Collins v FBD Insurance
On 9 March 2012, Mr Michael Collins was awarded €15,000 in damages by the Circuit Court for breaches of data protection legislation by FBD Insurance plc (FBD). It is the first time that an individual has been successful in requesting the Circuit Court to assess and award compensation for breaches of the Data Protection Acts 1988 and 2003, as amended (the DPA). We look at the significance of the case and the likely implications for businesses in Ireland.
Mr Collins, a member of the Travelling community, made a claim under a policy he had with FBD in respect of a stolen work van. The claim was refused by FBD on the basis that Mr Collins had failed to disclose previous criminal convictions when entering into his policy. Mr Collins challenged this decision on the basis that the proposal form he had completed did not inquire as to all of his previous criminal convictions and requested only relevant information relating to convictions for road traffic offences.
Under Section 4 of the DPA, Mr Collins sought a copy of his personal data held by FBD and in particular a copy of the proposal form in question. FBD refused to provide him with this information, claiming it had been lost, and Mr Collins made a complaint to the Data Protection Commissioner. Upon investigation at FBD offices in Bluebell, Dublin, the Commissioner discovered that FBD had in its possession a report about Mr Collins from a private investigator stating that Mr Collins had been convicted of a crime and had been sentenced to serve a period of time in prison. On foot of the investigation, the Commissioner found that FBD was in breach of the DPA. He found the failure of FBD to provide the private investigator report to Mr Collins was a breach of Section 4 of the DPA. It also transpired from District Court inquiries that the information contained in the report held by FBD was inaccurate.
A Code of Practice on Data Protection for the Insurance Sector was published by the Commissioner on 20 August 2008 and deals specifically with the use of private investigators by insurance companies and the steps that must be taken to ensure any such use is in accordance with the DPA. In 2010, the Commissioner ordered a company to release a private investigator report to a former employee, which was being withheld incorrectly on the grounds that it was legally privileged. The Commissioner was highly critical of the manner in which the private investigator had been engaged by the company (in particular, the absence of a written contract between the parties) and reaffirmed the right of access of data subjects in respect of private investigator reports.
Judge Jacqueline Linnane noted that under Section 7 of the DPA a data controller owes a duty of care to those data subjects whose personal data it processes. The judge held that there had been a breach by FBD of Section 2C of the DPA for failing to have a written contract in place with the private investigator to obtain and process personal data on its behalf and a breach of Section 4 for failing to provide Mr Collins with a copy of his personal data within the prescribed time period of forty days. The breaches of the DPA by FBD resulted in Mr Collins failing to have his insurance claim assessed and settled appropriately. In awarding Mr Collins €15,000 in damages, Judge Linnane was particularly critical of the manner in which FBD had conducted itself in obtaining the information from the private investigator and in refusing to release the information to Mr Collins upon his request. FBD has appealed the case to the High Court. The case is due to be heard on 5 October 2012.
The Collins case is significant as it is the first time a data subject has been awarded damages by the Circuit Court for breaches of data protection law. It demonstrates that the courts are willing, in appropriate circumstances, to award significant amounts of compensation to those whose rights have been breached.
For businesses that fail to take their obligations under the DPA seriously, it could mean that data subjects, no longer satisfied with simply making a complaint to the Data Protection Commissioner, may also seek compensation directly from the courts where they feel their rights have been breached. Even if such actions do not result in awards of compensation, the taking of such actions, or the mere threat of such actions, will have a significant impact on the amount of time, resources and legal costs needed to deal with these issues. This is in addition to dealing with the inquiries of the Office of the Data Protection Commissioner and the significant PR damage that can result from such actions.
What Steps Can be Taken Now to Avoid the Consequences of Non-compliance?
In light of this judgment, it is essential that businesses are aware of their obligations to those persons whose personal data they hold, and have in place appropriate policies and procedures to monitor and ensure compliance, or face the consequences. Key obligations to be aware of are:
- ensuring personal data held has been obtained and processed fairly;
- ensuring personal data held is kept for one or more specified and lawful purposes and is processed only in ways compatible with the purpose for which it was provided;
- ensuring personal data is accurate and kept up-to-date;
- ensuring personal data is not retained for longer than is necessary; and
- ensuring individuals are provided with copies of their personal data within forty days of receipt of a request.