2 Data Protection Scenarios -- hypotheticals

Garth

I'm have a few debates with friends about the details of DP in Ireland. To clarify, I've made up 2 hypothetical situations and I'm just looking to see if anyone saw these differently than I do.

1. An Antique Car organisation makes available to the public a list of all members and their full postal addresses, at their car shows, for a price. What rights have I (a member of the public) to use this information without being in violation of DP? There are no disclaimers attached to the publication that say that the addresses are not to be used for marketing, etc. If I sent a circular to all these addresses advertising a similar activity, but run by another organisation, would that be permitted?

2. The same Antique Car organisation only allows members to exhibit their cars at the shows if the member allows the publication of their full postal address in the list that they sell to the public. If a member wants to exhibit but asks for his address to be withheld, he is told he cannot participate without giving permission for publishing his address. He feels his expensive antique car is at risk, as is his personal security, but enjoys participating in these events. Is he simply left unable to participate, or is the demand by the organisation inappropriate?

I assure you, there is no antique car organisation that has these issues (or if there is, I don't know who they are!). These are just to clarify different aspects of DP that I don't fully understand.

I am not seeking legal advice, just some interesting views on DP in Ireland.

seamus

Garth wrote:

1. An Antique Car organisation makes available to the public a list of all members and their full postal addresses, at their car shows, for a price. What rights have I (a member of the public) to use this information without being in violation of DP? There are no disclaimers attached to the publication that say that the addresses are not to be used for marketing, etc. If I sent a circular to all these addresses advertising a similar activity, but run by another organisation, would that be permitted?

I think they may depend on what the permission the organisation has to provide those details to you. Assuming that the organisation was not permitted to sell the details on, then you may not be permitted to use them for marketing purposes. I don't think you'll be in any particular trouble if you do, though you would be required to destroy the data.

If the organisation had permission to sell that information to you from its members for marketing purposes, then you may very well use that for whatever you wish. You would still be bound by the DPA in terms of correctness of data and removal of data, and also by the legislation that deals with penalties for unsolicited communications.

2. The same Antique Car organisation only allows members to exhibit their cars at the shows if the member allows the publication of their full postal address in the list that they sell to the public. If a member wants to exhibit but asks for his address to be withheld, he is told he cannot participate without giving permission for publishing his address. He feels his expensive antique car is at risk, as is his personal security, but enjoys participating in these events. Is he simply left unable to participate, or is the demand by the organisation inappropriate?

It may be "inappropriate", but that would be for a court to decide in reality. As a private organisation, they essentially have the right to establish their own rules.

Tom Young

Seamus, not sure I totally agree with you on the Private Organisations aspect of your comment. They are also subject to the acts as is anyone. There is a problem with general control in this area in my opinion.

The person who procures personal data above technically should only store the data with the explicit consent of the persons to whom the data is personal. Specific consent may not have been given to the Vintage Car organisation to distribute and utilise the data or lists in order to propagate some other service or product, or then again maybe the people listed are happy that their data be used.

Under the guidelines, personal data should be expunged from systems and lists 6 months after the expiry of the use of the information has elapsed. Persons solicited by the data processer should be allowed to opt-out of further communications from the data processer and so forth.

Any organisation is also subject to 'subject access requests' which effectively have the power to investigate and make a company comply with requests about personal data within (?) 40 days.

See link: http://ec.europa.eu/justice_home/fsj/privacy/docs/guide/guide-ireland%20%20_en.pdf see page 6 on the PDF for information.

The link is the EU marco guidance and we have our own S.I.s in respect of more discrete issues, 535 of 2003, you can get these on the dataprotection.ie site (if its working).

Don't be too in awe of it, most 'typically Irish' firms haven't a rashers about what they are supposed to do with data etc.

Enjoy.

johnnyskeleton

Just to add my two cents; the DP act does not apply to "personal data kept... by an individual only for recreational purposes" [s.1(4)(c)]. So it is arguable that if the similar activity is run for recreational purposes and not as a business venture the act does not apply.

Victor

This is what post office box numbers are for.