From Netflix to the HSE, private companies and public bodies have a mine of personal information about individuals. So how can we find what data they hold on us? Kevin Doyle and a team of Irish Independent reporters tried to find out
The bank was “extremely anxious”. I would have been too — but they never told me. While I was paying Ulster Bank tens of thousands of euro over the past four years for my mortgage, they never actually had the deeds to the house. Or at least that’s what they told the Legal Service Regulatory Authority (LSRA).
It was only after getting a dump of documents that I stumbled across a letter from last September showing the rows over my house that were secretly taking place behind my back.
Data can be boring. But it can also be revealing. Back in more innocent times, you had to go on ‘retreat’ or a long holiday to find yourself. Nowadays you can just ask the State or any of the companies you interact with every day to tell you what is really going on in your mind and your life.
At the start of the year, I carried out an experiment with the help of a number of Irish Independent colleagues. We sent ‘subject access requests’ to utility suppliers, phone companies, car retailers, shops, banks and state agencies to see what they held on us. Everyone from Sinn Féin to Spotify.
It’s a fairly simple process, although as we would learn, it’s dramatically easier to find out what international firms like Amazon and Netflix have on you than your local GP or politician. A request to the HSE was swiftly met with a response within 24 hours saying that while data protection legislation provides that a decision must be made within one month, they were experiencing “delays of 8-10 weeks” due to “a high volume of requests”.
Despite banks doing their best in recent years to weed customers out of their branches, AIB wouldn’t email my information. I had to physically go to their offices on Baggot Street in Dublin and collect a brown envelope.
As for the political parties who oversee the laws on GDPR, they are way behind private companies. Fine Gael required an old-fashioned form to be sent by post — although they say this has now changed.
The Labour Party told me they had no information on me at all, which is a puzzle since I get emails from their press office most days.
Sinn Féin was at the centre of controversy last year over its Abú system where some voters were profiled without their knowledge. The Data Protection Commissioner demanded changes after finding there was “no transparency” around the system.
The party now insists it has cleaned up its act in relation to data retention and told me: “We do not hold political opinion data or other personal data in respect of you.”
They did have more information than rival parties, though, with my home address and the fact I voted in the 2019 and 2020 elections kept on file.
So what did I find out about myself? Actually a lot more than I expected. Some humorous hospital notes revealed how as a child I was good with food but I would not eat cabbage. That hasn’t changed.
Gardaí were able to show me notes of handing in a lost phone in 2015. I have no recollection of the good deed.
They also provided a photocopy of a handwritten note taken by an officer after my bicycle was stolen in 2014. The note is still on file but sadly the bike is long gone.
Seeing your Tesco receipts after the event can make you question where your head was at when you went grocery shopping.
Sky do record calls “for training and quality purposes”. And if you think Alexa is listening to you — well, you’re not paranoid.
Companies like Netflix and Spotify are able to return data requests electronically within a matter of days. Depending on your settings, these are likely to include a log of movies/songs that you’ve been watching as well as your account details.
Getting a handle on the amount of photographs, thoughts and ‘likes’ in the hands of Facebook and Twitter is next to impossible unless you are really looking for something specific from your past.
Ryanair have records of every flight I took with them and the price dating back to 2014, and text messages from 2019.
But back to the piece of information that stopped me in my tracks — buried among reams of mortgage files from Ulster Bank.
It was a letter informing the solicitor who handled my home purchase in 2017 that she had been reported to the Law Society.
Other correspondence leading up to that moment showed the bank demanding the title deeds for my house. Under law, the deeds are meant to be lodged with the Property Registration Authority (PRA) within four months of a mortgage being drawn down and then forwarded to the bank.
Naturally, I queried it with my solicitor and the bank but got varying versions of what the issue was. When asked why I wasn’t informed about the complaint to the LSRA, Ulster Bank said it was “standard practice” not to engage with the customer directly on such issues.
I also asked whether the problem arose due to the upcoming sale of Ulster Bank’s performing mortgages to PTSB. The answer suggested that my case cropped up during routine work.
However, the bank is “completing required due diligence on loans” ahead of its closure in the Republic of Ireland. “The majority of the mortgage loans have had the required documents completed and returned by the solicitor. However, I cannot give specific numbers as this information is commercially sensitive,” a spokesperson said.
The complaint to the LSRA was ultimately withdrawn on October 10, 2021 after the bank said it had received “an acceptable response” from the solicitor.
