Irish Water has somehow got hold of a list of names and addresses of people, including details of the property owned by them or inhabited by them. It is important to know where the information originally came from but as I do not know the answer to that, I am assuming for the purpose of this article that the information came from either a central government office or a local government office.
The question is: Was it lawful to give this information to Irish Water?
Again, the usual disclaimer: this is not legal advice. It is just a personal opinion that I am sharing with anyone who might be interested. If you want to do something to or for Irish Water, consult a solicitor.
When you give your personal details to an organisation or individual, they have a duty to keep those details private and safe. This is known as ‘data protection’. The person or organisation that controls the contents and use of your personal details is known as a ‘data controller‘. The law imposes legal duties on the data controller as to how they are allowed to use that personal information.
The Act that deals with these sorts of issues is the Data Protection Act of 1988 as amended by the Data Protection (Amendment) Act of 2003. The 2003 Act significantly amended the original Act in order to bring Ireland in line with the EU Data Protection Directive 95/46/1995. True to form, the Irish government dragged its heels but eight years later the provisions of the Directive finally became Irish law and now, in 2014, the law is firmly established.
The next question to ask is: Does a name, address and property details constitute “personal data”, which is what the Act protects?
The Act defines “personal data” as: “data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”.
Clearly your name and address is personal data as it enables you to be identified. In addition, a description of your property is also personal data as it is possible to find out the identity of the owner of property if you have the details of that property.
The next question is: Was the body that originally (and, I assume, legally) held the personal data allowed to pass it on to Irish Water?
To use the language of the Act, the person or organisation that originally held the personal data and passed them to Irish Water was the ‘data controller’. As the body receiving that personal data, Irish Water is the recipient of a “disclosure”, which definition includes “the transfer of such data”.
Was the data controller allowed to disclose the personal data to Irish Water?
Section 2(1) of the Act was amended by the 2003 Act and now reads:
“(1) A data controller shall, as respects personal data kept by him or her, comply with the following provisions:
(a) the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly,
(b) the data shall be accurate and complete and, where necessary, kept up to date,
(c) the data—
(i) shall have been obtained only for one or more specified, explicit and legitimate purposes,
(ii) shall not be further processed in a manner incompatible with that purpose or those purposes,
(iii) shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
(iv) shall not be kept for longer than is necessary for that purpose or those purposes,
(d) appropriate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.”,
The provisions of (c) (i)-(iii) make it clear that the personal data can only be disclosed to another recipient if it is for the same purpose or necessarily implied purpose for which you handed over that data in the first place.
The office that enforces the Data Protection Act is the Data Protection Commissioner, and the Commissioner has been quite strict when interpreting Section 2.
In Case Study 8/98, the Commissioner had to decide whether a bank was allowed to give account details of a customer to a ‘close relative’ of the customer. The Commissioner noted that “the primary purpose for which the bank kept the complainant’s data was the administration of his account” and it could not be argued that “disclosure of the complainant’s details to his relatives would be necessary for the administration of the account.” Accordingly, the bank had contravened the Act.
Assuming that the data controller came by your personal data by legitimate means, it is highly unlikely that you handed over that data for a purpose that can be linked to paying for water. If you originally handed over your details for the purpose of property tax or bin collection charges or whatever, it is too much of a stretch to say that you must have realised that it would be used to charge you for water.
Therefore it can be argued that the disclosure of your personal data to Irish Water was in contravention of Section 2 of the Data Protection Act.
It does not end there. Section 8 of the Act allows “processing” (which definition includes disclosure) of personal data in certain instances: In other words, it is the list of exceptions to Section 2.
Section 8 says the following are justified instances of personal data disclosure:
(a) in the opinion of a member of the Garda Síochána not below the rank of chief superintendent or an officer of the Permanent Defence Force who holds an army rank not below that of colonel and is designated by the Minister for Defence under this paragraph, required for the purpose of safeguarding the security of the State,
(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid,
(c) required in the interests of protecting the international relations of the State,
(d) required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property,
(e) required by or under any enactment or by a rule of law or order of a court,
(f) required for the purposes of obtaining legal advice or for the purposes of, or in the course of, legal proceedings in which the person making the procesing is a party or a witness,
(h) made at the request or with the consent of the data subject or a person acting on his behalf.
Clearly (a) does not apply. (b) looks interesting but Irish Water is a private company (albeit almost wholly owned by the State), and is not “the State, a local authority or a health board”. I doubt that (c) or (d) apply.
However, (e) warrants careful scrutiny. Do the Water Services Acts authorise the disclosure to be made to Irish Water?
As mentioned in a previous blog, Section 20 of the 2013 Act gives both Bord Gáis Éireann (BGE) and Irish Water the same powers as were available to a water services authority under the 2007 Act, where these powers are necessary to meet this objective. Sections 31 and 32 of the 2007 Act are both long and detailed and they set out the many powers available to a water authority, which are now transferred to Irish Water. This includes the necessary powers to “obtain information from households” in receipt of water services and “other third parties” for the purpose of “creating a customer database”.
I do not think this wording is strong enough to allow a data controller to simply ignore the Data Protection Act. Usually when one Act is not to be affected by another Act, this exclusion is done expressly (i.e. in so many words).
Finally, section 24 of the 2013 Act says that BGE or Irish Water “have all such powers as are necessary or expedient for the performance of its functions under this Act”, whilst Section 25 says they may “do all such things as may be necessary or expedient for the purposes of the performance by it of water services functions under any enactment passed after the passing of this Act”.
Clearly, “all things” means all things legal and does not include breaking the law.
Now, to answer the question – has Irish Water contravened the Act?
On a strict reading of the law, Irish Water has not contravened the Data Protection Act. The organisation or person who handed over the personal data to Irish Water has broken the law if the disclosure was in contravention of Section 2.
Of course, the million dollar question is whether a contravention of the Data Protection Act subsequently taints all transactions made possible by the use of that personal data? In other words, does it allow you to throw away or burn the pack?
Unfortunately, the answer to that is probably “no”. A contravention of the Act gets you the penalty provided by the Act, rather than destroying everything in its path. Section 31 of the Data Protection Act provides that if a person is convicted of contravening the Act, he or she shall be liable on summary conviction, to a fine not exceeding £3,000, or on conviction on indictment, to a fine not exceeding £100,000. However, it goes on to say that the court can, in certain circumstances, order the destruction of that data.
Now all you have to do is find out:
1. Who gave that information to Irish Water?
2. How did they come to have that data in the first place?
3. Was the disclosure of this information in contravention of Section 2 of the Act?
Perhaps a TD could ask these questions in the Dail?