Resolution in AIB customer’s data breach action
Man’s address given to private detective by Department of Social Protection employee
After AIB wrote to him in Drogheda in 2015, Daniel Lannon made a complaint to the Data Protection Commissioner. Photograph: iStock
Daniel Lannon had claimed damages, including aggravated damages, against the Minister for Social Protection over alleged breach of his privacy and data protection rights in 2014. He also sought declarations that the department breached its duty of care in regards to his personal data.
The department denied liability but accepted that a former employee had passed on Mr Lannon’s data to a private detective.
On Thursday, following talks between the parties, Jim O’Callaghan SC, with Darren Lehane, instructed by Lawlor Partners solicitors, for Mr Lannon, told Mr Justice Tony O’Connor the action had been resolved and could be struck out with no order.
As part of the settlement, Conor Power SC, with Nick Reilly, for the Minister, read a statement to the court on behalf of his client. Counsel said the Department of Social Protection “acknowledges and regrets that data relating to Mr Lannon was released in contravention of the 1988 Data Protection Act by a former employee.”
“That employee had acted outside the scope of her employment and without the authority of the department,” the statement concluded.
Mr Justice O’Connor commended the parties for reaching a resolution and struck out the case.
During the three-day hearing, Mr Lannon claimed his personal data, including his address at Colpe View, Deepforde, Dublin Road, Drogheda, was accessed on August 22nd, 2014 by Caitríona Bracken, then an official of the department. She provided those details to a private investigator Michael Ryan, her brother in law, who had been hired by a solicitor’s firm acting on behalf of AIB.
Mr Lannon claims the information was used so AIB could serve legal proceedings on Mr Lannon at his Drogheda address.
Mr Lannon had not given the bank the Drogheda address and he instead used the address of a property he owned at Burnell Square, Malahide Road, Dublin for correspondence with AIB.
After AIB wrote to him in Drogheda in 2015, Mr Lannon made a complaint to the Data Protection Commissioner (DPC). The DPC later prosecuted Mr Ryan, and his company Glen Collection Investments Limited, who in October 2016 admitted certain data breaches and was fined €7,500 by the district court.
In its defence, the department accepted Ms Bracken had accessed Mr Lannon’s private data and provided it to Mr Ryan, but said it was not liable for her actions.
Ms Bracken of Kilkerrin, Ballinasloe, Co Galway was initially added by the department to Mr Lannon’s proceedings as a third party but the department early in the hearing dropped its claim against her. She had claimed the release of data to parties including private investigators was “commonplace”.
The department rejected her claim and said it took steps to ensure all of its employees were aware of their data protection obligations and it took any data breach very seriously. The court heard the department has disciplined and fired members of staff found to have wrongfully passed on information to third parties.