Irish Data Protection Commission Case Studies
URL: http://www.bailii.org/ie/cases/IEDPC/2008/6.html
Cite as: [2008] IEDPC 6
Legal powers used to ensure compliance with an access request [2008] IEDPC 6 (31 December 2008)
In December 2007 I received a complaint from a data subject regarding a refusal by X.X. to comply with his access request. One day after the submission of his access request, X.X. informed the data subject in an email that it was not prepared to give him access to records related to his membership. However, it did not claim any of the limited exemptions to the right of access under the Data Protection Acts. Where a data controller refuses to comply with an access request it must notify the data subject and explain the reasons for refusal in accordance with the exemptions in the Acts. The data controller must also inform the data subject that they may complain to the Data Protection Commissioner about the refusal.
My Office commenced an investigation of the complaint by writing to X.X. However, X.X. failed to respond to any of our letters, emails or phone calls. In effect, it failed to cooperate with my statutory investigation. For this reason I served an enforcement notice on X.X. in March 2008 pursuant to section 10 of the Acts. The enforcement notice was served on the basis that I believed that X.X. had not complied with an access request and was therefore in contravention of Section 4 (1) of the Acts. An enforcement notice is a legal notice that must either be complied with within twenty one days or be appealed to the Circuit Court. Failure to comply with an enforcement notice is an offence liable to a fine on summary conviction in the District Court of €3,000. X.X. was required to comply with the terms of the enforcement notice by providing the data subject with a copy of all of the personal data that he sought, subject to any exemptions which it could legitimately claim under the Acts.
X.X. responded to the enforcement notice by informing my Office that the file records which it held in regard to the data subject related only to his health club membership. Copies of these records were given to him on the date he commenced his membership and when he subsequently renewed it. In response, my Office told X.X. that we were aware, on the basis of information supplied to us by the data subject, that it held other information relating to the data subject in respect of comments and complaints made by him. My Office also pointed out to X.X. that the issue of whether the data subject was already in possession of copies of his health club membership records was not relevant to their compliance with the access request. We clarified that copies would have to be provided to him in response to his access request.
My Office subsequently received a letter from X.X. concerning the enforcement notice. In this letter, X.X. challenged the statement in the enforcement notice that it was in breach of section 4(1) of the Data Protection Acts. Among other things, X.X. stated that there was no valid access request from the data subject because it claimed that the data subject had made his request verbally and not in writing as required by the Acts. X.X. also claimed that a copy of the data subject's file was made available to him in response to his verbal request. The file contained a copy of the data subject's agreement with X.X. and correspondence related to the renewal of his membership. This was all the personal data it held relating to the data subject. On this basis, X.X. sought the cancellation of the enforcement notice.
My Office contacted the data subject who confirmed that he had submitted his access request in writing by registered post to X.X. The data subject had also received from X.X. a scanned copy of his access request as an attachment to the initial email which it had sent to him refusing him access to his data. In view of this my Office told X.X. that I would not cancel the enforcement notice.
I considered that the situation that had arisen was unacceptable. I instructed two of my authorised officers, using the powers conferred on them by Section 24 of the Data Protection Acts, to visit the premises of X.X. in C. X.X. cooperated with the inspection. My authorised officers found a copy of the data subject's written access request as well as a significant amount of personal data relating to the data subject. None of this data had been supplied to him.
On the basis of the inspection, my Office informed X.X.'s solicitors that we were completely satisfied that their client had breached both sections 4(1) and 4(7) of the Acts concerning the data subject's access request. Their client had also committed an offence by failing to comply with an enforcement notice. The Acts mandate me, in certain circumstances, to try to reach an amicable resolution to a complaint. Soon afterwards, an amicable resolution was achieved. X.X. provided the data subject with copies of all the personal data it held relating to him. The company apologised to the data subject for failing to provide the personal data on time and for the inconvenience caused to him as a result. As a gesture of goodwill, X.X. donated a sum of €300 to a charity of the data subject's choice.
I was satisfied with the overall outcome of this complaint. However, it is unacceptable that a data controller would ignore correspondence and phone calls from my Office in the course of the investigation of a complaint. I use my legal powers sparingly but, in this case, I felt it necessary to use two separate legal powers in an effort to uphold the rights of the data subject. Had this access request been handled correctly by the data controller, the matter could have been resolved within a short time. In the course of their inspection my authorised officers found that the personal data was readily available on the computer of the data controller. It could easily have been copied and prepared for issue to the data subject with less than one hour's work. Instead, for reasons that I believe related to unhappiness about a customer service complaint, the data controller chose to refuse the request and to show disregard for my Office's investigation. I will not accept this attitude from any data controller. Thankfully, I do not encounter such attitudes on a regular basis. However, as this case demonstrates, I will use my legal powers without hesitation if it is necessary for the investigation of a valid complaint to my Office.