BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

Irish Data Protection Commission Case Studies
You are here: BAILII >> Databases >> Irish Data Protection Commission Case Studies >> CASE STUDIES 2013 - Data Protection Commissioner - Ireland [2013] IEDPC 15 (2013)
URL: http://www.bailii.org/ie/cases/IEDPC/2013/2013IEDPC15.html
Cite as: [2013] IEDPC 15

[New search] [Contents list] [Help]

Case Study 15: Client list taken by ex-employee to new employer
In January, 2013 we received a complaint from an individual in relation to receipt of unsolicited correspondence to her home address, from a company with whom she had no business relationship. The correspondence referred to the individual's existing pension plan with another company and offered a review of the individual's existing assets or advice concerning her future provision. The letter also indicated the sender's intention to phone the recipient to discuss the matter further. The individual stated that she was annoyed and aggrieved that her personal and financial details were now in the hands of a company of which she had no knowledge.
 
The individual contacted the company with which she had set up her pension plan and they confirmed to her that the person who had sent her the unsolicited letter had left their employment in December 2011.
 
Section 2 of the Data Protection Acts, 1988 and 2003 (the Acts), provides that personal data shall be fairly obtained and processed and shall not be further processed without the prior consent of the individual concerned. We asked the new employer to confirm whether the employee had brought in data relating to clients that he obtained from his time working in his previous employment. We also asked the new employer to confirm what consent, in line with the Data Protection Acts, it had to process such data.
 
Our letter also informed the new employer that it should be aware that contacting an individual by phone, for the purposes of electronic direct marketing, without first receiving their consent, is an offence under Statutory Instrument No 336 of 2011.
 
The new employer confirmed that, having conducted its own internal investigation into the matter, that approximately fifty former contacts of the employee were written to. It stated that no follow up phone calls were made. The new employer confirmed that any such data that the employee possessed had been destroyed and that no further attempts would be made to contact those individuals.
 
The complaint was resolved on an amicable basis when the company provided this Office with a letter of apology dated 28 January, 2013 to forward, on its behalf, to the individual concerned.
 
However, in early April, 2013 this Office received a data security breach notification from the former employer informing us that another of their clients had informed them that she had received a letter from one of its former employees soliciting business. The nature of the letter, although addressed to a different client, was similar to the incident previously investigated by this Office in January 2013. The letter was dated 15 January, 2013 thus predating the confirmation of 28 January, from the new employer, that the client data had been destroyed.
 
Our investigations of such instances are twofold. We contact the company responsible for sending the unsolicited correspondence and we also deal with the company responsible for the data, to determine whether the security procedures it has in place to protect against the unauthorised access and disclosure of personal data are sufficient.
 
In this instance we requested the former employer to inform us of the policies it had in place regarding the security of client information in circumstances where an employee is moving to a new employment. We also requested to be provided with a copy of the data protection element of the contract of employment.
 
When providing this Office with a copy of the Confidentiality and Solicitation agreement signed by the former employee, the former employer also provided us with a copy of another letter sent to one of their clients by the former employee. The letter was dated 15 April, 2013 and was similar in nature to the letters sent to individuals in January 2013.  However, on this occasion, the unsolicited correspondence made no reference to contacting the individual by telephone.
 
This information contradicted the confirmation we had received from the new employer in January 2013 that all data relating to the employee's previous employment had been destroyed. On becoming aware of this development, this Office had no option but to have two of our Authorised Officers carry out a site inspection, as provided under Section 24 of the Acts, at the premises of the company. To assist with the site inspection, we requested the former employer to provide us with a copy of the client list of the former employee.
 
The purpose of the site visit by the Authorised Officers was twofold. Firstly to ascertain how it happened that a letter dated 15 April, 2013 issued to a client of the former employer, despite assurance from the new employer, in a letter dated 28 January, 2013 that all client data from their employee's previous employment had been destroyed. Secondly to carry out a search of the company’s systems to satisfy ourselves that there was no further data in the company’s possession relating to the clients of the previous employer. Using the data provided by the original employer, the Inspection Team carried out a search on the computer systems for individuals’ names and addresses. The Inspection Team was satisfied that no further customer data remained.
 
We informed the new employer, on the morning of the site inspection, of our intention to visit his place of business that afternoon. We had not informed the new employer, prior to the site visit, of our knowledge of the letter dated 15 April, 2013. The new employer cooperated with the inspection.
 
Our investigation of the matter concluded on the basis of our receipt of written confirmation in May 2013 from the Managing Director of the new employer, stating that he fully accepted that breaches had occurred and outlining the actions his company was taking to prevent a recurrence. The Managing Director also confirmed that he personally oversaw the destruction of the data held by the employee.
 
This Office has noticed a significant increase in the number of data security breach notifications we are receiving in relation to this type of matter. We may first become aware of the matter via the receipt of a complaint from an individual relating to their receipt of unsolicited communications or from our receipt of a data security breach notification from the data controller. While there are obvious business related implications to such incidents, the focus of this Office's investigation concerns the basic principles of data protection relating to security, fair obtaining and processing of personal data.
 

BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/ie/cases/IEDPC/2013/2013IEDPC15.html