This complainant was involved in an incident in a carpark of a building in which they worked. A complaint was made by the manager of the car park to the complainant’s employer and images from the CCTV footage of the incident were subsequently obtained by the complainant’s employer. Disciplinary proceedings were then taken against the complainant arising out of the car park incident. The complainant’s manager and other colleagues of the complainant viewed the CCTV stills in the context of the disciplinary proceedings.

The complainant’s employer was the data controller in relation to the complaint, because it controlled the contents and use of the complainant’s personal data for the purposes of managing the complainant’s employment and conducting the disciplinary proceedings. The data in question consisted of images of the complainant and was personal data because it related to the complainant as an individual and the complainant was identifiable from it.

In response to the complaint, the data controller maintained that it had a lawful basis for processing the complainant’s personal data under the legislation because the CCTV images were used to enforce the employee code of conduct, which formed part of the complainant’s contract of employment. It also stated that, because of the serious nature of the incident involving the complainant, it was necessary for the data controller to investigate the incident in accordance with the company disciplinary policy, which was referred to in the complainant’s employment contract. The data controller also argued that the CCTV stills were limited to the incident in question and that only a limited number of personnel involved in the disciplinary process viewed them.

The DPC noted that data protection legislation permits the processing of a person’s personal data where the processing is necessary for the performance of a contract to which the data subject (the person whose personal data is being processed) is a party. The DPC noted the data controller here sought to argue that the use of the CCTV images was necessary for the performance of the complainant’s employment contract. However, the DPC was of the view that it was not ‘necessary’ for the data controller to process the complainant’s personal data contained in the CCTV images to perform that contract. For this argument to succeed, the data controller would have had to show that it could not have performed the complainant’s employment contract without processing the complainant’s personal data. As the data controller had failed to satisfy the DPC that this was the case, the data controller was judged to have infringed the data protection legislation.

The DPC also noted that, in addition to the requirement to have a lawful basis for processing, there are also certain legal principles that a data controller must comply with, when processing personal data. It highlighted that the processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed. The DPC noted the data controller’s argument that the CCTV stills were limited to the incident in question and that only a limited number of personnel involved in the disciplinary process viewed the stills.

However, the DPC was of the view that the data controller had failed to show why it was necessary to use the CCTV images. On this basis, there had been a further infringement of the legislation by the data controller.

This complainant was an employee of a shop located in a shopping centre and was involved in an incident in the shopping centre car park regarding payment of the car park fee. After the incident, the manager of the car park made a complaint to the complainant’s employer and images from the CCTV footage were provided to the complainant’s employer. The complainant referred the matter to the DPC to examine whether the disclosure of the CCTV images was lawful.

It was established that the shopping centre was the data controller as it controlled the contents and use of the complainant’s personal information for the purposes of disclosing the CCTV stills to the complainant’s employer. The data in question consisted of images of the complainant and was personal data because it related to the complainant as an individual and the complainant could be identified from it.

The data controller argued that it had a legitimate interest in disclosing the CCTV images to the complainant’s employer, for example, to prevent people from exiting the car park without paying and to withdraw the agreement it had with the complainant’s employer regarding its staff parking in the car park. The DPC noted that a data controller must have a lawful basis on which to process a person’s personal data. One of the legal bases that can be relied on by a data controller is that the processing is necessary for the purposes of legitimate interests pursued by the data controller. (This was the legal basis that the data controller sought to rely on here.) The DPC acknowledged that the data controller had in principle a legitimate interest, in disclosing the complainant’s personal data for the reasons that it put forward. However, it was not “necessary” for the data controller to disclose the CCTV stills to the complainant’s employer for the purposes of pursuing those legitimate interests. This was because the car park attendant employed by the data controller had discretion to take steps against the complainant, in pursuit of the legitimate interests, without the need to involve the complainant’s employer. For example, the car park attendant had discretion to ban the complainant from using the car park without involving the complainant’s employer. On this basis, the DPC determined that it was not necessary for the data controller to notify the complainant’s employer of the incident and provide it with CCTV stills. Accordingly, the data controller had no legal basis for doing so and had contravened data protection legislation.

