Case studies: Data Protection
Case Study 1: Lost file by Data Processor
We represented a client whose file was lost by their former solicitor. The file contained sensitive medical documents relating to their daughter’s illness, which was caused by medical negligence. The loss of the file had implications for a case the client had sought to take in relation to the medical negligence. The client was distressed by the loss of the file, in particular as it contained such sensitive information. We negotiated with the solicitor’s firm to quantify a figure which would adequately compensate them for the loss. Our client received a substantial settlement for breach of her data protection rights.
Case Study 2: Inappropriate use of Personal Data
We represented a client who disclosed personal information to a company with a view to availing of their services. Her information was subsequently lost and she was mistreated by the company in that they disregarded her concerns and refused to engage with her in relation to the lost data. The data included her name, address, phone number and bank details and the loss of same caused her much stress and anxiety. We negotiated on her behalf and she received a substantial settlement to reflect the loss suffered together with the distress and worry.
Case Study 3: Data Controller’s failure to comply with Data Subject Access Request
We represented a client whose insurance company refused to pay out on foot of his policy on the basis that he had not disclosed certain information on his policy form. We sought a Data Subject Access Request to take up a copy of the insurance policy. Pursuant to the Data Protection Acts 1988 and 2003, data controllers are obliged to comply with such a request within a forty-day time limit. If they fail to comply they are in breach of the Acts. The insurance company in this case did not furnish the requested policy for some 22 months. They were found to be in breach of the Acts and were directed to pay compensation to our client.
Case Study 4: Right of Access
Our client approached us in February 2013 in relation to a complaint that he had against Dublin Bus. Dublin Bus failed to comply with a written access request that our client had submitted to the Data Controller by letter dated the 8th November 2012.
The access request sought, among other things, a copy of all CCTV footage of an incident involving our client which occurred in February 2012 on the No. 16 bus.
We had submitted a written access request on the 8th November 2012 with the requisite fee of €6.35. We received correspondence from Dublin Bus on the 21st December 2012 and a letter on the 3rd January 2013 which returned our cheque to the value of €6.35 being the fee payable in respect of the access request.
Dublin Bus tried to argue, relying on Justice Hedigan in Dublin Bus v. The Data Protection Commissioner, that the Plaintiff was entitled only to images of himself. We advised that at all times we were only looking for images of our client. Dublin Bus then purported to charge a fee of €94.99 in order to produce the required DVD. We contacted the Office of the Data Protection Commissioner and informed them that we were of the view that Dublin Bus were in breach of the Data Protection Acts and we requested a decision in this respect.
The Data Protection Commissioner formed the view that Dublin Bus had failed to supply our client with a copy of the CCTV footage containing the image within the statutory period of 40 days and that Dublin Bus contravened the Data Protection Acts 1988 and 2003, and in particular Section 4 (1) (a), by not providing a copy of the relevant personal data (CCTV footage) within the time limit specified in his access request dated the 8th November 2012.
Case Study 5: Security of Data
In or about 2012 we were contacted by a client who instructed us that her previous solicitor had not kept the file containing sensitive medical reports in relation to her daughter safe and secure.
The client had lodged a complaint with the Data Protection Commissioner and an investigation was carried out and a decision issued under Section 10 of the Data Protection Acts 1988 and 2003.
The decision following an investigation found that our client’s former Solicitor had contravened the Data Protection Acts 1988 and 2003 pursuant to Section 2(c) (iii) by failing to have a contract in place with the Data Processor to ensure that it carried out the data processing only on and subject to the instructions of the Data Controller and that the Data Processor complied with the obligations equivalent to those imposed on the Data Controller by Section 2 (i) (d) of the Data Protection Acts 1988 and 2003.
We were instructed by the client and advised her in respect of her data protection rights. We engaged with the solicitor who had breached the Data Protection Acts and we reached an amicable resolution.
