Section 2(1)(c)(ii) of the Data Protection Acts 1988 and 2003 provides that a data controller shall not process personal data in a manner incompatible with the purpose for which it was collected by that data controller.
Data protection law is not user-friendly and the full meaning of that rule is not immediately apparent; but one straightforward implication is that personal data cannot generally be disclosed to another party without the consent of the data subject.
Toyota is implementing a massive product recall due to complaints that some of its accelerator pedals stick, while other brake functions are inconsistent.
RTÉ News reported tonight that all Toyota owners would be contacted by letter in the coming weeks informing them of the recall, including those who bought the car second hand or by private sale. How would they contact such Toyota owners? The report said that the owners’ details would be obtained from the vehicle licensing authorities. How does this sit with section 2(1)(c)(ii)?
There are exceptions to the no-disclosure rule: for example, section 8(d) allows disclosure where it is urgently required to prevent injury or damage to the health of a person or serious loss of or damage to property. The important word is “urgently” and guidance from the Irish Data Protection Commissioner says:
This provision does not authorise disclosures of personal information for general health research purposes, or for other medical purposes where there is no immediate or urgent risk to someone’s life or health. In such cases, the normal data protection rules apply, including the obtaining of consent where necessary. (My emphasis)
So, section 8(d) does not permit disclosure.
Section 8(e) permits disclosure when it is required by or under any law or order of court. One such law (with thanks to TJ for pointing it out) was the Finance Act 1993 (section 60) Regulations 1996, which prescribe motor manufacturers and distributors for the purposes of section 60(3) of the Finance Act 1993, thereby providing them with the permission to inspect the records of the vehicle licensing authorities.
The issue of disclosing car owner details to a manufacturer for the purposes of a safety recall has arisen in the past and in Case Study 3/99 the Data Protection Commissioner was satisfied that disclosure was permitted on the basis of the 1996 Regulations.
However, the 1996 Regulations have been revoked and supplanted a number of times over the years, resting with the Finance Act 1993 (Section 60) Regulations 2005. The 2005 Regulations do not mention motor manufacturers and distributors, unlike those regulations passed since 1996. In Case Study 3/99, the Data Protection Commissioner expressed concern at the unqualified access suggested by section 60 and recommended it be reviewed. Could this be why motor vehicle manufacturers and distributors were excluded from the 2005 Regulations?
If so, and if disclosure has not been permitted elsewhere in the law when the change was made in 2005, on what basis can the vehicle licensing authorities now disclose Toyota owner details?
A Clatter of the Law 
The 2005 Regulations do include disclosure to “persons for the purposes of road or personal safety initiatives” – is this wide enough to cover safety recalls?
Incidentally, the Regulations go on to say that disclosure may be made to “such other persons as may be approved from time to time”. However, this catch all provision seems to me to be so vague as to be invalid. S.60 of the 1993 Act permits disclosure to persons who are prescribed – and s.57 makes it clear that “prescribed” means “prescribed by the Minister by regulations”. The Act does not envisage that the Minister might give himself a general discretion to “approve” any other persons without doing so by regulations, thus avoiding scrutiny by the Dáil. (See s.58)
I expect, in the absence of any other enabling provision, reliance would be made on “persons for the purposes of road or personal safety initiatives”. In light of the Commissioner’s comments in 3/99, however, that category of persons is likely to be even more objectionable from a data protection perspective (likewise “such other persons”).