose information regarding the specific nature of the medical appointments, including the specialisms of the doctors in question, to the third party company.

The DPC pointed out that, under data protection legislation, data concerning health is afforded additional protection. The DPC was of the view that, because the information disclosed by the data controller included details of the specialisms of the doctors involved, it indicated the possible nature of the complainant’s illness and thus benefitted from that additional protection. The DPC confirmed that, because of the additional protection, there was a prohibition on processing the data in question, unless one of a number of specified conditions applied. For example (and of relevance here), the personal data concerning health could be legally processed if the complainant’s explicit consent to the processing was provided to the data controller. The DPC then considered whether the complainant signing the claim form (containing the paragraph about consent to the data controller seeking information, as described above) could be said to constitute explicit consent to the processing (disclosure) of the information relating to the complainant’s medical appointments. The DPC noted that it could be said that the complainant’s explicit consent had been given to the seeking of such information by the data controller. However, the complainant had not given their explicit consent to the giving of such information by the data controller to third parties. On this basis, the DPC held that a further contravention of the legislation had been committed by the data controller in this regard.

Under Article 13 of the GDPR, where personal data are collected from a data subject, the data controller is required to provide the data subject with certain information at the time the personal data are obtained, such as the identity and contact details of the data controller and, where applicable, its Data Protection Officer, the purpose and legal basis for the processing and the recipients of the data, if any, as well as information regarding the data subject’s rights. This information is intended to ensure that personal data are processed fairly and transparently. Where the personal data have been obtained otherwise than from the data subject themselves, additional information is required to be provided to the data subject under Article 14 of the GDPR. This information must be given in a concise, transparent, intelligible and easily accessible form.

Additionally, the data minimisation principle under Article 5(1)(c) requires that personal data be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. This means that the period for which personal data are stored should be limited to a strict minimum and that personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

Finally, data controllers should note that personal data concerning health is considered a “special category of personal data” under Article 9 of the GDPR and is subject to specific rules, in recognition of its particularly sensitive nature and the particular risk to the fundamental rights and freedoms of data subjects which could be created by the processing of such data. The processing of medical data is only permitted in certain cases as provided for in Article 9(2) of the GDPR and sections 45 to 54 of the Data Protection Act 2018, such as where the data subject has given explicit consent to the processing for one or more specified purposes.


14)  Case Study 14: Access requests and legally privileged material

This complaint concerned an alleged incomplete response to a data subject access request. The background to this complaint was that the complainant had submitted an access request to the trustees of a pension scheme (the “Trustees”). As part of its response to the access request, the Trustees referred to a draft letter relating to the complainant; however, this draft letter was not provided to the complainant.

It was established that the Trustees were the data controller as they controlled the contents and use of the complainant’s personal data for the purposes of the complainant’s pension. The data in question consisted of (amongst other things) information about the complainant’s employment and pension and was personal data because it related to the complainant as an individual and the complainant could be identified from it.

The data controller sought to argue that the draft letter was legally privileged and that therefore the data controller was not required to provide it to the complainant. The DPC sought further information from the data controller regarding the claim of legal privilege over the draft letter. In response, the data controller did not clarify the basis on which privilege was asserted over the draft letter; however, it agreed to provide the data to the complainant.

It was decided therefore that the data controller had failed to establish an entitlement to rely on the exemption in respect of legally privileged data. Accordingly, the letter should have been provided to the complainant in response to the complainant’s access request within the timeframe set out in the legislation.

Under Article 15 of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her, which are being processed. The data controller must respond to a data subject access request without undue delay and in any event within one month of receipt of the request. However, the right of access to one’s personal data does not apply to personal data processed for the purpose of seeking, receiving or giving legal advice or personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings. Where a data controller seeks to assert privilege over information sought by a data subject under Article 15, the DPC, examining a complaint in relation to the refusal, will require the data controller to provide considerable information, including an explanation as to the basis upon which the data controller is asserting privilege, so that the validity of the claim can be properly evaluated.


15)  Case Study 15: Processing in the context of a workplace investigation

The complainant was involved in a workplace investigation arising out of allegations made by the complainant against a colleague. The complainant’s employer appointed an independent consultancy firm (the “Consultancy Company”) to carry out the investigation and the findings of the Consultancy Company were subject to a review by an independent panel.

After the conclusion of the workplace investigation, the complainant made a data access request to their employer and a number of documents were provided in response to this request. However, the complainant was of the view that the request was not responded to fully. For example, the complainant claimed that the witness statements (that had been taken during the investigation) that were provided to the complainant were factually incorrect and that certain documents were not provided to the complainant (such as access logs to the complainant’s personnel files). The complainant further alleged that their employer had disclosed details of the complainant’s work performance, sick leave arrangements and copies of the complainant’s pay slips to the complainant’s colleagues. Finally, the complainant claimed that their employer had failed to comply with the complainant’s requests for rectification of the witness statements (which the complainant alleged were factually incorrect).

It was established that the complainant’s employer was the data controller as it controlled the complainant’s data in the context of the workplace investigation. The data in question consisted of the complainant’s payroll information, information relating to the complainant’s sick leave and witness statements relating to the complainant. The data was personal data because it related to the complainant as an individual and the complainant could be identified from it.