Case Study 6: Disclosure
We were instructed by a client in July 2012 concerning an allegation that her personal medical information held by her General Practitioner was disclosed to a third party. The third party was an insurance company that sought information pertaining to our client’s knee injury and had a consent form signed by her to allow her G.P. to release any “relevant medical information”. The G.P. concerned furnished a full copy of her file to the third party concerned and disclosed other sensitive medical information, none of which were related to the knee injury.
We advised our client that a breach of the Data Protection Acts 1988 and 2003 had occurred and we lodged a complaint with the Data Protection Commissioner.
Following the investigation of our client’s complaint and having requested a decision pursuant to Section 10 of the Data Protection Acts 1988 and 2003 the Data Protection Commissioner found that our client’s G.P. had contravened the Data Protection Acts 1988 and 2003 pursuant to Section 2 (1)(c)(ii) by further processing our client’s sensitive personal data in the form of medical records unrelated to her knee injury.
This firm issued proceedings pursuant to Section 7 of the Data Protection Acts 1988 and 2003 seeking damages on behalf of the client and this matter is currently pending before the Courts. A hearing date had been allocated for the case in late 2014 but was subsequently vacated. It is listed for hearing in February 2015.
Case Study 7: Improper Processing
In or about October 2008 a client contacted the firm regarding a complaint in relation to her employer having read her emails and having printed out emails from her personal email account (her Yahoo account). She had been employed in her position for the previous eight years and, on attending at the building at 3 a.m. due to an alarm activation, a possible break-in, she discovered a print-out from her personal email account on her employer’s desk. Other emails were also printed out from our client’s work computer. Our client did not print out those emails herself and it was therefore clear to her that her employer had accessed her personal email account.
The following day our client took the printout of these emails to her employer and asked for an explanation. No explanation was forthcoming and later that day our client received a call and was informed that she should stay away from work until such time as the Board of Management had time to discuss her matter. Our firm corresponded with her employer and her employer’s solicitors in the hope of resolving the matter to no avail. We then forwarded the matter to The Data Protection Commissioner for his assistance as we believed there was a very fundamental and serious breach of The Data Protection Act under a number of headings.
The matter was reported to the Office of the Data Protection Commissioner and we can advise that the matter subsequently settled between the parties before a decision could be made by the Commissioner.
An amicable resolution was reached between the respective parties in relation to the outcome of this case.
Case Study 8: Further Processing
We received a complaint from our client in May 2012 that his PPS number had been used by an operative within the Department of Social Protection. The operative concerned was his former wife and he was very concerned as to why she was accessing his private personal information.
A complaint was made to the Office of the Data Protection Commissioner and an investigation was carried out. It became clear that the former wife of our client, a departmental employee, had inappropriately accessed his details. In the course of the investigation it became apparent that there were 12 instances of unauthorised access into the client’s records between February 2004 and July 2009 by a member of staff who did not have a legitimate reason to do so.
The Commissioner’s decision was that the Complainant’s personal data was further processed by the Department of Social Protection in contravention of Section 2 (1)(c)(ii) of the Data Protection Acts 1988 and 2003 on 12 separate occasions.
This matter is currently awaiting a hearing date before the Court which is expected to be in the early part of 2015.
Case Study 9: Retention
Our client approached us in April 2012. She was approached by a service provider in an unsolicited sales call to her home on or about the 8th March 2012. The Agent made a sales presentation and the client accepted the Agent’s offer of a domestic supply from the Data Controller. The contract was concluded when the client completed a Customer Agreement Form; the Agent helped the client to complete this form and the client provided sensitive personal information. This included name, address, phone number, gas meter reading details and bank account details. The client was also asked to provide her name and address, bank account number and sort code, and the client signed a form. On or about the 27th March 2012 the client rang the Data Controller as the supply had not been provided. The Data Controller informed the client that there was a backlog of applications and that the order would be processed as soon as possible.
