‘Documents revealed rows going on behind my back between my bank and solicitor’ – the mass of our data companies hold
Here are 10 stories collated from myself and my colleagues on the type of information that is held on us: (KD) — Kevin Doyle; (GG) — Gabija Gataveckaite; (AM) — Amy Molloy; (EM) — Eoghan Moloney.
My medical history is not complicated — but the HSE has hundreds of pages of mostly handwritten notes on me. There was an eye operation at the age of four, appendicitis when I was 12, a broken nose that needed ‘manipulation’ at the age of 16.
The latter two are events that I remember very well. The first, for a squint, I have a vague or imagined memory of. But what I wasn’t expecting to find in my files was that my mother considered leaving me with a lazy eye rather than sign off on the surgery.
Apparently, she fretted over whether to allow me to get surgery when I was aged three, going on four. Hospital notes reveal I was “cosmetically poor” due to a “right convergent squint”.
On foot of my discovery, she admitted it was months before she thankfully took the doctor’s advice and saved me from ending up cross-eyed. By August 1990, the medics concluded: “Kevin is cosmetically and visually satisfactory.”
A mother’s concern is something you don’t fully comprehend as a child but it’s in handwritten black and white in the notes. “I would be grateful if you assess him as a matter of urgency as his mother is very anxious,” a consultant ophthalmologist wrote at one point.
The records also settled an old score. My memory of getting a broken nose fixed as a teenager was that my mother took me out of hospital hours after the surgery without formally getting the green light from doctors. I always contended we were meant to wait for a final check from the surgeon. The notes prove I’ve been wrongly slagging my mother for 20 years about dragging me out of a hospital bed so she could be home for dinner.
Not being ‘known to Gardaí’ raised queries about data request — (KD)
Gardaí have two sections which deal with data requests. One does an initial trawl of their Pulse system where most interactions are recorded. A second unit can dig much deeper. Officers were extremely helpful but also confused by my request as my Pulse records were very mundane. In 2005, my ATM card was skimmed. In 2014, I reported a bicycle stolen from my apartment. A handwritten note of the incident is still on file. And apparently, though I don’t remember, I handed in a phone I found to Pearse Street Garda Station in 2015.
A garda rang to see what he was missing. He said requests are usually from somebody who is involved in a criminal case or who has written to the Commissioner about an issue.
In my work as a journalist I have had to give a number of statements to gardaí over the years but these did not automatically show up. One example I cited in my conversations with the officer looking after data was linked to the killing of Celine Cawley in 2008.
I had to make a formal statement to investigating detectives due to some reporting I did for the Evening Herald at the time. The garda committed to asking Store Street Garda Station whether a copy of my statement was still in existence but I never heard back, and decided to not use up garda resources pursuing it.
Be careful what you say — Alexa recorded my private chats — (KD)
“Alexa — shut up”. I’m prone to being a bit rude to my kitchen companion sometimes and she’s keeping track.
Amazon says their device is not designed to record conversations but it definitely can happen. A data subject request resulted in them sending me 363 recordings. The vast majority were genuine instructions such as “Alexa, play Vampire Weekend” or “Alexa, tell me the weather”. But in among them were snippets of domestic chats not intended for digital ears. On one occasion a recording suggests the use of the word ‘actually’ triggered Alexa to pay attention and thus record the room for a few seconds.
Amazon says there are “multiple layers of protection to make sure that your personal conversations stay private” but Alexa “may accidentally wake up”. They use the example of somebody saying “elect a new senator” resulting in the device thinking you are speaking to it.
If you are wondering what Amazon has on you, it is possible to check out your voice history in the privacy section of the Alexa app. Recordings can be deleted from there as well.
Susi still logs my parents’ income even though I’m years out of college — (GG)
I have long finished college but the Susi student grant system still has my parents’ income on file along with my passport and birth certificate.
Despite having graduated in 2019, the Susi system still has scanned PDF copies of all my sensitive documents nearly six years after I first submitted them.
This included my Lithuanian birth certificate, as well as a version of it translated into English, which I had to specifically pay for solely to apply for the grant.
A Susi spokesperson told me: “You last received a payment from Susi on May 17, 2019. This means that your application and supporting documents will be held until May 17, 2025.”
They said that as per its data policies, grant applications and “supporting documents” are kept for six years “from the last administrative act which is usually the last payment for applicants who have been awarded funding. However, subsequent correspondence may be subject to an extended retention period in line with the same policy”.
They said that data is kept for several reasons, including “grant administration, audit and evidence of decision making relating to an application.
“Before submitting an application, applicants must confirm they have read and understood Susi’s Data Protection Statement which outlines its requirement to retain personal data.”
Data access reveal secret doctors’ conversations about me — (GG)
A hospital data access request revealed the secret conversations that my hospital consultants were having about me, with one doctor calling me “pleasant” to my family GP.
After I was referred to see doctors in Dublin by my Roscommon GP, I was armed with a GP referral letter. However, the correspondence with my GP continued, but not through me, as I received treatment in Blackrock Clinic and later the Mater Hospital.
Doctors corresponded with my GP about the medicine I was using, my medical condition, my own medical history and what next steps needed to be taken. They also made notes about the medicine I was using and the prescribed medicine which I didn’t use.