The complainant was a solicitor who engaged another solicitor to represent them in legal proceedings. The relationship between the complainant and the solicitor engaged by the complainant broke down and the solicitor raised a grievance about the complainant’s behaviour to the Law Society. In this context, the solicitor provided certain information about the complainant to the Law Society. The complainant referred the matter to the DPC, alleging that the solicitor had contravened data protection legislation.

It was established that the complainant’s solicitor was the data controller, as it controlled the contents and use of the complainant’s personal data for the purpose of providing legal services to the complainant. The data in question consisted of (amongst other things) information relating to the complainant’s legal proceedings and was personal data because the complainant could be identified from it and it related to the complainant as an individual.

The DPC noted Law Society’s jurisdiction to handle grievances relating to the misconduct of solicitors (by virtue of the Solicitors Acts 1954-2015). It also accepted that the type of misconduct that the Law Society may investigate includes any conduct that might damage the reputation of the profession. The DPC also noted that the Law Society accepts jurisdiction to investigate complaints made by solicitors about other solicitors (and not just complaints made by or on behalf of clients) and its code of conduct requires that, if a solicitor believes another solicitor is engaged in misconduct, it should be reported to the Law Society. The DPC therefore considered that the complaint made by the data controller to the Law Society was properly made and that it was for the Law Society to adjudicate on the merit of the complaint.

The DPC then considered whether the data controller had committed a breach of data protection legislation. In this regard, the DPC noted that data controllers must comply with certain legal principles that are set out in the relevant legislation. Of particular relevance to this complaint was the requirement that data must be obtained for specified purposes and not further processed in a manner that is incompatible with those purposes. The DPC established that the reason the complainant’s personal data was initially collected/processed was for the purpose of providing the complainant with legal services. The DPC pointed out that when the data controller made a complaint to the Law Society, it conducted further processing of the complainant’s personal data. As the further processing was for a purpose that was different to the purpose for which it was collected, the DPC had to consider whether the purpose underlying the further processing was incompatible with the original purpose.

The DPC confirmed that a different purpose is not necessarily an incompatible purpose and that incompatibility should always be assessed on a case-by-case basis. In this case, the DPC held that, because there is a public interest in ensuring the proper regulation of the legal profession, the purpose for which the complainant’s data was further processed was not incompatible with the purpose for which it was originally collected. On this basis, the data controller had acted in accordance with data protection legislation.

The DPC then noted that, in addition to other legal requirements, a data controller must have a lawful basis for processing personal data. The lawful basis that the data controller sought to rely on in this case was that the processing was necessary for the purposes of the legitimate interests pursued by the data controller. In this regard, the DPC held that the data controller had a legitimate interest in disclosing to the Law Society any behaviour that could bring the reputation of the legal profession into disrepute. Further, the data controller was required by the Law Society’s Code of Conduct to report serious misconduct to the Law Society). As a result, the DPC was of the view that the data controller had a valid legal basis for disclosing the complainant’s personal data and had not contravened the legislation.

Under Article 6 of the GDPR, a data controller must have a valid legal basis for processing personal data. One such legal basis, in Article 6(1)(f) of the GDPR, provides that processing is lawful if and to the extent that it is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of the data subject. However, Article 6(4) of the GDPR provides that where processing of personal data is carried out for a purpose other than that for which the data were initially collected, this is only permitted where that further processing is compatible with the purposes for which the personal data were initially collected.

In considering whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, data controllers should take into account (i) any link between the purposes for which the data were collected and the purposes of the intended further processing, (ii) the context in which the data were collected, (iii) the nature of the personal data, (iv) the possible consequences of the intended further processing for data subjects, and (v) the existence of appropriate safeguards.

An individual made a complaint against a parish church regarding the processing of the individual’s personal data arising from the live streaming and recording of a family member’s funeral service that the individual had attended. The individual also complained about a lack of transparency that the recording was taking place.

The individual complained to the DPC about the parish church’s response to their concern around the use of live streaming and recording for funeral services. In our examination of the complaint, the DPC engaged with the parish church to ascertain their lawful basis for processing and for clarification on their response to the data complaint. The parish church informed the DPC that live streaming of funeral services was used during Covid-19 restrictions and that they record funeral services when requested to do so by family members, which did happen in this complaint, usually when one cannot attend the funeral. The parish church informed the DPC they use one camera in a fixed location to make these recordings and for live streaming. The parish church removes the recordings from their website at the end of 30 days.

