We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.

Bank escapes DPC censure for providing solicitor with data

07 Mar 2023 / data law Print

Bank escapes DPC censure for giving solicitor data

A decision by the Data Protection Commissioner (DPC) in 2022 hinges on the status of a solicitor as a regulated professional and officer of the court.

The DPC annual report details a case where, following a request from the solicitors of a joint-account holder, the bank (data controller) sent out bank statements that included the complainant’s personal data, to those solicitors.

The complainant was concerned that this disclosure did not comply with data-protection law.

Entitlement to access details

The bank set out its position to the DPC that any joint-account holder is entitled to access the details and transaction information of the joint account.

The bank further took the view that, in relation to solicitors who are acting for its customers, it is sufficient to accept written confirmation on headed paper that the solicitor acts for the customer as authority to engage with the bank as legal representative.

Data-protection law requires that personal data be collected or obtained for specified, explicit and legitimate purposes – and not be further processed in a manner that is incompatible with those purposes.

In this case, the DPC noted that the bank had obtained the complainant’s personal data to administer the joint account.

The DPC found that it was consistent with the bank’s terms and conditions for the joint account, and the account holder’s signing instructions (which allowed either party to sign for transactions without consent of the other account holder), that the administration of the account could be completed by one account holder.

Not incompatible

The DPC found that the disclosure of bank statements to the solicitors was not incompatible with the specified, explicit and legitimate purpose for which the complainant’s personal data had been obtained for the administration of the joint account.

Secondly, the DPC found that the bank had a lawful basis for the disclosure of the complainant’s personal data, regardless of whether the complainant had provided consent.

Finally, the DPC accepted the position of the bank, set out in its policies, that it was appropriate to accept written confirmation from a solicitor that they were authorised to act on behalf of an account holder, without seeking further proof.

The bank’s policy was acceptable, since a solicitor has professional duties as an officer of the court and as a member of a regulated profession.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland