The Data Protection Commissioner's annual report for 1999 lists two complaints about the sharing of patient data with debt-collection companies.
One complainant was an elderly man who had attended a hospital for medical treatment. He paid some, but not all, of the amount for which he was billed. A debt-collection agency subsequently contacted him at home on his unlisted phone number. He felt that the transfer of his personal details to a third-party contravened the Data Protection Act.
The second complainant was a college student who had attended the same hospital and received a letter from the same debt-collection service, which made him fear being "blacklisted". The letter read:
"If within 48 HOURS our client has not received payment, we will be given full instructions on the accounts. I would point out that once we have been instructed your name will be placed on our CREDIT INFORMATION BUREAU. This could affect your ability to obtain credit and loans from other companies."
The Data Protection Commissioner held that the relationship between the hospital and the agency was a "bona fide principal-client relationship" and that the Act did not preclude the hospital from passing personal information to the agency.
The report continues: "It was pointed out that the agency had no entitlement to retain personal details regarding the hospital's patients, and that it certainly had no entitlement to use these details to create a credit reference 'blacklist'"
The Commissioner continued: "I pointed out my view that it is not permissible for a debt-collection agency, or indeed for any data controller, to misrepresent the purpose for which it keeps personal data, in order to put people under pressure to behave in a certain way. As a result of these discussions, the debt collection agency agreed to re-word its letters so as to avoid any misrepresentation of what it is entitled to do with personal data it keeps as agent of the hospital."