The parish church apologised to the individual for any distress caused and particularly for not informing the individual of the 30 days only retention period. The parish church informs attendees at the beginning of services that they will be live streamed and have signs with this information at their entrance doors. The parish church implemented changes because of this complaint, including informing attendees during a service that it is being live streamed, including information on their live streaming and recording in parish newsletters and on their website, only responding to written requests for recordings and password protecting the recordings in future.

The DPC wrote to the individual and advised them under section 109(5)(c) of the 2018 Act that the parish church and those unable to attend a funeral service had a legitimate interest to view the service by live stream or recording. The DPC noted the 30-day retention period of the footage, the fixed restricted view of the camera and the changes the parish church had made arising from this complaint, including requiring a request for recording to be made in writing and password protecting these recordings. The DPC advised the individual that the response of the parish church was reasonable in the circumstances of this complaint and noted that the recording was requested by another family member of the deceased. Nevertheless, the DPC recommended under section 109(5)(f) of the 2018 Act that the parish church update the privacy policy available on its website with more information on the live streaming and recording of funeral services.

The DPC received a complaint from an individual regarding the publication of their photograph in an article contained in a workplace newsletter without their consent. The data controller, who was the individual’s public sector employer, informed the individual that it should have obtained consent to use the photograph in the workplace newsletter as this was not the purpose for which the photograph was obtained. The data controller also informed the individual that a data breach had occurred in this instance.

This complaint was identified as potentially being amicably resolved under Section 109 of the Data Protection Act 2018, with both the complainant and data controller agreeing to work with the DPC to try to amicably resolve the issue.

The data controller engaged with the DPC on the matter, and advised that it had conducted an internal investigation and determined that a data breach did occur and that consent should have been obtained to use the individual’s photograph in the workplace newsletter. The purpose(s) for which the photograph was initial obtained did not include publication in a newsletter. An apology from the employer was issued to the individual. However, the complainant did not deem this to be an appropriate resolution to the complaint at hand.

The DPC provided recommendations that a consent information leaflet be distributed to staff in advance of using photography, audio and/or video, and that a consent form for photography, audio and video be completed and signed prior to images or recordings being obtained, which the controller subsequently implemented. Article 5(1)(b) of the GDPR states that “personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’). The DPC was satisfied that the data controller further processed the individual’s personal data without their consent (or other legal basis) for doing so when it published the employee photograph in the workplace newsletter. The DPC issued an outcome letter advising the complainant of same. The DPC was satisfied with the organisational measures subsequently introduced and as such no further actions by the controller in this case was warranted.

In this case study, the risks to the fundamental rights and freedoms of the individual could not be deemed significant, but nonetheless the personal data processing upset the individual and is an infringement of GDPR in the circumstances. This underlines the need for all organisations to train staff — at all levels and in all roles — to be aware of the GDPR and take account of its principles.

We received a complaint against a private receiver who was appointed by a financial institution over the complainant’s property.

The complaint alleged infringements of the Acts on the basis that the receiver:

• Was not registered as a controller pursuant to section 16 of the Acts;
• Had no lawful basis for obtaining the complainant’s personal data from the financial institution;
• Further processed personal data unlawfully by disclosing information to a company appointed by the receiver to manage the receivership (the receiver’s “managing agent”);
• Opened a bank account in the complainant’s name;
• Obtained the property ID and PIN from Revenue which gave the receiver access to the complainant’s personal online Revenue account; and
• Insured the property in the complainant’s name.

Following an investigation pursuant to section 10 of the Acts, the DPC established that the receiver was appointed by the financial institution on foot of a Deed of Appointment of Receiver (DOA), which granted the receiver powers pursuant to the Conveyancing Act 1881, and pursuant to the mortgage deed between the complainant and the financial institution. On being appointed, the receiver wrote to the complainant informing them of their appointment as the receiver over the complainant’s property and provided a copy of the DOA. The receiver appointed a separate company as their managing agent to assist in the managing of the property. During the receivership, the receiver liaised with Revenue in order to pay any outstanding taxes on the property, such as the Local Property Tax (LPT). It was also established that the receiver opened a bank account for the purpose of managing the income from the property. The bank account name included the name of the complainant. It was further established that an insurance policy was taken out, in respect of the property. This insurance policy referred to the complainant’s name.