On or about the 5th day of April 2012 the client again rang the Data Controller to say the supply had not been provided, and the Defendant made no effort to contact the client to explain the delay. After several further phone calls the Data Controller informed the client of the loss of her sensitive personal information. The client attempted to resolve the matter but the Data Controller would not engage in any proper or meaningful talks to resolve the issue. The Data Controller in fact informed the client that her sensitive personal data had been found, but once the client asked to see a copy of the Customer Agreement Form she was in fact told that it had not been shredded.
The client contacted the Data Protection Commissioner on or about the 4th May 2012 and a decision was issued in 2012. The Data Protection Commissioner’s Office found that the Service Provider contravened Section 2 (1)(d) of the Data Protection Acts 1988 and 2003 by failing to take appropriate security measures against the unauthorized destruction or loss of our client’s data.
We entered into negotiations with the service provider and an amicable resolution was reached.
Case Study 10: Direct Marketing
In or about 2013 we received a call from a telecommunications company which had a concern in relation to a possible prosecution for marketing offences.
There was a possible threat of a prosecution in relation to a possible breach of SI 336 of 2011 (the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011) and the Data Protection Acts 1988 and 2003.
Together with the client, we engaged with the Office of the Data Protection Commissioner to reach an amicable resolution to this matter.
Case Study 11: Accurate and Up to Date
I was contacted by a client who felt that a credit union had not updated his records. He advised that he had previously advised the credit union of his change of address and change of his contact details.
Despite this, the credit union did not amend their records and attended at his parents’ house and thereafter discussed his financial affairs with his father. Our client was outraged at the breach of his data protection rights and this matter is currently the subject of a complaint before the Data Protection Commissioner’s Office.
Case Study 12: Medical Data
We were approached by a client in early 2014 who was a doctor. He advised that he was of the view that the HSE had furnished inappropriate sensitive data pertaining to him to his former wife.
We advised our client to make a complaint to the Data Protection Commissioner and the Data Protection Commissioner commenced an investigation in April 2014. Due to the data breach our client’s ex-wife was in a position to attend Court and provide exact details pertaining to our client which she should not have had. It was acknowledged in the course of the investigation by the Data Protection Commissioner that the HSE had provided a copy of our client’s sensitive personal data to a third party and our client subsequently sought the Data Protection Commissioner to issue a formal decision under Section 10 of the Data Protection Acts 1988 and 2003.
The Data Protection Commissioner formed the opinion that the HSE contravened the Data Protection Acts 1988 and 2003 pursuant to Section 2 (1) (c)(ii) by further processing our client’s personal data in a manner incompatible with the purpose for which it had been obtained.
These contraventions occurred on two separate occasions in May 2013 and November 2013 when the HSE disclosed our client’s personal information to the third party. This matter is currently the subject of litigation.
Case Study 13: CCTV
On or about the 7th December 2012 we were approached by a client who believed that her data protection rights may have been breached by virtue of the fact that CCTV footage of her purchasing a pregnancy kit in a pharmacy was disclosed to her husband. The incident complained of arose in or about late 2010 but the Solicitors instructed by the client did not have the necessary expertise in data protection.
They were instructed in January 2011 and we came on record in December 2012. Having made a formal complaint about the initial incident to the Office of the Data Protection Commissioner, a decision was subsequently granted by the ODPC to reflect that the pharmacy contravened the Data Protection Acts 1988 and 2003 pursuant to Section 2 (1) (c) (ii) by disclosing her personal data to a third party without her knowledge or consent. The contravention occurred when recognizable images of our client captured by the CCTV system in the pharmacy were disclosed to her former husband in or about late 2010.
We attempted to resolve the matter amicably with the pharmacy concerned but no agreement could be reached and proceedings subsequently issued. The matter came before the Circuit Court in November 2012 and after a half day hearing the case settled and the woman secured damages pursuant to Section 7 of the Data Protection Acts.