Case Study 3: Data Controller’s failure to comply with Data Subject Access Request
We represented a client whose insurance company refused to pay out on foot of his policy on the
basis that he had not disclosed certain information on his policy form. We sought a Data Subject
Access Request to take up a copy of the insurance policy. Pursuant to the Data Protection Acts
1988 and 2003 data controllers are obliged to comply with such a request within a forty day time
limit. If they fail to comply they are in breach of the Acts. The insurance company in this case did
not furnish the requested policy for some 22 months. They were found to be in breach of the Acts
and were directed to pay compensation to our client.
We had submitted a written access request on the 8th November 2012 with the requisite fee of
€6.35. We received correspondence from Dublin Bus on the 21st December 2012 and a letter on
the 3rd January 2013 which returned our cheque to the value of €6.35 being the fee payable in
respect of the access request.
Dublin Bus tried to argue that Justice Hedigan in Dublin Bus v. The Data Protection
Commissioner had held that the Plaintiff was entitled only to images of himself. We advised that at all times
we were only looking for images of our client. Dublin Bus then purported to charge a fee of
€94.99 in order to produce the required DVD. We contacted the Office of the Data Protection
Commissioner and informed them that we were of the view that Dublin Bus were in breach of the
Data Protection Acts and we requested a decision in this respect.
The Data Protection Commissioner formed the view that Dublin Bus had failed to supply our
client with a copy of the CCTV footage containing the image within the statutory period of 40
days and that Dublin Bus contravened the Data Protection Acts 1988 and 2003 and in particular
Section 4 (1) (a) by not providing a copy of the relevant personal data (CCTV footage) within the
time limit specified in his access request dated the 8th November 2012.
Case Study 5: Security of Data
In or about 2012 we were contacted by a client who instructed us that her previous solicitor had
not kept the file containing sensitive medical reports in relation to her daughter, safe and secure.
The client had lodged a complaint with the Data Protection Commissioner and an investigation
was carried out and a decision issued under Section 10 of the Data Protection Act 1988 and
2003.
The decision following an investigation found that our client’s former Solicitor had contravened
the Data Protection Acts 1988 and 2003 pursuant to Section 2(c) (iii) by failing to have a contract
in place with the Data Processor to ensure that it carried out the data processing only on and
subject to the instructions of the Data Controller and that the Data Processor complied with the
obligations equivalent to those on the Data Controller by Section 2 (i) (d) of the Data Protection
Acts 1988 and 2003.
We were instructed by the client and advised her in respect of her data protection rights. We
engaged with the solicitor who had breached the Data Protection Acts and we reached an
amicable resolution.
We advised our client that a breach of the Data Protection Acts 1988 and 2003 had occurred and
we lodged a complaint with the Data Protection Commissioner.
Following the investigation of our client’s complaint and having requested a decision pursuant to
Section 10 of the Data Protection Acts 1988 and 2003 the Data Protection Commissioner found
that our client’s G.P. had contravened the Data Protection Acts 1988 and 2003 pursuant to
Section 2 (1)(c)(ii) by further processing our client’s sensitive personal data in the form of medical
records unrelated to her knee injury.
This firm issued proceedings pursuant to Section 7 of the Data Protection Acts 1988 and 2003
seeking damages on behalf of the client and this matter is currently pending before the Courts. A
hearing date had been allocated for the case in late 2014 but was subsequently vacated. It is
listed for hearing in February 2015.
The following day our client took the printout of these emails to her employer and asked for an
explanation. No explanation was forthcoming and later that day our client received a call and was
informed that she should stay away from work until such time as the Board of Management had
time to discuss her matter. Our firm corresponded with her employer and her employer’s
solicitors in the hope of resolving the matter to no avail. We then forwarded the matter to The
Data Protection Commissioner for his assistance as we believed there was a very fundamental
and serious breach of The Data Protection Act under a number of headings.
The matter was reported to the Office of the Data Protection Commissioner and we can advise
that the matter subsequently settled between the parties before a decision could be made by the
Commissioner.