The DPC first considered whether a receiver was required to register as a data controller in accordance with section 16 the Acts, and whether the exemptions listed in the Data Protection Act 1988 (Section 16(1)) Regulations 2007 (the “Registration Regulations”) applied. The DPC held that a receiver was not required to register, as the exemption under regulation 3(1)(g) of the Registration Regulations applied to the receiver. Regulation 3(1)(g) exempted data controllers who were processing data in relation to its customers. Having considered the relationship between the complainant and the receiver, the DPC held that the exemption applied in respect of the receiver’s activities regarding the complainant.

Next the DPC considered whether the receiver had a lawful basis for obtaining the personal data from the financial institution, disclosing it to the managing agent, and whether such processing constituted further processing incompatible with the original purpose it was obtained pursuant to section 2(1)(c)(ii) of the Acts. The complainant had a mortgage with the financial institution, which had fallen into arrears. Under section 19(1)(ii) of the Conveyancing Act 1881, the financial institution could appoint a receiver once the debt on the mortgage had come due. Section 2A(1)(b)(i) of the Acts permits processing of personal data where the processing is necessary “for the performance of a contract to which the data subject is party”. The mortgage deed was a contract between the data subject and the financial institution, and in circumstances where the terms of the contract were not being adhered to, the appointment of the receiver by the financial institution was necessary for the performance of the contact. The DPC held that the receiver had a lawful basis for obtaining the complainant’s personal data from the financial institution.

The DPC also found that the receiver had a lawful basis pursuant to section 2A(1)(b)(i) of the Acts to disclose personal data to its managing agent, to assist in the day to day managing of the receivership. The DPC found that the financial institution obtained the complainant’s personal data for the purposes of entering into a loan agreement. This was specific, explicit and a legitimate purpose. The disclosure of the complainant’s personal data by the financial institution to the receiver, and by the receiver to the managing agent was in accordance with the initial purpose for which the personal data was obtained. This processing during the receivership did not constitute further processing pursuant to section 2(1)(c)(ii) of the Acts. The DPC assessed whether the receiver had a lawful basis to open a bank account in the complainant’s name. The complainant submitted that this account was opened without their knowledge or consent . Consent is one of the lawful bases for processing personal data under the Acts. The DPC considered whether the receiver otherwise had a lawful basis for processing under section 2A(1)(d) of the Acts, on the basis of legitimate interests. To assess this lawful basis, the DPC took account of the Court of Justice of the European Union (CJEU) case in Rīgas C-13/16(1) which sets out a three step test for processing on the basis of legitimate interests, as follows:

Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ Case C-13/16

• The processing of personal data must be for the pursuit of a legitimate interest of the controller or a third party;
• The processing must be necessary for the purpose and legitimate interests pursued; and
• The fundamental rights and freedoms of the individual concerned do not take precedence.

The DPC held that the opening of the bank account was a reasonable measure to manage the income and expenditure during a receivership. The receiver submitted that referring to complainant’s name as part of the bank account name was necessary to ensure the receivership was carried out efficiently and to avoid confusion between different receiverships. While it would have been possible to open an account without using the complainant’s name, the DPC took account of the CJEU’s judgment in Huber v Bundesrepublik C-524/062 where the Court held that processing could be considered necessary where it allowed the relevant objective to be more effectively achieved. The DPC held that the reference to the complainant’s name on the bank account was therefore necessary, as it allowed for the more effective pursuit of the receiver’s legitimate interests.

With regard the third element of the legitimate interests test (which requires a balancing exercise, taking into account the fundamental rights and freedoms of the data subject), the DPC held that the reference to the complainant’s name on the account would have identified them to individuals who had access to the bank account or been supplied with the bank account name. The DPC balanced these concerns against the administrative and financial costs, which would result from the need for the receiver to implement an alternative procedure for naming accounts. On balance, the DPC did not find that the complainant’s fundamental rights took precedence over the legitimate interests of the receiver and as a result, the receiver had a lawful basis for processing the complainant’s name, for the purpose of the receiver’s legitimate interests.

