Does a phone company have to tell you whether or not the police has accessed your data?

In a recent decision the Data Protection Commission confirmed that a telephone company had to tell a subscriber whether or not details of his phone usage had been accessed by the police unless it could actually demonstrate that there would be prejudice to a criminal investigation or prosecution.

A redacted copy of the decision has been posted on www.datasubject.ie with the permission of the data subject.

This is an important decision which opens the door to greater transparency around police access to telecoms subscriber information retained under the Communications (Retention of Data) Act 2011. Under this regime there is limited oversight via the Complaints Referee – who crucially can neither confirm nor deny whether an access request unless there has been unlawful access.

This new decision of the Data Protection Commission now confirms that individuals can look for confirmation of whether an access request has been made by a state agency under the 2011 and this request can only be refused if a phone or internet company can show that it would be prejudicial to a criminal or related matter for the request to be answered.

In this particular case we acted for the data subject who had asked the telecom provider, Eir, to say whether or not a state agency had requested access to his information which Eir retained under the 2011 Act. Eir refused to answer the request citing provisions of the 2011 Act and a general policy concerning access to retained data.

The Commissioner found that this request was a valid subject access request and that Eir had failed to answer it within the prescribed time. In addition the Commissioner found that the generic policy relied on by Eir did not constitute a valid statement of reasons and in addition Eir had not informed the data subject about his right to complain to the Data Protection Commissioner.

Once the complaint was lodged Eir sought to rely on section 5(1)(a) of the Data Protection Acts 1988 to 2003 which restricts the right of access in relation to personal data “kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders …. , in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid

Ultimately Eir admitted that it could not show that any of the listed matters would likely be prejudice and that it could not rely on this restriction to the right of access.

Click here to access a copy of the decision.