We received a complaint in March 2012 in relation to the alleged failure of O2 (a telecommunications company) to comply with an access request made to it in January 2012 seeking a copy of call records in respect of a mobile phone number from November 1999 to the date of the access request. In response to an access request, a data controller must supply the personal data to the individual within forty days of receiving the request.
We commenced our investigation initially by way of telephone contact with O2, during which we were assured by the company that it would immediately contact the requester's legal representatives to progress the matter of the access request. O2 subsequently wrote to the requester's legal representatives requesting a fee of €6.35 for the processing of the access request. It also informed them of the two-year retention period applying to such data as set out in the Communications (Retention of Data) Act, 2011 and it informed them that call records beyond two years were not available.
The requester rejected the suggestion that there were limitations on the availability of call records beyond two years. They were informed by O2 that it was not simply a technical limitation but a legislative limitation and obligation incumbent on it on foot of the Communications (Retention of Data) Act, 2011 which obliges telecommunications service providers not to retain any such call data after a period of two years has elapsed.
In April 2012 O2 provided us with a copy of a letter which it sent to the requester's legal representatives informing them, among other things, that the mobile number for which the data was requested was an unregistered number. We urged the requester's legal representatives to provide O2 with any information available to substantiate ownership of the mobile number.
During the course of a subsequent conference call with O2 we established that the telephone number used by O2 when conducting its initial search of its database contained an incorrect digit. A further search by O2 using the correct digit established that the phone number was registered to the requester. We instructed O2 to commence the process of retrieving the call records immediately. O2 informed us in August 2012 that the retrieval process had been completed and that a copy of the call records for the previous two years had been provided to the requester's legal representatives in response to the access request.
The requester's legal representatives subsequently requested a formal decision under Section 10 of the Data Protection Acts. The Commissioner found in his decision that O2 contravened Section 4(1)(a) of the Data Protection Acts by not providing the relevant personal data within the time limit specified in respect of the access request submitted to it in January 2012.
There were several failings on the part of O2 in the processing of this access request:
The Data Protection Acts provide at Section 4(1)(c)(i) that a fee may be payable to the data controller in respect of an access request. O2 requested the fee of €6.35 more than two months after the receipt of the access request and it did not commence processing the request until the fee was received. As the application of the fee is entirely discretionary on the part of the data controller, it is our view that if the data subject does not submit the fee with the access request, the onus lies on the data controller who intends to apply the fee to request payment at the earliest possible opportunity within the forty-day statutory period.
In the meantime, the data controller should continue to process the access request with a view to meeting the forty-day timeframe for release of a copy of the personal data, subject to the fee being received within that timeframe. If the fee is not submitted until after the statutory timeframe, the data controller is not obliged to release a copy of the data sought until it receives the fee. However, a data controller may not delay the processing of a data access request and the release of a copy of personal data by failing to request payment of the fee until the statutory timeframe of forty days has either elapsed or is about to elapse within a few days.
The data retrieval process did not commence until the end of May 2012, four months after the receipt of the access request. This was due to O2's delay in requesting the fee and the fact that its initial search for records was conducted using an incorrect number. As a result of these delays, four months of data which the data subject wished to access was no longer in existence by the time the data retrieval process commenced.
The data retrieval process was completed in August 2012. By O2's own admission, and due to technical limitations, all such requests made to O2 can take up to ten weeks to process. Therefore, had the retrieval process commenced as soon as the access request was received, the 40-day statutory timeframe in which such requests must be complied with would still have been exceeded, thereby resulting in a breach of Section 4(1)(a) of the Acts.
URL: http://www.bailii.org/ie/cases/IEDPC/2012/[2012]IEDPC2.html