BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
 |
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | |
Irish Data Protection Commission Case Studies |
||
|
You are here: BAILII >> Databases >> Irish Data Protection Commission Case Studies >> Credit union commits several breaches by failing to update a member's address record [2008] IEDPC 14 URL: http://www.bailii.org/ie/cases/IEDPC/2008/14.html Cite as: [2008] IEDPC 14 |
||
[New search] [Printable RTF version] [Help]
Credit union commits several breaches by failing to update a member's address record [2008] IEDPC 14 (31 December 2008)
Credit union commits several breaches by failing to update a member's address record.
In March 2008 I received an unusual and complex complaint against a credit union. The credit union had sent correspondence for the complainant's ex-wife to the complainant's address. After receiving the registered correspondence at his home address, the complainant informed the credit union by phone that his ex-wife did not reside at his address, nor indeed had she ever resided at that address. In fact they had been living apart for twenty-two years. Despite this, two further pieces of correspondence from the credit union to his ex-wife arrived at the complainant's address on separate dates.
My Office wrote to the credit union in early April 2008 informing it that we were commencing an investigation of this complaint. The complainant was anxious to establish what personal data the credit union held in relation to him. He was genuinely concerned that the correspondence he was receiving was prompted by fraudulent use of his personal data by a third party. We advised him to submit a request to the credit union under section 3 of the Acts. Section 3 of the Acts provides that an individual may submit a request in writing to a data controller to be informed whether the data controller keeps personal data relating to the individual. If the data controller does have such data, section 3 provides that the data subject should be given a description of the data and the purposes for which it is kept. Under the provisions of the Acts a data controller must respond to such a request within twenty one days. The complainant took our advice but unfortunately did not receive a response from the credit union to the section 3 request that he submitted in mid-July 2008.
The credit union failed to reply to my Office's initial correspondence despite three separate reminders during the period April to July. One of my officials received a very unsatisfactory call from one of the elected members of the credit union which did not provide any response to the issues raised. This situation, coupled with the failure by the credit union to meet its statutory obligation to respond to the request under section 3 of the Data Protection Acts, led my Office to form the view that the credit union had little regard either for the data protection rights of the complainant or for my Office. For these reasons I instructed two of my senior officers, using the powers conferred on them by section 24 of the Data Protection Acts, to enter and inspect the premises of the credit union to obtain information relevant to the investigation of this complaint. In the course of their inspection, my authorised officers found records which confirmed that the complainant had indeed informed the credit union in June 2007, as he had indicated, that his ex-wife did not live at his address. No action had been taken by the credit union on foot of this information in terms of updating the address on file and, as a result, the complainant's address was used on two further occasions by the credit union to send letters intended for his ex-wife. My authorised officers also found the section 3 request that the complainant had submitted in July 2008 on the premises. They confirmed that the credit union had not taken any action in response to the request.
Subsequent to the inspection by my authorised officers, the credit union confirmed to my Office that a response issued to the complainant's section 3 request in mid-September 2008. This was over five weeks outside the statutory requirement. My Office was disappointed to discover that the credit union had copied its response to the section 3 request to four separate third parties. The complainant was entitled to have his request handled in a confidential manner. It was, to say the least, very disappointing that the credit union copied the response to the request to third parties who had no business in relation to it.
Following my Office's investigation, we found the credit union to be in breach of section 3(b) of the Data Protection Acts for failing to respond to the complainant's section 3 request within the statutory timeframe of twenty one days. We found that the credit union was also in breach of section 2(1)(d) of the Acts for its unauthorised disclosure of the complainant's personal data to third parties when responding to his section 3 request. The records of the credit union showed that the complainant first contacted it by telephone in June 2007 to inform it that his ex-wife did not live at his address. The credit union's subsequent failure to take action to remove the complainant's address from its records led it to process the complainant's personal data on two further occasions, constituting two additional breaches of his data protection rights under section 2A of the Acts. The failure of the credit union to remove the complainant's address from his ex-wife's records caused two further breaches. This time the credit union breached the data protection rights of the complainant's ex-wife, because it sent her personal data on two occasions in August 2007 and September 2007 to an address which it knew from June 2007 to be incorrect.
The sequence of events that culminated in my instruction to my authorised officers to use their powers under Section 24 of the Acts to progress the investigation of this complaint demonstrates the dismissive attitude shown by an elected member of the credit union towards my Office. This uncooperative approach by the credit union was disappointing and unacceptable. Thankfully my staff do not encounter such attitudes every day and, in the event, the staff and manager in the credit union were very co-operative to my authorised officers during their visit. Our approach to complaints, as provided under the Acts, is to try to reach an amicable resolution by engaging openly and honestly with the parties concerned. When a data controller fails to cooperate satisfactorily with an investigation conducted by my Office, I will use my legal powers without hesitation, as this case demonstrates. Neither I nor my staff will be deterred from taking the actions that we consider necessary.
As I reflect on this regrettable and time-consuming incident, I note that it comes down to the credit union's refusal to respond to a person with a genuine complaint. The complaint was well-grounded and reasonable and, if the credit union had demonstrated even a basic level of customer service, the matter would have been resolved quickly and without consuming the resources of my Office. In this respect, I accept that a credit union has a right to trace the location of a person with whom it needs to communicate for a genuine business reason and using reasonable means. For this reason I have no difficulty with the sending of the initial letter.