In response to the complainant’s allegation that their access request was not responded to fully, the data controller stated that, in relation to the witness statements, the complainant was provided with the copies of the original witness statements that were held on the complainant’s file. In relation to the access logs, the data controller was of the view that these did not constitute personal data (because they tracked the digital movement of other employees on the data controller’s IT systems). In relation to other miscellaneous documents that the complainant alleged had not been received, the data controller indicated that, if the complainant could specify details of these documents, it would consider the complainant’s allegation further.

Regarding the complaint that the data controller had disclosed details of the complainant’s work performance to colleagues of the complainant, the data controller argued that the complainant’s performance would have been discussed with the complainant’s managers and therefore was disclosed for legitimate business reasons. Regarding the complaint around disclosure of details regarding the complainant’s sick leave, the data controller noted that it was not aware of any such disclosure. Finally, in relation to the allegation that the complainant’s payslips were disclosed, the data controller argued that they were provided to an employee of the data controller to be reviewed in the context of a separate case taken by the complainant.

The complainant also made a request for rectification of witness statements which, the complainant alleged, were factually incorrect. However, the data controller advised that what was recorded in the witness statements represented the views of the people involved and, on this basis, refused to amend the witness statements.

The DPC was of the view that there were five issues to be examined by it in relation to the complaint. The DPC’s view on each of these issues is summarised below (under headings representing each of the five issues).

Access request

The DPC noted that the complainant had made a valid access request. However, having considered the matter, on balance, the DPC was of the view that there was no evidence available to suggest that the data controller unlawfully withheld information. The DPC noted, however, that the complainant’s data access request had not been dealt with in the timeframe required under the legislation. In this regard, the data controller had committed a data protection breach.

Under Article 12(3) of the GDPR, a data subject has a right to obtain from a data controller access to personal data concerning him or her, which are being processed. The data controller must respond to a subject access request without undue delay and in any event within one month of receipt of the request.

Alleged unauthorised disclosure of the complainant’s personal data

Controllers must have a lawful basis under data protection legislation to process personal data, including the disclosure of that data to a third party. In relation to the disclosure of details regarding the complainant’s work performance, the DPC was of the opinion that such processing was lawful as it was for legitimate business reasons. Regarding the issue of disclosure of sick leave details, the DPC concluded that it did not have sufficient information relating to the alleged incident in order to determine whether a breach of the legislation had occurred. In relation to the disclosure of the complainant’s payslips, the DPC was of the view that the disclosure was lawful. This was because the payslips were disclosed in order to assist the data controller in defending a separate legal claim brought by the complainant against it.

Under Article 6 of the GDPR, a data controller is required to have a legal basis for processing (including disclosing) any personal data. The available legal bases for processing include (a) that the data subject has given consent, (b) that the processing is necessary for the performance of a contract to which the data subject is a party, (c) that the processing is necessary for compliance with a legal obligation to which the data controller is subject, (d) that the processing is necessary in order to protect the vital interests of an individual, (e) that the processing is necessary for the performance of a task carried out in the public interest, or (f) that the processing is necessary for the purposes of legitimate interests pursued by the data controller or by a third party.

Fair processing

There is an obligation on data controllers to process personal data fairly. During the course of its investigation, the DPC asked the data controller to confirm how it complied with its obligations to process the complainant’s data in a fair manner, in relation to each of the alleged disclosures of the complainant’s personal data. The data controller failed to provide the information required and, in these circumstances, the DPC considered that the data controller had failed to process the complainant’s data in line with its fair processing obligations.

Under the GDPR, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. That principle requires that the data subject be provided with certain information under Articles 13 and 14 of the GDPR in relation to the existence of the processing operation and its purposes. Data subjects should be made aware of risks, rules, safeguards and rights in relation to the processing of their personal data. Where personal data can be legitimately disclosed to another recipient, data controllers should inform the data subject, when the personal data are first disclosed, of the recipient or categories of recipients of the personal data.

Right to rectification

Under data protection legislation, there is a right to rectification of incorrect personal data. However, here the data controller had confirmed that what was recorded in the witness statements represented the views of the people involved. The view was taken that where an opinion is correctly recorded and where the opinion is objectively based on matters that the person giving the opinion would reasonably have believed to be true, the right to rectification does not apply.

Under Article 5 of the GDPR, personal data being processed must be accurate and, where necessary, kept up to date and data controllers are required to ensure that every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purpose for which they are processed, are erased or rectified without delay. Under Article 16 of the GDPR, a data subject has the right to obtain from a data controller without undue delay the rectification of inaccurate personal data concerning him or her. However, under section 60 of the Data Protection Act 2018, this right is restricted to the extent that the personal data consist of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information.

Retention of the complainant’s personal data

The DPC asked the data controller to outline the legal basis for the retention (i.e. processing) of the complainant’s personal data relating to the workplace investigation. The data controller advised that this data was being retained in order to deal with the complainant’s requests and appeals under various statutory processes. On this basis, the DPC was of the view that the retention of the complainant’s personal data was lawful as it was for legitimate business reasons.

Under the GDPR, not only must a data controller have a lawful basis for initially obtaining an individual’s personal data, but it must also have an ongoing legal basis for the retention of those data in accordance with Article 6, as set out above. Under Article 5(1)(e) of the GDPR, personal data which is in a form permitting the identification of data subjects must be kept for no longer than is necessary for the purposes for which they are processed.