One consultant called me a “pleasant 19-year-old lady”. The data access also showed a full track record of every appointment letter sent to me, as well as scans of all prescription leaflets.
Annoyingly, the Mater Hospital sent me a link to download the documents after I put in the data access request which was only valid for 30 days so when I sat down to write my story, I had to request the link again — which in fairness I received very quickly.
They aren’t lying when they say calls are recorded ‘for training and quality purposes’ — (AM)
An automated message from a sales company informing you that a call is being recorded for quality and training purposes is pretty standard. But a recent data request to my motor insurance company revealed that those calls can be kept on file for years.
When I asked Aviva Insurance in January to provide any data it holds in relation to me, I received an audio recording of a 15-minute phone conversation from September 7 last year when I was looking to take out car insurance.
I phoned to enquire about an online quote and ended up taking out cover there and then. The recording also included the details on my debit card as I paid over the phone. The long number on the card, the expiry date and the CVC numbers were all called out.
After doing a little research, I learned that an EU directive came into effect in January 2019 which imposed more stringent requirements on financial service providers to record any call that could result in a commercial transaction. Under the terms of the directive, the firm must keep a copy of any recordings and communications with every client for seven years.
From the dark ages… DCU wanted a €6 cheque to process my request —(GG)
Dublin City University (DCU) initially asked not only for a physical copy of my information request to be posted to its Data Protection Office, but for a cheque for €6.35 to be attached with the form.
As I pay for nearly everything via Apple Pay or through online bank transfers, I can’t remember the last time I even saw a chequebook.
The data access form on the DCU website last January clearly stated: “…a fee payment of €6.35 must accompany this application form. The fee payment must be made by cheque. Cheques are to be made payable to Dublin City University. Unfortunately, we cannot accept payment by cash, credit card, ATM card or by a direct bank transfer”. Most institutions do not insist on fees. It is your data after all. However, some months later, the university seems to have updated its data access requests, because a new form on the university’s website does not request a payment, chequebook or otherwise. It is still in PDF format though, which means it needs to be printed out, filled in, scanned and emailed — or posted — to the college.
A spokesperson for DCU said that the form which requested chequebook payment — which I found easily online last January — has not been in use since 2018. “There may be a rogue version of it that pops up on a Google search but it is completely out of date and not the one that is currently available via the Data Protection Office,” said a spokesperson.
“Unfortunately, this can happen when old copies of forms are not deleted or overwritten when they’re no longer valid.”
The university does not charge for data requests “any more” and that this ended since GDPR was put in place in May 2018.
Wondering what to watch next… Netflix already knows — (KD)
Companies like Netflix, Spotify and Apple make it really simple to access your information. They have online portals where you can log on and request a copy of the data they hold. It should land within in your email within a few days rather than the month it can take other companies or state agencies.
Naturally they hold your billing information — but they are also working hard to retain your ‘content interaction’ history so it can target movies or TV shows directly at you based on previous viewing.
One to watch for the future is how they keep note of information associated with the last time a particular device was used to stream from your Netflix member account from a particular IP address. The company want to clamp down on shared accounts.
Council hasn’t let go of my shameful parking record — (AM)
While I’m ashamed to admit it, I have had my fair share of clamping incidents/parking fines over the years. My belief that the ticket inspector won’t be out because it’s raining, or that I won’t get a fine because I’m only popping into the shop for five minutes, has failed me on a handful of occasions.
When I asked Wexford County Council for any data it holds on me in relation to my car, which I’ve had since 2014, I got back a breakdown of the fines I’ve received — but only the most recent ones. I could not remember the registration details of my previous vehicles, so the data I received doesn’t paint the whole picture.
The council keeps a record of the date the fine was issued, when it was paid and they have photographs of the car with the ticket behind the windscreen wiper as proof that the fine was given. In other words, if you have an embarrassing parking record — the council won’t let it go!
HSE sent me ‘all records’ — but they are pathetically incomplete — (EM)
Medical records released to me by the HSE under the Freedom of Information Act were pathetically incomplete with no files on multiple hospital visits including treatments for serious injuries as a child.
When receiving a response to a Freedom of Information request, the HSE advised that I would be granted access “in full” to all records the executive held on me.
When the files arrived, there were glaring omissions. There appeared to be no records on file for at least five hospital visits as a child, including serious injuries such as a broken elbow, a tetanus shot for a dog bite and a test for meningitis.
All of the hospital visits omitted pertain to one hospital, with some treatments and operations chronicled correctly by the hospital, though there were also no records of many visits, including for the application of a cast for a fractured elbow and the removal of the cast weeks later.
As a child I also suffered two head injuries which required stitches on both occasions, as well as further assessments and scans. No records of these exist nor does any record of the extent of the head injuries.
When asked how this could occur, the HSE did not respond.
How do I find out what data an organisation has on me?
It’s very simple. You have the right under law to find out if your personal data is being processed by a company or state agency and for what purpose.
To obtain details, send an email or a letter to their data controller. Your letter/email should state that you are making a ‘subject access request’. Some larger companies may allow you to automatically download your personal information via their website but most public bodies will ask for ID or other ways of verifying your identity. You should then get copies of any information they hold on you within four weeks.