With regard to the allegation that the receiver had gained access to the personal Revenue account of the complainant, the DPC found that the receiver did not gain access to the complainant’s personal online Revenue account as alleged. The receiver was acting as a tax agent in relation to the LPT and this did not allow access to a personal Revenue account. In relation to the insurance policy being taken out in the complainant’s name the DPC held that the receiver did not process personal data in this instance.

During the course of the investigation, the DPC also examined whether the receiver had complied with the data protection principles under section 2 of the Acts. In this regard, the DPC examined the initial correspondence the receiver had sent to the complainant notifying them of their appointment. This correspondence consisted of a cover letter and a copy of the DOA. The cover letter and DOA were assessed in order to determine whether the receiver had met their obligation to process the personal data fairly . Section 2D of the Acts required an organisation in control of personal data to provide information on the identity of the data controller, information on the intended purposes for which the data may be processed, the categories of the data concerned as well as any other information necessary to enable fair processing. The DPC held that the correspondence was sufficient in informing the complainant of the identity of the data controller (and original data controller). However, the DPC held that, while a receiver was not required to provide granular information on each purpose for which personal data was to be processed, the receiver should have given a broad outline of the purposes for which the personal data was intended to be processed, and this was not done in this case. It was also held that the receiver should have provided the categories of personal data they held in relation to the complainant, but this was not done. In light of this, the DPC held that the receiver had not complied with section 2D of the Acts.

This decision of the DPC demonstrates that private receivers and their agents may lawfully process personal data of borrowers, where such processing is necessary in order to manage and realise secured assets. Individuals should be aware that their information may be processed without their consent in circumstances where a deed of mortgage provides for the appointment of a receiver. At the same time, receivers must comply with their obligations under the Acts and GDPR to provide individuals with information on processing at the outset of the receivership. The decision is currently the subject of an appeal by the complainant to the Circuit Court.

1. Valsts policijas Rīgas reģiona pārvaldes kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’ Case C-13/16
2. Heinz Huber v Bundesrepublik Deutschland Case C-524/06
3. The processing of personal data was considered in a similar case where the same complainant made a complaint against the managing agent in this case. In that decision the DPC held that the managing agent had legitimate interest in processing the complainant’s personal data for the purposes of insuring the property.

In April 2018, we received a complaint from a data subject who had ceased to be a customer of the data controller. However, she had discovered that her data was still being processed as she continued to receive bills from the data controller. The complainant had received verbal and written assurances that she did not owe the amount being billed.

However, he complainant subsequently received a text message from a debt-collection company, asking that she contact them. When the complainant phoned the debt-collection company, it refused to provide her with any information regarding the alleged debt until she provided them with personal data verifying her identity, which she refused to do. Later the same day, the complainant received a letter from the debt-collection company confirming that it was seeking to recover monies owed by her to the data controller.

This complaint was identified as potentially capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the complainant and data controller agreeing to work with the DPC to try to amicably resolve the matter. Company A confirmed with the DPC that an error had caused the complainant’s account balance to appear outstanding but that when the error was identified by the data controller, the outstanding balance was removed from the account. The data controller also confirmed that it had instructed the debt-collection company to cease any collection activities, and also to delete any data associated with the complainant.

While the complainant was satisfied with the ultimate outcome, the DPC emphasised to the data controller that the complainant had previously been informed on at least two occasions that the matter had been resolved. Despite this, her data had been unfairly processed by being passed to a debt-collection company without there being any justification for such disclosure.

In recognition of its failings, the data controller apologised to the complainant, provided certain assurances to her that the matter would have no effect on her credit rating, and made donations to charities of her choice.

For a controller to lawfully engage a processor to process personal data, there must be a justification for the processing of the personal data in the first place. In this case, the controller had disregarded previous concerns raised by the complainant that bills were being issued to her despite her no longer receiving services from the controller and had failed to look into the continued use of her personal data for billing purposes in circumstances where she was no longer a customer.

The DPC encourages individuals to raise data protection concerns directly with the controller in the first instance so that they can address them. However, data controllers frequently ignore or disregard direct attempts made by a data subject to raise complaints until the DPC becomes involved. This is unacceptable and, as part of each organisation’s accountability obligations, it should have meaningful and efficient measures in place to deal with and address data protection complaints when raised directly by a data subject, without the need for the data subject to resort to DPC intervention.

