Irish Data Protection Commission Case Studies
URL: http://www.bailii.org/ie/cases/IEDPC/2008/19.html
Cite as: [2008] IEDPC 19
Personal data is disclosed in a letter [2008] IEDPC 19 (31 December 2008)
My Office received a complaint in February 2008 from a data subject stating that a letter containing personal information about him was disclosed by a public authority to a third party without his consent. The data subject was involved in a tenancy dispute with his landlord resulting in the matter being referred to a mediation body. A representative of the public authority was unable to attend a subsequent hearing at the mediation body and instead wrote to the solicitor acting for the data subject's landlord, outlining the position regarding the data subject's rent supplement entitlements. The representative of the public authority included a statement in the letter regarding, as he viewed them, malicious letters between the data subject and his office. This information was not related to the tenancy issue and the basis for its inclusion in this letter was not clear to my Office.
My Office contacted the public authority about this case and pointed out its obligations under the Data Protection Acts, 1988 & 2003. The public authority responded with a contention that the disclosure was proportionate. My Office did not accept this position given the nature of the dispute before the mediation body and the lack of any clear link between that dispute and the nature of the customer relationship between the data subject and the public authority. The processing of this personal information took place without the consent of the data subject. It was clearly unnecessary for the purposes of the legitimate interests pursued by the public authority and it did not meet any of the other requirements of section 2A of the Acts. Accordingly, we informed the public authority that we considered that the disclosure of this personal information was a contravention of the Acts.
To try to reach an amicable resolution of this complaint, my Office proposed that the representative of the public authority should issue an amended version of the letter which would omit the statement referring to the nature of communications between the public authority and the data subject. We proposed that this amended letter should be issued to the solicitor concerned with a request that he should replace the original letter with the amended version. In addition, we asked the public authority to write to the mediation body to request it to replace the original letter with the amended version. The data controller agreed to this course of action and the matter was concluded satisfactorily. All data controllers need to be very careful to ensure that only strictly relevant personal data is disclosed when it is necessary to discuss customers/patients with external parties.