An amicable resolution was reached between the respective parties in relation to the outcome of
this case.
A complaint was made to the Office of the Data Protection Commissioner and an investigation
was carried out. It became clear that the former wife of our client, a departmental employee, had
inappropriately accessed his details. In the course of the investigation it became apparent that
there were 12 instances of unauthorised access into the client’s records between February 2004
and July 2009 by a member of staff who did not have a legitimate reason to do so.
The Commissioner’s decision was that the Complainant’s personal data was further processed by the
Department of Social Protection in contravention of Section 2 (1)(c)(ii) of the Data Protection Acts
1988 and 2003 on 12 separate occasions.
This matter is currently awaiting a hearing date before the Court which is expected to be in the
early part of 2015.
On or about the 5th day of April 2012 the client again rang the Data Controller to say the supply
had not been provided and the Defendant made no effort to contact the client to explain the
delay. After several further phone calls the Data Controller informed the client of the loss of her
sensitive personal information. The client attempted to resolve the matter but the Data Controller
would not engage in any proper or meaningful talks to resolve the issue and in fact the Data
Controller informed the client that her sensitive personal data had been found but once the client
asked to see a copy of the Customer Agreement Form she was in fact told that it had not been
shredded.
The client contacted the Data Protection Commissioner on or about the 4th May 2012 and a
decision was issued in 2012. The Data Protection Commissioner’s Office found that the Service
Provider contravened the Data Protection Acts 1988 and 2003 having contravened Section 2
(1)(d) of the Data Protection Acts by failing to take appropriate security measures against the
unauthorized destruction or loss of our client’s data.
We entered into negotiations with the service provider and an amicable resolution was reached.
There was a possible threat of a prosecution in relation to a possible breach of SI 336 of 2011
Acts 1988 and 2003 of the Communities (Electronic Communications Networking Services)
(Privacy and Electronic Communications) Regulations 2011.
We and the client engaged with the Office of the Data Protection Commissioner to reach an
amicable resolution to this matter.
Despite this, the credit union did not amend their records and attended at his parents’ house and
thereafter discussed his financial affairs with his father. Our client was outraged at the breach of
his data protection rights and this matter is currently the subject of a complaint before the Data
Protection Commissioner’s Office.
We advised our client to make a complaint to the Data Protection Commissioner and the Data
Protection Commissioner commenced an investigation in April 2014. Due to the data breach our
client’s ex-wife was in a position to attend Court and provide exact details pertaining to our client
which she should not have had. It was acknowledged in the course of the investigation by the
Data Protection Commissioner that the HSE had provided a copy of our client’s sensitive
personal data to a third party and our client subsequently asked the Data Protection
Commissioner to issue a formal decision under Section 10 of the Data Protection Acts 1988 and
2003.
The Data Protection Commissioner formed the opinion that the HSE contravened the Data
Protection Acts 1988 and 2003 pursuant to Section 2 (1) (c)(ii) by further processing our client’s
personal data in a manner incompatible with the purpose for which it had been obtained.
These contraventions occurred on two separate occasions in May 2013 and November 2013
when the HSE disclosed our client’s personal information to the third party. This matter is
currently the subject of litigation.
They were instructed in January 2011 and we came on record in December 2012. Having made
a formal complaint about the initial incident to the Office of Data Protection Commissioner, a
decision was subsequently granted by the ODPC to reflect that the pharmacy contravened the
Data Protection Acts 1988 and 2003 pursuant to Section 2 (1) (c) (ii) by disclosing her personal data to
a third party without her knowledge or consent. The contravention occurred when recognizable
images of our client captured by the CCTV system in the pharmacy were disclosed to her former
husband in or about late 2010.
We attempted to resolve the matter amicably with the pharmacy concerned but no agreement
could be reached and proceedings subsequently issued. The matter came before the Circuit
Court in November 2012 and after a half day hearing the case settled and the woman secured
damages pursuant to Section 7 of the Data Protection Acts.