A property owner complained to the PCPD that, notwithstanding her repeated objections, staff of an estate agency had been approaching her through her home and mobile telephone numbers in an effort to persuade her to sell her property through the agency. She had also written to request them not to contact her in future, but the request was ignored.
The Commissioner's views on the matter
The PCPD found that the company had acted in breach of DPP4, in that it had not taken reasonably practicable steps to ensure that personal data (namely, the identity card number) of the ex-employee were protected from accidental or unauthorized use. The company agreed to delete the identity card number from the messages and a warning notice was issued to it.
Personal data collected in the course of employment should only be used for purposes related to the employment. When an employee resigns, the use of his personal data for the purpose of notifying customers is regarded as being a use of the data for a directly related purpose. However, the personal data used for such a purpose should be limited to those data which are sufficient to fulfill the purpose of notification. The disclosure of the employee's name and position in the company should be sufficient to identify the employee in the notification. Disclosing the employee's identity card number is unnecessary and may lead to possible misuse of that number for fraudulent or other improper purposes.