An individual made a complaint to the DPC concerning the data controller’s use of CCTV footage to investigate an incident in which the individual was involved. The individual had organised an event in a leisure facility (the data controller), and displayed signage in relation to Covid-19 procedures to assist attendees. At the end of the event, the individual inadvertently removed a different sign also in relation to Covid-19 procedures when removing the signage they had installed for the event. The data controller reviewed its CCTV footage to establish who had removed the sign. The complainant was of the opinion that the data controller did not process their personal data in a proportionate or transparent manner, and that it did not comply with its obligations as a data controller in how it investigated the incident. Accordingly, the individual lodged a complaint with the DPC.

The DPC intervened to seek to resolve the matter informally and the parties reached an amicable resolution when the leisure centre agreed to undertake an audit of its use of the CCTV system and to restrict access to review CCTV footage to designated staff members. The individual thanked the DPC for handling their complaint in a professional and helpful manner and further stated that they were reluctant to submit the complaint initially as they are aware of the volume of complaints the DPC deals with and the accompanying constraints on resources. The complainant stated that they felt confident that the issue will not arise in the future as a result of the involvement of the DPC . The individual wished to express their appreciation and acknowledge the DPC’s efficiency in dealing with the matter.

The complainant in this case study was a former employee of a statutory service provider, whose work involved driving to locations assigned by his employer. Where this gave rise to claims for overtime or subsistence, the complainant would complete forms provided by the employer, detailing items such as relevant dates and places, dispatch reference numbers, and the amounts claimed. The employer made use of a dispatch system intended to ensure the most efficient use of drivers and vehicles, particularly as they provided response in emergency situations. This system logged the performance and completion of service calls, when vehicles were out on calls or back at base, and when drivers were on or off duty.

The complainant had made a claim for overtime and subsistence. The employer rejected this because of inconsistencies between the details on the complainant’s claim form and those recorded on the employer’s dispatch system . The complainant objected to the use of data from the dispatch system for this purpose and complained to The Data Protection Commission (DPC).

The DPC considered whether the use of data from the dispatch system to verify overtime and subsistence claims was in line with fair processing requirements. The fairness of the processing was to be assessed by reference to whether the complainant and fellow employees had been made aware of the employer’s use of the data for that purpose, whether that processing was compatible with the purpose for which the data was collected, and whether the employer had a legal basis for that processing.

The employer did not have a written policy on the use of the dispatch system . Instead, it relied on the “general awareness” of employees that the system was used for that purpose. The employer pointed out that such use had been noted in an arrangement with its employees’ trade unions some years previously. The DPC noted that overtime and subsistence claims required employees to include relevant dispatch reference numbers from the dispatch system. The DPC took the view that the inclusion of relevant dispatch system reference numbers in overtime and subsistence claims indicated that employees were aware that the data was used not just for logistical processing but also to verify their claims . Even if the major purpose of the dispatch system was to aid logistics, its use to verify overtime claims was not incompatible with that purpose, as that data was the only means available to the employer to verify claims.

The DPC noted that applicable financial regulations required the employer to verify overtime and subsistence claims. The processing to verify overtime and subsistence claims was necessary not just to comply with that legal obligation, but to perform the complainant’s employment contract and for reasons of legitimate interests of the employers.

The Garda Síochána Ombudsman Commission (GSOC) sent a letter containing the outcome of its investigation into a complaint to an address where the person who made the complaint no longer resided. The DPC established the letter was posted to the address where the individual lived at the time of a previous complaint that they had made to GSOC. The individual in question had subsequently informed GSOC they no longer lived at that address and that with regard to the new complaint they were only contactable by email.

The DPC liaised extensively with GSOC regarding this complaint . GSOC reported the data breach to the DPC through the normal breach reporting channels . To avoid this type of incident happening again, GSOC advised the DPC that an email issued internally to all staff advising of the importance of ensuring the accuracy of personal data entered onto the Case Management System (CMS) . GSOC also outlined that it sent a separate email to all line management in the GSOC Casework section advising them of the necessity to accurately input personal data on the CMS and to amend this information whenever updated information is received .