Among the cases dealt with by the Data Commissioner under the provisions of the Data Protection Act during 1997 were:
Case 1:
A company engaged consultants to evaluate some of its senior management posts. Knowing the consultants' reports were kept in computerised form, the occupants of a number of these posts made a request under the Act for copies of information relating to themselves.
The consultants did not respond within 40 days, as required, which prompted a complaint to the commissioner.
The consultants said it was the first time they had encountered a request under the Act for access to data arising from their work. As they had acted as agents for other organisations, it made their position "sensitive."
Some information was in the form of "scores". Disclosing this, they claimed, would amount to revealing commercial information of their own.
As the Act provided for the complainants' right of access to personal information, the consultants acceded to the request.
Data controllers faced with such requests sometimes argue that there are special circumstances which in some way entitle them to respond either in a limited way, or not all.
With some exceptions, as outlined in Section 5 of the Act, "the request must be responded to, no matter how inconvenient or disagreeable it may be for the data controller to do so."
Case 2:
Use of Electoral Register information for mailing lists
There was a significant number of complaints from people who received direct mailings by the use of details from the register. Complainants strongly felt this was an invasion of their privacy.
Two related to a promotion for an alcoholic drink, and several were prompted by letters from a financial institution new to the Irish market.
The matter fell outside the data commissioner's remit, however, as the Act does not apply to "personal data consisting of information that the person keeping the data is required by law to make available to the public." The only remedy, he suggested, was to request those responsible to desist from using their personal data for direct marketing.
In another case, a registered adoption agency trying to trace birth parents of adopted children sought a copy of the register from a local authority. Again, this was not a contravention as the register "in the hands of a local authority" is excluded from the Act.
The commissioner, nonetheless, expressed concerns about using the register for purposes other than those for which it was designed. If its use became widespread, the register could be brought into disrepute, "perhaps to the point where some people chose not to register to vote at all."
Case 3:
Ex-directory phone number obtained by insurance broker
Two people complained, separately, that a firm of insurance brokers had obtained ex-directory telephone numbers and used them to try to sell insurance products.
They considered this "an aggressive invasion of their privacy." Both speculated that the brokers had got their numbers in some illicit way, though neither offered any evidence of this.
The brokers, in reply to the commissioner, insisted that in most cases they obtained numbers from the telephone directory, but in some cases got them from referrals by existing clients.
Such clients were encouraged to suggest other people who might be interested in the company's products and services.
The commissioner found a contravention of the Act had not occurred. But he told the brokers they should in future retain a record of how details of prospective clients were obtained. They agreed to do so.
