
Data Protection Commission

CASE STUDIES 2014

  

Case Study 1: Prosecutions: Private Investigators

 
This Office initiated prosecutions in the private investigator/tracing-agent sector for the first time in 2014. These prosecutions arose from a detailed investigation that commenced in the summer of 2013. Arising from audits carried out in a number of credit unions at that time, the Office became concerned about the methods employed by some private investigators hired by credit unions to trace the current addresses of members who had defaulted on their loans. The Office launched a major investigation to identify the sources from which the private investigators had obtained the current address data. This investigation involved a wide range of public bodies and private companies. As a result of our findings, the Office established that personal data on databases kept by the Department of Social Protection, the Primary Care Reimbursement Service of the Health Service Executive, An Garda Síochána and the Electricity Supply Board had been accessed unlawfully and the information was disclosed thereafter to credit unions. Details of the prosecutions that ensued are as follows:
 
M.C.K. Rentals Limited and its Directors
M.C.K. Rentals Limited (trading as M.C.K. Investigations) was charged with 23 counts of breaches of Section 22 of the Data Protection Acts 1988 and 2003 for obtaining access to personal data without the prior authority of the data controller by whom the data is kept, and disclosing the data to another person. The personal data was kept by the Department of Social Protection (7 cases) and by the Primary Care Reimbursement Service of the Health Service Executive (16 cases). In all cases, the personal data was disclosed to various credit unions in the state.
 
The two directors of M.C.K. Rentals Limited, Ms Margaret Stuart and Ms Wendy Martin, were separately charged with 23 counts of breaches of Section 29 of the Data Protection Acts 1988 and 2003 for their part in the offences committed by the company. This Section provides for the prosecution of company directors where an offence by a company is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, the company directors or other officers.
 
At Bray District Court on 6 October 2014, M.C.K. Rentals Limited pleaded guilty to five sample charges for offences under Section 22 of the Data Protection Acts 1988 and 2003. The Court convicted the company in respect of each of the five charges and it imposed a fine of €1,500 per offence. Company Secretary and Director Ms Margaret Stuart pleaded guilty to one sample charge for an offence under Section 29 of the Data Protection Acts 1988 and 2003. The Court convicted Ms Stuart in respect of that offence and imposed a fine of €1,500. Company Director Ms Wendy Martin pleaded guilty to one sample charge for an offence under Section 29 of the Data Protection Acts 1988 and 2003. The Court convicted Ms Martin in respect of that offence and it imposed a fine of €1,500.
 
This was the first occasion on which company directors were prosecuted by the Data Protection Commissioner for their part in the commission of data-protection offences by their company, and the proceedings in this case send out a strong warning to directors and other officers of bodies corporate that they may be proceeded against and punished in a court of law for criminal offences committed by the body corporate.
 
The investigation of this company uncovered wholesale and widespread “blagging” techniques used by the offenders, and this was the first prosecution by the Data Protection Commissioner of offenders engaged in such practices. The findings of the investigation carried out in this case expose the constant threat to the security of personal data that is in the hands of large data controllers and the vigilance that is required by front-line staff at all times to prevent unlawful soliciting of personal data, in particular by means of telephone contact, by unscrupulous agents. Data controllers across the state should regularly review their data-protection procedures to maximise the effectiveness of their security protocols in order to counter such criminal activity. They must ensure that all staff, and particularly those at the front line who handle telephone calls, are fully trained in the security protocols in order to be able to recognise and deal with the threat of information blagging or pretext calling if it arises.
 
Michael J. Gaynor
Michael J. Gaynor (trading as MJG Investigations) was charged with 72 counts of breaches of the Data Protection Acts 1988 and 2003. Twelve charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept, and disclosing the data to another person. The personal data was kept by the Electricity Supply Board (9 cases) and by An Garda Síochána (3 cases). In all cases, the personal data was disclosed to various credit unions in the state. A further 60 charges related to breaches of Section 16(2) of the Data Protection Acts in respect of the processing of personal data of a number of individuals in circumstances where no entry was recorded in respect of the accused in the public register maintained by the Data Protection Commissioner. Mr Gaynor is a former member of An Garda Síochána.
 
On 25 November 2014, at Dublin Metropolitan District Court, Michael J. Gaynor was convicted on two charges for offences under Section 22 of the Data Protection Acts 1988 and 2003. The Court imposed a fine of €2,500 in each of these two charges. Separately the defendant pleaded guilty to 69 charges (60 of which related to breaches of Section 16(2)) and these were taken into consideration in the sentence imposed.
 
This was the first prosecution to be completed by the Data Protection Commissioner of a data processor for processing personal data without having registered as a data processor on the public register of the Office of the Data Protection Commissioner. The investigation in this case uncovered access by the defendant to customer data held on databases held by the Electricity Supply Board. To access the personal data, the defendant used a staff contact in the Electricity Supply Board, which he had established during his previous Garda career.
 
These prosecutions send a strong message to private investigators and tracing agents to comply fully with data-protection legislation in the conduct of their business, and that if they fail to do so they will be pursued and prosecuted for offending behaviour. They also serve to remind all companies and businesses who hire private investigators or tracing agents that they have onerous responsibilities under the Data Protection Acts to ensure that all tracing or other work carried out on their behalf by private investigators or tracing agents is done lawfully. Specifically, in this regard, those operating in the credit union, banking, financial services, legal and insurance sectors should review their engagement of private investigators and tracing agents to ensure they have fully safeguarded all personal data against unlawful forms of data processing.
 
These investigations uncovered serious issues in relation to the hiring of private investigators or tracing agents by credit unions, particularly in respect of a lack of awareness on their part of how the private investigators were tracing members and, in some cases, in relation to the disclosure of PPS numbers by credit unions to private investigators. This Office has pursued all of these issues with the credit unions concerned and with their representative bodies in recent months. In addition, we have undertaken a range of follow-up work with the Department of Social Protection, the Health Service Executive, An Garda Síochána and the Electricity Supply Board on the implications of the data-security breaches that occurred in their organisations and on the measures required to deal with those breaches and to prevent a recurrence. This Office welcomes the fact that the Private Security Authority has proposed the introduction of regulation of private investigators.
 

Case Study 2: Prosecutions: Marketing Offences

 
Pure Telecom Limited
We received a complaint in March 2013 from an individual who received two marketing phone calls from Pure Telecom Limited on his landline telephone. The individual’s telephone number was listed on the National Directory Database opt-out register. It is an offence to make a marketing call to a telephone number listed on that register.
 
Pure Telecom Limited informed our investigators that it used the services of a third-party representative to make the marketing calls and it explained that the agent sourced the individual’s number themselves rather than using marketing data provided by Pure Telecom Limited. The company admitted that the third-party agent did not have consent to contact the complainant for marketing purposes.
 
At Dublin District Court on 3 February 2014, Pure Telecom Limited pleaded guilty to two charges concerning breaches of Regulation 13 (5)(b) of S.I. 336 of 2011 relating to two marketing phone calls to a phone number listed on the opt-out register. The Court imposed a conviction in respect of both charges and a fine of €500. It further ordered payment of the prosecution costs of the Data Protection Commissioner. The hearing was informed that the defendant had a previous conviction from 2010 for a similar offence.
 
Next Retail Limited
In February 2013, this Office received a complaint from an individual who received a number of unsolicited marketing emails from Next Retail Limited after she requested the company not to send her any more such emails. The complainant claimed to have unsubscribed firstly by using the unsubscribe link that was provided in a marketing email sent by the company and, following this, in four separate emails to the company requesting not to be contacted with marketing emails again.
 
Next Retail Limited informed our investigators that, as it no longer used the services of the company that it had engaged to process unsubscriptions, it was unable to explain what happened to the first unsubscribe request. With regard to the emails containing unsubscribe requests, the company confirmed that they did reach its complaints inbox but it was unable to trace where the emails went afterwards.
 
At Dublin District Court on 3 February 2014, Next Retail Limited pleaded guilty to two charges concerning breaches of Regulation 13(1) of S.I. 336 of 2011 relating to the sending of two unsolicited marketing emails without consent. The Court imposed a conviction in respect of one charge, with the second charge taken into consideration. A fine of €100 was imposed. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
 
Next Retail Limited subsequently appealed the severity of the sentence. On 19 March 2014, the Circuit Court affirmed the conviction and penalty previously imposed by the District Court and it noted the appellant’s intention to discharge the Data Protection Commissioner’s reasonable costs for the appeal.
 
Airtricity Limited
In May 2013, this Office received a complaint against Airtricity Limited from a person who received an unsolicited marketing phone call on his landline telephone, which was listed on the National Directory Database opt-out register. The complainant informed us that the purpose of the marketing call was to encourage him to switch energy supplier to Airtricity.
 
In response to our investigation, Airtricity admitted that the phone call had been made by a third-party contractor acting on its behalf. It explained that the error occurred when an old PC, on which the 2009 phone book was installed, was re-commissioned by the contractor. A spreadsheet containing the complainant’s phone number was still on the old PC and this led to the number being dialled in error.
 
At Dublin District Court on 3 February 2014, Airtricity Limited pleaded guilty to one charge concerning a breach of Regulation 13(5)(b) of S.I. 336 of 2011 relating to one marketing phone call to a phone number listed on the opt-out register. The Court imposed a conviction in respect of the charge and a fine of €75. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner.
 
The Carphone Warehouse Limited
In March 2013, we received a complaint from a customer of The Carphone Warehouse Limited after he received marketing text messages from the company despite having ticked the marketing opt-out box when he had previously made a purchase in one of its stores. The company informed our investigators that a systems error resulted in the customer being incorrectly included in its marketing list.
 
In April 2013, we received a complaint from another customer of The Carphone Warehouse Limited who received regular offers by text message from the company even though he had called the company on at least three occasions, asking that it stop. The company told our investigators that its system temporarily did not recognise the customer’s preference not to receive marketing due to an internal issue within the electronic filter process and this resulted in the customer’s phone number being accidentally selected for marketing campaigns.
 
At Dublin District Court on 3 March 2014, The Carphone Warehouse Limited entered a guilty plea in respect of five charges concerning breaches of Regulations 13(1) and 13(4) of S.I. 336 of 2011. The court imposed convictions in respect of four charges, with the fifth charge taken into consideration. It imposed fines of €1,500 in respect of each conviction. The defendant agreed to cover the prosecution costs of the Data Protection Commissioner. The hearing was informed that the defendant had two previous convictions from 2012 in relation to the sending of unsolicited marketing emails.
           
Valterous Limited (trading as Therapie Clinic and/or Therapie)
A former customer of Valterous Limited (trading as Therapie Clinic and/or Therapie) complained to this Office in June 2013 after receiving an unsolicited marketing text message despite having opted out of receiving such communications over three months earlier. Therapie explained to our investigators that the complainant’s contact details were on systems in two branches and that when the opt-out request was made the company removed their details from one database and did not realise they were also on another one, thus leading to a further unsolicited text message being sent to the same contact number.
 
In July 2013, we received a complaint from another former customer of Therapie who had received marketing text messages on several occasions. The complainant informed us that she sent a text message to opt out but the company continued to send her further marketing text messages. Our investigation found no evidence that Therapie had obtained consent at any time for the sending of marketing text messages to this individual. In relation to the sending of text messages after the former customer had opted out, Therapie explained that the individual should have texted the word “STOP” rather than the word “OPTOUT” at the time of attempting to opt out of the marketing database. We did not accept this as a valid excuse as the opt-out instruction on the marketing text message sent to the individual read “OptOut:086.......”.
 
At Dublin District Court on 3 March 2014, Valterous Limited (trading as Therapie Clinic and/or Therapie) pleaded guilty in relation to three charges concerning breaches of Regulation 13(1) of S.I. 336 of 2011 concerning the sending of unsolicited marketing text messages without consent. The Court imposed convictions in respect of two charges, with the third charge taken into consideration. It imposed fines of €1,500 in respect of each conviction. The defendant agreed to pay the prosecution costs of the Data Protection Commissioner. The Court was told that in 2012 Therapie Laser Clinics Limited (trading as Therapie Clinic and/or Therapie) was convicted for two offences in relation to the sending of unsolicited marketing text messages.

Case Study 3: Excessive Data Collection by An Post

 
This Office received two complaints from members of the public concerning new requirements that were introduced in November 2013 by An Post in relation to direct-debit applications for payment of TV licence fees. A mandatory requirement was introduced to provide a recent bank statement with the direct-debit application and mandate form. An Post’s TV licence website explained that a copy of a bank statement was required to verify the bank-account details provided by the licensee for payment of their TV licence fee. It went on to state that the bank statement must show the BIC, IBAN and the full name and address of the bank-account holder. The complainants argued that requesting a copy of confidential financial information that appears on bank statements was excessive.
 
We investigated these complaints with An Post. By way of background, An Post explained that the new SEPA regulations impose significant new obligations on direct-debit originators such as An Post with the TV Licence Direct Debit Scheme. It said that the commercial risk attached to accepting direct debits is now the sole responsibility of An Post and therefore An Post has to verify the direct-debit details supplied by the customer. It stated that An Post does not have proof that the bank-account details exist, are accurate or that the account is owned by the person stated on the mandate. Accordingly, it developed its new bank-detail verification process to check the mandate details supplied, and in that new process it seeks extra documentation to verify that the bank-account details supplied by the applicant are accurate, complete and up to date. It also pointed out that it cannot process a direct-debit application without having valid BIC and IBAN numbers in respect of the account on which the direct debit is drawn. An Post indicated that, further to our correspondence, it had decided that customers who choose direct-debit payment are no longer required to submit details of their bank balances.
 
We considered the matter further and we advised An Post that applicants should either be allowed to submit a copy of only the portion of the bank statement containing the name, address, BIC and IBAN numbers or they should be allowed to blacken out all of the transaction information on any copies supplied. An Post agreed to implement our advice. It amended its TV licence direct-debit application form to include the following text: “You should ensure that financial transactions on your bank statement are fully masked or removed before you attach it to your application. All bank statements are destroyed once the first successful payment has gone through.” An Post also amended its website to reflect this change and to clarify that it does not require the balance on the bank statement to be shown. We were satisfied with the changes implemented by An Post and with the manner in which it dealt with the matter expeditiously once we had drawn it to its attention.
 
Organisations that seek copies of bank statements for purposes such as proof of current address, as a verifier of identity or for other similar purposes should bear in mind that such documents contain a range of financial information that is private to the individual to whom it relates. As a general rule, individuals must be permitted to blacken out or otherwise mask those financial details and transactions, as they are irrelevant for the purposes of address verification, etc. This case study should serve as a reminder to organisations to consider all the implications, and the potential to collect an excessive amount of personal data, in circumstances where they seek copies of bank statements from customers or clients.
 

Case Study 4: Disclosure of Employee Salary Details by the HSE

 
An employee of the Health Service Executive (HSE) complained in March 2014 concerning the alleged disclosure on two occasions of his salary details to his ex-wife. He informed us in his complaint that the matter came to his attention when his ex-wife went to court in the summer of 2013 in relation to maintenance issues, and in court she provided exact details from his payslips. In December of the same year, his ex-wife went back to court for a review of maintenance and on that occasion she produced a copy of his P60 along with his salary details for the previous four months.
 
We commenced an investigation of the matter by writing to the HSE. In response, the HSE accepted that on two separate occasions, in May 2013 and in November 2013, personal data relating to its employee was disclosed to a third party without his consent. It acknowledged that there was no legal basis for the disclosure of the personal data. It stated that it established who, within the HSE, made the first disclosure but it was not possible to establish who made the second disclosure. It explained that its payroll department had received a number of court orders directing the HSE to make maintenance payments to its employee’s ex-wife. It stated that numerous queries were raised by a firm of accountants and tax professionals called Accountax on behalf of its employee’s ex-wife. Those queries sought clarifications with regards to the payments made. It went on to state that, in relation to the first breach, a specific request was made seeking a copy of its employee’s most recent payslip showing the maintenance deductions from January 2013 to date. The HSE admitted that the requests for constant updates regarding maintenance payments ultimately resulted in the unauthorised disclosure of its employee’s personal data. The HSE accepted that in hindsight the only data that should have been released by its payroll department to its employee’s ex-wife (or to a person acting on her behalf) was a summary of payments made that related to the court orders.
 
We informed the HSE that we considered that the Data Protection Acts were breached when the personal data of its employee was disclosed to a third party without his consent. The HSE indicated that it wished to pursue an amicable resolution to the complaint and, to this end, it enclosed a letter of apology for the complainant. The data subject considered the letter of apology and he decided that he did not wish to accept it, opting instead to seek a formal decision of the Data Protection Commissioner on his complaint.
 
A decision of the Data Protection Commissioner was issued in August 2014. In his decision, the Commissioner formed the opinion that the HSE contravened Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 on two occasions by the further processing of the complainant’s personal data in a manner incompatible with the purpose for which it had been obtained. These contraventions occurred in May 2013 and in November 2013 when the HSE disclosed his personal information to a third party. Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 provides that data shall not be further processed in a manner incompatible with the purpose for which it was obtained. In this case, the HSE acknowledged that on two separate occasions the personal data was disclosed to a third party without the consent or knowledge of the data subject. Such disclosures constitute further processing of personal data.
 

Case Study 5: Excessive Data Collection by a Letting Agency

 
In July 2014, a prospective tenant complained about the collection of bank details, PPS numbers and copies of utility bills by a letting agency when applying to rent a property. The complainant stated that this information was in addition to the usual material, such as previous landlord’s reference, which one would expect to submit at application stage. She stated that she believed that if she did not supply all of the sought data up-front, her application would not be seriously considered by the letting agency. The complainant said that the practice of collecting such a broad range of personal data forces prospective tenants who are desperate to rent a property to submit this personal information at application stage even though they do not know if their application will be successful. She pointed out that the majority of applications are unsuccessful given the high demand for a limited supply of available rental properties in the Dublin area.
 
We commenced an investigation of the matter with the letting agency concerned, seeking an explanation for the collection of such a broad range of personal data at application stage. In response, the letting agency said that it requested PPS numbers from applicants because this verifies that they are entitled to work in the state, and that bank details are required to show that a tenant has a bank account because they would be ineligible if they were not able to pay rent through a bank account. We told the letting agency that we could not see any basis for collecting bank details, PPS numbers or copies of utility bills at application or property-viewing stage and we urged it to cease the practice immediately. We questioned the letting agency further about using the PPS number to verify the applicant’s work status. It replied to the effect that the main reason it requests PPS numbers is that it is required for the Private Residential Tenancies Board (PRTB) registration form and it said that it cannot register a tenant without it. It went on to say that it is only an added assurance that the applicant is working and it stated that it does not verify the PPS number.
 
We accepted that personal data concerning bank details, PPS numbers and utility bills could be requested once the applicant had been accepted as a tenant. In October 2014, the letting agency confirmed, following our investigation, that it had ceased the requesting of this personal data prior to the property being let and it undertook that it would only request this information once the tenant had been accepted. The complainant informed us that she was very satisfied with the outcome of her complaint.
 
This case study is a classic example of the temptation of some data controllers to collect a whole range of personal data in case they might need it in the future. In this case, the letting agency collected a significant amount of personal data from every applicant who expressed an interest in renting a property even though, at the end of the process, only one applicant could be accepted as the new tenant and it was only in the case of that successful applicant that the full range of personal data was required. Section 2(1)(c)(iii) places an obligation on data controllers to ensure that personal data which they process is adequate, relevant and not excessive in relation to the purpose or purposes for which it is collected or is further processed. Data controllers must be mindful of this requirement and abide by it despite the temptation, for convenience or other reasons, to embark on an unnecessarily broad data-collection exercise.
 

Case Study 6: Disclosure of Financial Information by a Credit Union

 
A member of a credit union complained in 2013 in relation to the alleged disclosure of his loan and savings information by the credit union to his daughter. By way of background, the complainant explained that he was a guarantor on a credit union loan to his daughter. He received a letter from the credit union to inform him of difficulties that his daughter was experiencing with her loan. The purpose of the letter was to call on him, as the loan guarantor, to pay the balance of monthly repayments. He outlined that the letter was addressed to him and that it contained his membership number along with his savings and loan details, including balance outstanding. Soon afterwards, his daughter called to his house with a copy of the same letter as the credit union had also sent it to her. The complainant said that he considered this disclosure of his financial information to be a gross violation of his privacy.
 
We investigated the matter with the credit union concerned. It explained that the error that led to the disclosure occurred when the letter to the guarantor was issued under the guarantor’s membership number and not under the membership number of his daughter, whose loan it referred to. It explained that the computer system automatically brings across the account details of the membership number keyed in. The credit union admitted that a member of its credit-control staff inadvertently typed the letter under the guarantor’s membership number and, as a result, his account details were printed on the letter.
 
The credit union proposed that, as a means of trying to reach an amicable resolution of the complaint, it would issue a letter of apology to the guarantor. It also carried out staff training in regard to issuing letters to members, in particular letters to guarantors, and it re-circulated its data-protection policy to all staff. The complainant considered the offer and rejected it. He sought a formal decision of the Data Protection Commissioner on his complaint.
 
In April 2014, a decision issued to the complainant. In his decision, the Commissioner formed the opinion, following the investigation of the complaint, that the credit union contravened Section 2(1)(d) of the Data Protection Acts by providing details of the complainant’s membership account to a third party by means of a letter that was copied to the third party. Section 2(1)(d) obliges data controllers, among other things, to take appropriate security measures against unauthorised disclosure of personal data.
 
This case highlights the serious consequences for the complainant concerned arising from what appeared to be an innocuous error on the part of the staff member typing a letter for the complainant on his own account rather than on the account of his daughter, to whom the subject matter of the letter related. It serves as a reminder to data controllers generally to keep data-protection awareness to the forefront, with regular staff training for those whose work involves any form of data processing.
 

Case Study 7: Complaint of Disclosure by Permanent TSB Not Upheld

 
A complaint from a customer of Permanent TSB alleged that the bank had violated the Data Protection Acts by discussing their accounts and personal details with a third party, the complainant’s tenant, thereby causing financial loss and stress.
 
We investigated the allegation with Permanent TSB. In response, the bank informed us that it had made no contact with residents in the properties concerned to discuss the mortgage account details of the complainant concerned. It further stated that all telephone calls received from the tenant concerned had been listened to and at no time did any staff member discuss the details of the mortgage account with her. As part of our investigation we sought a copy of the recordings of phone calls that took place between Permanent TSB and the tenant. We listened to the call recordings and we were satisfied that no personal data relating to the complainant was passed to the tenant during the phone calls with Permanent TSB. Instead, the tenant was repeatedly told that Permanent TSB could not discuss anything with her without the written authority of the account holder. In one instance, the tenant offered to give her contact number to Permanent TSB but she was informed that it was not required as Permanent TSB would not be contacting her. This Office’s investigation found no evidence that Permanent TSB disclosed any personal data relating to the complainant to the third party concerned.
 
In a separate aspect to the same complaint, it was alleged by the complainant that Permanent TSB had sent correspondence to a previous residential address after it had been notified of a change of address. The complainant supplied us with a copy of a letter sent by them in August 2011 notifying the bank of the new address for correspondence and we were also supplied with copies of letters sent by Permanent TSB to the previous address after that date. In response to our investigation of this matter, Permanent TSB confirmed that it had received the August 2011 letter, which notified it of the new address, but it could offer no explanation as to why its systems had not been updated at that time to reflect this. It informed us that it was not until it received a further letter in January 2012 that the system was updated. To assist with trying to resolve the complaint, the bank offered a goodwill gesture as an acknowledgement of the delay encountered and of any stress the delay may have caused, but this was rejected by the complainant.
 
The complainant sought a formal decision on the complaint. With regard to the failure to update the contact address, having been requested to do so in August 2011, the Commissioner formed the opinion that Permanent TSB contravened Section 2(1)(b) of the Data Protection Acts. This section obliges data controllers to keep personal data accurate and up to date.
 
With regard to the allegation of disclosure of the complainant’s personal data to a tenant, the Commissioner was unable to form the opinion that a contravention of the Data Protection Acts occurred in this instance.
 

Case Study 8: Patient Denied Right of Access by SouthDoc

 
We received a complaint in June 2014 from a firm of solicitors whose client had made an access request in May 2014 to the Practice Manager at South West Doctors-On-Call Limited (trading as SouthDoc) seeking a copy of his medical notes. In response to the access request, SouthDoc replied to the solicitors, stating that they are advised to contact the patient’s own GP, who holds a complete record for the patient. The solicitors wrote back to SouthDoc, pointing out that the access request was made to SouthDoc and that it was a separate request to any request their client may make to his own GP. The solicitors pointed out that SouthDoc was obliged to comply with the request. In submitting the complaint to this Office, the solicitors informed us that SouthDoc had not replied to their latest letter but had returned it to them unanswered.
 
We began an investigation by writing to SouthDoc. It responded by return post, indicating that the request for medical records had now been dealt with. Soon afterwards, the solicitors for the complainant supplied us with a copy of a letter they had received from SouthDoc stating that, further to the access request, the patient’s records had been forwarded to his own GP. The solicitors pointed out that SouthDoc had not complied with the access request as it was their client who requested the records, and it was not sufficient for SouthDoc to give them to his GP. We wrote to SouthDoc again, seeking an explanation. A few days later we received from SouthDoc a copy of a letter that it had issued to the patient’s solicitors, enclosing a copy of the patient’s medical records. We then concluded our investigation.
 
There are a number of after-hours or on-call service providers such as SouthDoc in operation in Ireland, all of which provide an essential medical service for the general public. In doing so, these service providers collect and process both personal data and sensitive personal data (data relating to the physical or mental health of the attending patient). For the purposes of data protection, it is important that patients and service providers understand that when a patient attends one of those services, they provide their personal data to an organisation (data controller) that is entirely separate to their usual GP practice. Accordingly, the records created by the service provider in respect of the patient’s attendance and treatment are new records in respect of which the service provider is the data controller. For that reason, the patient has a right to access those records directly from the service provider by making an access request for a copy of them. This right of access to the records of the service provider exists whether or not the service provider passes on details of the patient’s attendance and treatment to the patient’s GP. Furthermore, the service provider is obliged to supply a copy of the personal data directly to the requesting patient (or to the solicitor acting on his behalf, as in the above case) rather than to the patient’s own GP. (Access to medical records is subject to the provisions of S.I. 82 of 1989, which prohibits the supply of data to a patient in response to an access request if that would cause harm to his or her physical or mental health.)
 

Case Study 9: Excessive Data Collection by the Department of Agriculture

 
An individual complained to this Office about new requirements introduced by the Department of Agriculture to produce bank-account details in relation to registering premises to comply with the Diseases of Animals Act 1966–2001. He explained that horse owners are required to register the premises in which horses are kept with the Register of Horse Premises and he said he had no difficulty with that requirement. However, he objected to being asked to supply his bank-account details and he pointed out that there was no possibility of this information being needed by the Department as there were no schemes or grants that entitle horse owners to payment. He told us that he and his wife each own a horse and that both horses are kept purely for pleasure purposes. He said that he had expressed his concerns directly to the Department initially but the Department continued to insist that he submit bank details.
 
We sought an explanation from the Department of Agriculture. In its response, the Department referred to the government’s drive towards e-commerce and the fact that government departments can no longer issue payable orders. It said that payments due by the Department can only be made by way of electronic fund transfer to a bank account. Accordingly, all clients of the Department in receipt of payments are asked to supply bank details as a prerequisite for entry onto the Department’s Corporate Customer System. It said that as most of the Department’s clients are in receipt of payments or could potentially receive payments, it was decided that all new clients (applicants), including those who exceptionally might not currently qualify for payments, would be asked for their bank-account details.
 
We referred the Department to the provisions of Section 2(1)(c)(iii) of the Data Protection Acts, which places a requirement on data controllers to ensure that personal data shall be adequate, relevant and not excessive in relation to the purpose for which it is collected. We pointed out that the principle established by this provision required that personal data should be collected when required and not on the basis that it might be required at some future point. We received confirmation from the Department in February 2014 that the practice of seeking bank details in anticipation of possible future payments had ceased. We were informed that an information notice had been issued to staff, stating that customer bank details are required only where a customer will be in receipt of payments from the Department.
 
The complainant in this case raised a very valid complaint with this Office, having failed to resolve the matter directly with the Department himself. Insufficient thought appears to have been given at the outset to the concept of requiring bank details from every customer or potential customer of the Department – whether that information was needed or not. More disappointingly, however, was the fact that the Department did not review the situation and fix it after this individual drew the Department’s attention to his circumstances and the circumstances of others who keep horses for pleasure purposes – pointing out that the Department would never need to use his bank-account details as he was not an applicant for a scheme or grant. In the end, it took the intervention of this Office to persuade the Department to cease seeking excessive personal data and to comply with the principle that data collection shall be adequate, relevant and not excessive.
 

Case Study 10: Personal Data Disclosed by County Council

 
In April 2014, we received a complaint from an individual who alleged that her private email address was disclosed to third parties without her permission by Dun Laoghaire Rathdown County Council. The complainant had made a submission to the county council in respect of a local area plan. She found out about the disclosure when one of the parties to whom her email address had been disclosed made an unsolicited contact with her using her email address. She indicated that she was worried as she did not know how many people were in possession of her private email address as a result of the disclosure.
 
We commenced an investigation by writing to Dun Laoghaire Rathdown County Council. In response, the county council explained by way of background that it supplies notices, agendas and minutes of its meetings to parliamentary representatives in accordance with the Local Government Act 2001 (Section 237A) Regulations 2003.
 
It went on to state: “It has been the practice of this Authority heretofore to supply copies of all reports that issue with these agenda, as this is how the agenda issues to our councillors. In accordance with the Planning and Development Act 2000 [as amended], Section 20(3)(c)(ii), a Manager's Report for a Local Area Plan must list the persons who made submissions or observations. In all cases a list of submitters is prepared, for internal use and file, which includes necessary contact details, home address and email address. It is our standard practice, however, to remove the email addresses before circulation to councillors. The home addresses are left on as councillors wish to see who in their constituency made a submission. In this case we inadvertently included the email and home addresses with the list of submitters. This was an error on our part, and not standard practice. What has been placed on our website, however, is the list without the contact details. In order to prevent a recurrence of this, we have reminded all staff not to include the contact details of submitters in reports which are circulated to councillors or placed on the website. Additionally, although as mentioned above the list that went to councillors usually contained the submitter's address for the councillors’ information, we will not include either home address or email address in any reports issuing to councillors. In addition to the above, and to further prevent the inadvertent release of personal information, the Council will cease the practice of issuing reports with the agenda which are supplied to parliamentary representatives.”
 
The county council stated that it had issued a revised report, with all of the personal contact details removed, to all of the recipients and it asked that they delete the original version. The county council concluded by saying that in this case the information was disclosed accidentally and it said that it would endeavour to ensure that there will be no repeat of this incident by adhering to its standard procedure and by reminding all staff concerned of those procedures.
 
The complainant sought a formal decision on her complaint.
 
Section 2(1)(c)(ii) of the Data Protection Acts provides that personal data shall not be further processed in a manner incompatible with the purpose for which it was obtained. The data controller in this case, Dun Laoghaire Rathdown County Council, explained to our investigation that in accordance with the Planning and Development Act 2000, a County Manager's Report for a Local Area Plan must list the persons who made submissions or observations. The data controller further stated that in all cases a list of submitters is prepared for internal use, which includes contact details, home address and email address, and that it is its standard practice to remove the email addresses from this list before circulation to councillors. However, it was clear that in this particular instance the email addresses of the submitters were not removed from the circulation list. In making his decision, the Commissioner formed the opinion that Dun Laoghaire Rathdown County Council contravened Section 2(1)(c)(ii) of the Data Protection Acts. This contravention occurred by the further processing of the complainant’s personal data in a manner incompatible with the purpose for which it had been obtained when her email address was disclosed by Dun Laoghaire Rathdown County Council via the circulation of a report to county councillors, TDs and senators in relation to a local area plan.
 

Case Study 11: Eircom Fails to Meet Statutory Timeframe for Processing Access Request

 
A staff member of Eircom submitted a complaint to this Office in relation to the alleged failure of Eircom to comply with an access request submitted by him to the company in September 2013. In his access request, he specifically requested a copy of a particular letter that was sent on a date in February 2013 to Eircom's Chief Medical Officer.
 
We commenced the investigation of the complaint and we asked Eircom to respond to the access request without further delay. We were informed by Eircom that it had already provided the data subject with a copy of the letter that was the subject of his access request, and it subsequently provided us with a copy of its response to an access request. However, on further inspection of Eircom's response to that access request, it was unclear to us that the response was in relation to the particular access request that was the subject of the current complaint as the response issued to the data subject prior to the date of his access request. We asked Eircom to review the matter. Eventually, on 2 May 2014, we received an email from Eircom enclosing a copy of the response of that date to the data subject’s access request of 22 September 2013, supplying a copy of the document that the data subject had sought access to.
 
The complainant asked for a formal decision of the Data Protection Commissioner on his complaint. In making his decision, the Commissioner formed the opinion that Eircom Limited contravened Section 4(1)(a) of the Data Protection Acts by failing to supply the data subject with a copy of his personal data in response to his access request submitted on 22 September 2013 within the statutory period of 40 days. This contravention occurred when Eircom Limited released a copy of the data subject’s personal data to him on 2 May 2014 – which was outside the statutory period of 40 days.
 
As outlined elsewhere in this annual report, over half of the complaints received by this Office in 2014 were made by data subjects who experienced difficulties in accessing their personal data. One common theme that emerges in many of these complaints is lateness on the part of the data controller in processing the access request. The Acts lay down a period of 40 days for compliance with an access request and if this is not met, as in the case outlined above, the data controller contravenes the Data Protection Acts. The Office of the Data Protection Commissioner is very concerned about the prevalence of this particular contravention. In some instances, the data controller fails to even acknowledge receipt of the access request within the 40-day period. This means that the requester has no idea whether their access request is being dealt with or ignored. There have been many instances where the data controller has taken no action whatsoever in terms of processing the access request until this Office commences an investigation on foot of receiving a complaint from the data subject. Clearly, that is an undesirable situation. Data subjects have a statutory right to access their personal data held by a data controller by the simple means of submitting an access request, and the data controller has a statutory obligation to comply with that request within 40 days. A data subject should not have to resort to the extra step of lodging a complaint with the Office of the Data Protection Commissioner in order to have their statutory right of access enforced. Unfortunately, as the complaint statistics reveal, far too many data subjects are experiencing barriers and access-denying tactics on the part of data controllers.
 
In the above case, the data subject’s right of access was severely delayed. There is no justification for such a lengthy delay in any circumstances. Such a delay is particularly unacceptable in a situation where the requester simply sought a copy of personal data contained in one relatively recently created letter and where the data controller is a large telecommunications company that is well aware of the Data Protection Acts and receives and processes subject access requests on a regular basis. Eircom is the subject of several data-protection complaints every year across a range of issues, many of which relate to access requests. The Office of the Data Protection Commissioner expects to see a marked improvement in that company’s data-protection performance in the near future, particularly in the context of processing subject access requests in a timely manner.
 

Case Study 12: Third-Level Student Data Appeared on Third-Party Website

 

The Office received a notification from a data controller, in accordance with the Personal Data Security Breach Code of Practice. The notification alerted the Office to the fact that data relating to a large number of students had been discovered on a website that was unrelated to the data controller. The data related to the 2010 academic year.
 
The Office began an investigation of the matter. The data controller advised the investigation team that the information disclosed on the website included the name, email address and password of the student. The investigation team confirmed that there was no financial or sensitive data involved.
 
The data controller engaged an external security company to carry out its own investigation into the security breach.
 
Due to the passage of time, there were no server logs showing when or by whom the data had been uploaded to the website. However, the data controller was able to identify that the data published matched a file created for testing purposes in mid-2011. This file was then sent to a third-party service provider who was engaged in developing a management system for the data controller. The file was sent via unsecured email.
 
The third-party service provider informed the data controller that, while there was a relationship between their staff and the website on which the data was published, they had conducted a very thorough review of the matter and could find no evidence to show that the file had been posted onto the website due to an act or omission on their part.
 
Our evaluation of the information showed that the data controller, when creating student accounts, assigned a generic password to each account: the password was the student's date of birth. While students could change their passwords, they were never advised to do so.
 
While it could not be determined exactly how the data appeared on the website, it was evident that there had been a breach of the Data Protection Acts, in that appropriate security measures were not in place to prevent the unauthorised disclosure of personal data.
 
Our investigation also found that the use of live data for testing purposes was not in accordance with data-protection best practices. Where live data is being used by an organisation for testing purposes, there would have to be a strong justification for such use and we were not aware of any justification applicable in this particular case. The Office recommended that the data controller cease the use of live personal data for testing and either anonymise the data or create a fictitious data set for testing purposes.
 
The transmission of such student data via an unsecured channel is also inconsistent with the Data Protection Acts. It was found that, during the development of the management system, personal data, including passwords, was exchanged between the data controller and the service provider, using an unsecured channel. The data controller advised my Office of the fact that they now transmit such data via a secure mechanism. The Office recommended that this mechanism be brought to the attention of all staff.
 
Another issue discovered during our investigation that caused great concern was the use of a generic password. The fact that the date of birth of the student was assigned as their password meant that any individual who had access to the date of birth of another student could access the user account of that student. The Office recommended that the data controller communicate with students, advising that they change their password and that the new password be a minimum of 12 characters and include upper- and lower-case characters, numerals and special characters, such as a symbol or punctuation mark.
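As an added illustration (not part of the report or the data controller's systems), the following Python checks a constructed set of accounts against the policy recommended above, flags passwords that are, or look like, a date of birth, and shows the alternative to a DOB default: a per-account random initial password that must be changed at first login. The record layout, the students and their dates of birth are constructed for the example.

```python
"""Added example: why a date of birth is unsuitable as a default password, and
what the recommended policy checks look like. The policy encoded here is the
one the report recommends: at least 12 characters with upper-case, lower-case,
numerals and special characters. Accounts and dates of birth are constructed.
"""
import re
import secrets
import string
from datetime import date
from typing import Optional

# Shapes a student might type a date of birth in; used to spot date-shaped
# passwords even where no DOB is recorded against the account.
_DATE_PATTERNS = (
    re.compile(r"^\d{8}$"),                           # 01021995 / 19950201
    re.compile(r"^\d{6}$"),                           # 010295
    re.compile(r"^\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}$"),  # 01/02/1995
    re.compile(r"^\d{4}[/.-]\d{1,2}[/.-]\d{1,2}$"),    # 1995-02-01
)


def dob_variants(dob: date) -> set:
    """Common ways a date of birth is written down, all trivially guessable."""
    return {
        dob.strftime("%d%m%Y"), dob.strftime("%Y%m%d"), dob.strftime("%d%m%y"),
        dob.strftime("%d/%m/%Y"), dob.strftime("%d-%m-%Y"), dob.strftime("%Y-%m-%d"),
        dob.strftime("%d.%m.%Y"), dob.strftime("%m%d%Y"),
    }


def looks_like_a_date(password: str) -> bool:
    return any(p.match(password) for p in _DATE_PATTERNS)


def policy_violations(password: str, dob: Optional[date] = None) -> list:
    """Return the reasons a password fails the recommended policy (empty list = passes)."""
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        reasons.append("no upper-case letter")
    if not any(c.islower() for c in password):
        reasons.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        reasons.append("no numeral")
    if not any(c in string.punctuation for c in password):
        reasons.append("no special character")
    # The failure in the case study: the password *is* the account holder's DOB,
    # so anyone who knows the DOB can log in as that student.
    if dob is not None and password in dob_variants(dob):
        reasons.append("equals the account holder's date of birth")
    elif looks_like_a_date(password):
        reasons.append("is date-shaped (likely a date of birth)")
    return reasons


def initial_credential(length: int = 16) -> str:
    """A random per-account initial password, to be changed at first login.
    Unlike a DOB default it is unguessable and satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


def audit_accounts(accounts) -> dict:
    """Return {email: reasons} for every account whose password fails the policy."""
    findings = {}
    for account in accounts:
        reasons = policy_violations(account["password"], account.get("dob"))
        if reasons:
            findings[account["email"]] = reasons
    return findings


# Constructed sample: the first two accounts mirror the DOB-as-password scheme.
SAMPLE_ACCOUNTS = [
    {"email": "student1@example.edu", "dob": date(1995, 2, 1), "password": "01021995"},
    {"email": "student2@example.edu", "dob": date(1994, 11, 30), "password": "30/11/1994"},
    {"email": "student3@example.edu", "dob": date(1993, 6, 15), "password": "Correct-Horse-42!"},
]

if __name__ == "__main__":
    for email, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(email, "->", "; ".join(reasons))
    print("replacement initial credential:", initial_credential())
```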
 

Case Study 13: Data Controller Discloses Personal Data to Business Partner

 

The Office received notification from a data controller advising that an email had been issued to a business partner which included personal data that should not have been disclosed.
 
The data controller advised the Office that it had entered into a business agreement with a third-party company to provide anonymised data to allow for a feasibility assessment of a proposed business venture. An email was issued to the third-party company which included the names of individuals in addition to the agreed anonymised data. This allowed for the third-party company to identify the individuals involved.
 
The data controller, in notifying this Office, stated that the third-party company had provided assurances that the data had been deleted.
 
The Office commenced an investigation of a data-security breach, under Section 10 of the Data Protection Acts.
 
Given the nature of the data involved and additional information received by a third party, this Office decided to visit the premises of the third-party business partner to satisfy ourselves that the data had been deleted and not further processed.
 
An investigation team, using our powers under Section 24 of the Data Protection Acts, arrived unannounced at the premises of the business partner. The team obtained documents in relation to the business agreement; these showed that only anonymised data had been sought. The team also obtained reports that had been created on foot of the receipt of the personal data. It was evident from these reports that, while personal data was available to the third party, it had not been used in the preparation of the reports and had no impact on the reports.
 
The team then examined the computer systems of the company and discovered several instances of the email it had received which contained the personal data.
 
The Commissioner felt it appropriate to issue an Enforcement Notice to the third-party company, requiring them to engage an external IT security company to delete any and all copies of the personal data it had received. The IT security company was to provide my Office with a report on the completion of the work. This report was duly received and this Office was satisfied that all copies of the personal data had been securely deleted.
 
The investigation found that personal data had been disclosed without consent or a legal basis. The investigation also noted that non-business related email accounts had been used by members of staff of the data controller in the conduct of business matters. The data controller was advised to prevent the use of non-business email accounts as the data controller could not control any data that would be transmitted through these non-business accounts.
 

Case Study 14: Employee of Financial Institution Resigns Taking Customer Personal Data

The Office received a notification from a data controller, in accordance with the Personal Data Security Breach Code of Practice. The notification stated that an employee had tendered their resignation and the data controller then discovered that the employee had emailed a spreadsheet to their personal email account prior to their resignation. The spreadsheet contained details of customers, including their employment details, salaries, contact details and medical consultant.
 
The data controller provided the name and home address of the employee.
 
The Office was also contacted by the umbrella organisation of the data controller seeking assistance on how to advise their member.
 
The Office verified, through the Companies Registration Office, that a business was operating from the home address of the employee. We then contacted the employee on the basis that they were now operating as a data controller in their own right. We sought clarification from the employee as to the consent they had to process any personal data they obtained from their previous employment.
 
The employee advised the Office that, as part of their employment, they were asked to use their own laptop and personal phone for all business dealings. The employee also advised that they had not yet started canvassing for clients. The employee also confirmed that they had deleted all the personal data they held in relation to their previous employment.
 
We also engaged with the data controller who had made the notification in relation to the security procedures that were in place to protect customer data in its possession. The Office noted that the employment contract contained appropriate data-protection clauses. However, of concern was the fact that employees were using their own equipment for business purposes. In such circumstances, the data controller has little or no control over that data held on personal equipment.
 
The data controller introduced further procedures and policies on foot of the issue to prevent a repeat of this type of incident, including the introduction of software to password protect any data records being emailed. Furthermore, all employees must sign an undertaking on termination of employment that all data has been returned and will not be further processed.
 

Case Study 15: Theft of Unencrypted Laptop

 
The Office received a data-security breach notification during the year from a medical professional relating to a stolen laptop.
 
The notification advised that the laptop was password protected, but not encrypted. The notification also advised that the data stored on the laptop related to a medical study that was undertaken in 2009 and included audio files of interviews carried out with the study subjects which contained limited information. It was determined that a file listing the subjects of the study contained an ID number rather than the name of the individual. However, a further file that correlated the ID number with the subject name was also stored on the laptop. This file was also password protected.
 
It was noted that, before the study began, approval was obtained from the relevant Ethics Committee that covered the storage of data.
 
This Office advised the data controller of our guidance in relation to the notification of the affected individuals. In this particular case, the data controller advised the Office that it was of the view that notification to affected individuals would cause more distress than help to the affected individuals. This view was offered by the relevant medical professional overseeing the project. This Office must note the opinion of a medical professional who has a professional relationship with the affected individuals. We assume this decision is taken weighing the potential effects of an unauthorised disclosure of this data against the potential distress of the individual being notified of the security breach.
 
The Office, however, noted that laptops are now being encrypted. This case highlights the fact that data-protection considerations need to be constantly monitored. What may have been an acceptable standard five years previously may not be acceptable now, and security arrangements must be periodically reviewed.
 

Case Study 16: Compromise of Adobe Network

Adobe Systems Software Ireland Ltd notified this Office in October 2013, in accordance with the Personal Data Security Breach Code of Practice, of a data-security breach regarding an unauthorised access to their systems. Personal data was compromised and the attacker also took Adobe software source-code elements.
 
Two data controllers were affected: Adobe US and Adobe Systems Software Ireland Ltd (Adobe Irl). We engaged in a coordinated investigation with the Office of the Privacy Commissioner of Canada and we were joined in our investigation by the Office of the Australian Information Commissioner.
 
Nature of Data Compromised
Adobe Irl created three classifications of individuals affected:
 
• Payment-card users, i.e. those whose encrypted payment-card numbers were accessed during the breach. The data involved was encrypted payment-card data – approximately 3.65 million payment cards (1 million controlled by Adobe Irl) relating to approximately 3.1 million individuals.

• Active users, i.e. those who had logged in to Adobe systems at least once in the two years prior to the discovery of the breach. The data involved was: email address and current encrypted password – 41 million (reduces to 33 million, as 8 million email notifications were undeliverable) (20.5 million controlled by Adobe Irl).

• Non-active users, i.e. those who had not logged in to Adobe in the two years prior to the discovery of the breach. The data involved was: email address and current encrypted password – 71 million (reduces to 46.5 million due to 25 million email notifications undeliverable) (28.5 million controlled by Adobe Irl).
 
How the Breach Occurred
The attack was a sophisticated and sustained intrusion of Adobe’s computer systems. Attackers identified and removed data from a backup server that stored the compromised data described above. Adobe states it has no evidence to show that unencrypted card details were taken. Forensic consultants engaged by Adobe supported this conclusion.
 
When Adobe learned of the security breach, they began an investigation of the cause of the issue and also initiated a series of measures including the following:
 
• Disconnected the impacted database server from the network
• Blacklisted IP addresses from which the attacker accessed their systems
• Reset passwords for all potentially affected users (including active and non-active)
• Changed passwords for relevant administrator accounts
• Notified the banks processing customer payments for Adobe, so they could work to protect customers’ accounts
• Reported the breach to law-enforcement authorities
• Employed a third-party company to conduct an investigation of the cause of the security breach of its systems and to identify what data may have been compromised
• Took actions to reduce the risks related to the theft of certain source-code elements
• Issued notifications to affected individuals, beginning on 3 October 2013, which alerted customers to the security breach
 
Passwords
At risk: The attacker posted some of the exfiltrated data on a website, including the email address and encrypted password of certain Adobe users. A number of research articles have demonstrated that some passwords have been deciphered by reference to password hints and repeated passwords (i.e. the same password used by more than one user). One article highlighted an organisation that had checked the compromised usernames and deciphered passwords against its own platform and found that a significant number of these credentials would have worked on its own platform. The organisation contacted some of its affected users, alerting them to the issue, and also confirmed the scenario to this Office. At issue here is that, while Adobe enforced a password change on its own site and advised users to change their passwords elsewhere, it is evident that not all users followed such advice.
 
Hints: Part of the data exfiltrated by the attacker was the password hints of a small percentage of users. These hints were stored in clear text and associated with the username (email address). This information, combined with an analysis of the encrypted passwords, allows certain simple passwords to be identified. However, as previously noted, Adobe reset the passwords for all impacted users.
 
Storage: The Office queried why passwords were stored in one system in an encrypted manner rather than hashed and salted. Encrypted passwords can be decrypted, which would allow a data controller, or an attacker who gained access to the key, to see the passwords of users. Adobe stated that it had in fact been hashing and salting passwords within a new system for a number of years prior to the discovery of the security breach, but had decided to also keep the database in the old system as a backup measure in case of issues with the new system. Passwords in the old system’s database had been encrypted.
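The two storage approaches contrasted above, as an added illustration that is not part of the case study and does not describe the cipher Adobe used: a reversible, unsalted scheme (here a constructed keyed-keystream XOR standing in for "encrypted") lets anyone holding the key recover the password and gives identical stored values to users who share a password, which is exactly what allowed the repeated-password analysis described earlier; a salted, one-way scheme (PBKDF2-HMAC-SHA256 from the Python standard library) gives each user a distinct value and can only be verified, not reversed. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

# --- Reversible, unsalted storage (constructed stand-in for an "encrypted" store) ---
# A keyed keystream XOR: deterministic (same password -> same stored value) and
# reversible by anyone who holds the key. Illustration only; not Adobe's scheme.

def _keystream(key: bytes, length: int) -> bytes:
    """Derive a deterministic keystream of the requested length from the key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_reversible(key: bytes, password: str) -> bytes:
    """Store a password reversibly: no salt, so equal passwords encrypt identically."""
    pw = password.encode()
    return bytes(a ^ b for a, b in zip(pw, _keystream(key, len(pw))))


def decrypt_reversible(key: bytes, ciphertext: bytes) -> str:
    """Anyone with the key (data controller or attacker) gets the plaintext back."""
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()


# --- Salted, one-way storage (the hashed-and-salted approach) ---
ITERATIONS = 200_000  # assumed work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_groups(store: Dict[str, object]) -> List[List[str]]:
    """Group users whose stored credential values are byte-for-byte identical.

    With an unsalted store this reveals which users share a password without
    any decryption; with a salted store no such groups appear.
    """
    by_value = defaultdict(list)
    for user, value in store.items():
        by_value[value].append(user)
    return [users for users in by_value.values() if len(users) > 1]


# Constructed sample accounts: two users happen to share the same weak password.
USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "123456",
    "carol@example.com": "correct horse battery",
}


def compare_stores(key: bytes):
    """Return (duplicate groups in the reversible store, duplicate groups in the hashed store)."""
    reversible = {u: encrypt_reversible(key, p) for u, p in USERS.items()}
    hashed = {u: hash_password(p) for u, p in USERS.items()}
    return duplicate_groups(reversible), duplicate_groups(hashed)


if __name__ == "__main__":
    key = b"example-key-kept-on-the-server"
    rev_dups, hash_dups = compare_stores(key)
    print("shared passwords visible in reversible store:", rev_dups)
    print("shared passwords visible in hashed store:", hash_dups)
```

Running the module shows the reversible store exposing alice and bob as a group sharing a password, while the salted store exposes nothing; verifying a login against the hashed record needs only `verify_password`, and there is no function that could hand the plaintext back to an operator or an intruder.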
 
Retention of Card Data with Customer Records
Customers who used payment cards to purchase Adobe products or services had their card details (encrypted) stored with the customer account within one particular system. Card numbers have now been replaced with a token system. This process began prior to the discovery of the security breach and was completed shortly thereafter. The token, which is encrypted, represents the payment-card number within the customer record, and Adobe’s systems transmit the encrypted token to a third-party service provider, whose systems are located outside Adobe’s network, for payment processing.
 
Notifications to Affected Individuals
Adobe provided the Office with a list of when they notified each class of affected individuals and the relevant notification. In addition, Adobe publicly announced the 2013 breach in posts on its website, which included discussion of the theft of source code. The various notifications did advise individuals to monitor their credit-card statements and change their password if it was used on another site.
 
When we queried why notifications were not issued to those individuals whose compromised data consisted only of contact details and did not include password or payment-card data, Adobe replied that it believed notice in this scenario would lead to over-notification and notification fatigue, and that there is not a significant risk of harm from a compromise of this type of data element. The Code of Practice recommends that affected users are notified, so that each affected individual can consider the consequences for themselves and take appropriate measures.
 
This Office would expect that if a similar incident were to occur in the future, Adobe, or any other data controller, would automatically include all individuals for whom personal data had been compromised in its notification process.
 
Conclusion and Findings
Adobe fully cooperated with our investigation of the security breach reported to us on 2 October 2013. Adobe took appropriate action on discovery of the attack to prevent further access to their systems as required under Section 2(1)(d) of the Data Protection Acts 1988 and 2003. It also enforced a password change for its users to protect against unauthorised access to account data. Adobe’s quick reaction on learning of the security breach prevented the attacker from exfiltrating unencrypted payment-card details.
 
Adobe’s transition from the use of encrypted passwords in the old system to the use of hashed and salted passwords in the new system could have been achieved more effectively and expeditiously than was the case. Of concern to those users who provided password hints is that Adobe stored these hints in plain text rather than in an encrypted format, and some of them have been compromised.
 
This Office is cognisant of the fact that data controllers such as Adobe will always be a target for attackers and new attack methods are constantly being devised.
 
This Office found that Adobe was in breach of Section 2(1)(d) of the Acts by failing to have in place appropriate security measures to protect the data under its control, despite its documented security programme. It was also recommended that Adobe engage a third party to carry out an independent review of its systems.
 
Adobe has since put in place substantial improvements in its security protocols, practices and procedures, and this Office is satisfied that it now has appropriate procedures in place to minimise the possibility of a similar security breach in the future.