My solicitor was of the view that the error was on the side of the bank. I’ll never fully know the rights and wrongs of it but I am left wondering how many other people are deliberately left out of the loop when problems like this arise.
We hand over so much of ourselves to institutions every day but often have little knowledge of what is happening to it in the background. Yet we do have the right to know.
It takes a little work but any company that holds information like your location data from your phone, IP address or even CCTV footage of you must hand it over if you request it.
You might be surprised by what you find out about yourself.
Here are 10 stories collated from myself and my colleagues on the type of information that is held on us: (KD) — Kevin Doyle; (GG) — Gabija Gataveckaite; (AM) — Amy Molloy; (EM) — Eoghan Moloney:
My mother thought about leaving me to be cross eyed — (KD)
My medical history is not complicated — but the HSE has hundreds of pages of mostly handwritten notes on me. There was an eye operation at the age of four, appendicitis when I was 12, a broken nose that needed ‘manipulation’ at the age of 16.
The latter two are events that I remember very well. The first, for a squint, I have a vague or imagined memory of. But what I wasn’t expecting to find in my files was that my mother considered leaving me with a lazy eye rather than sign off on the surgery.
Apparently, she fretted over whether to allow me to get surgery when I was aged three, going on four. Hospital notes reveal I was “cosmetically poor” due to a “right convergent squint”.
On foot of my discovery, she admitted it was months before she thankfully took the doctor’s advice and saved me from ending up cross-eyed. By August 1990, the medics concluded: “Kevin is cosmetically and visually satisfactory.”
A mother’s concern is something you don’t fully comprehend as a child but it’s in handwritten black and white in the notes. “I would be grateful if you assess him as a matter of urgency as his mother is very anxious,” a consultant ophthalmologist wrote at one point.
The records also settled an old score. My memory of getting a broken nose fixed as a teenager was that my mother took me out of hospital hours after the surgery without formally getting the green light from doctors. I always contended we were meant to wait for a final check from the surgeon. The notes prove I’ve been wrongly slagging my mother for 20 years about dragging me out of a hospital bed so she could be home for dinner.
Not being ‘known to Gardaí’ raised queries about data request — (KD)
Gardaí have two sections which deal with data requests. One does an initial trawl of their Pulse system where most interactions are recorded. A second unit can dig much deeper. Officers were extremely helpful but also confused by my request as my Pulse records were very mundane. In 2005, my ATM card was skimmed. In 2014, I reported a bicycle stolen from my apartment. A handwritten note of the incident is still on file. And apparently, though I don’t remember, I handed in a phone I found to Pearse Street Garda Station in 2015.
A garda rang to see what he was missing. He said requests are usually from somebody who is involved in a criminal case or who has written to the Commissioner about an issue.
In my work as a journalist I have had to give a number of statements to gardaí over the years but these did not automatically show up. One example I cited in my conversations with the officer looking after data was linked to the killing of Celine Cawley in 2008.
I had to make a formal statement to investigating detectives due to some reporting I did for the Evening Herald at the time. The garda committed to asking Store Street Garda Station whether a copy of my statement was still in existence but I never heard back, and decided to not use up garda resources pursuing it.
Be careful what you say — Alexa recorded my private chats — (KD)
“Alexa — shut up”. I’m prone to being a bit rude to my kitchen companion sometimes and she’s keeping track.
Amazon says their device is not designed to record conversations but it definitely can happen. A data subject request resulted in them sending me 363 recordings. The vast majority were genuine instructions such as “Alexa, play Vampire Weekend” or “Alexa, tell me the weather”. But in among them were snippets of domestic chats not intended for digital ears. On one occasion a recording suggests the use of the word ‘actually’ triggered Alexa to pay attention and thus record the room for a few seconds.
Amazon says there are “multiple layers of protection to make sure that your personal conversations stay private” but Alexa “may accidentally wake up”. They use the example of somebody saying “elect a new senator” resulting in the device thinking you are speaking to it.
If you are wondering what Amazon has on you, it is possible to check out your voice history in the privacy section of the Alexa app. Recordings can be deleted from there as well.
Susi still logs my parents’ income even though I’m years out of college — (GG)
I have long finished college but the Susi student grant system still has my parents’ income on file along with my passport and birth certificate.
Despite having graduated in 2019, the Susi system still has scanned PDF copies of all my sensitive documents nearly six years after I first submitted them.
This included my Lithuanian birth certificate, as well as a version of it translated into English, which I had to specifically pay for solely to apply for the grant.
A Susi spokesperson told me: “You last received a payment from Susi on May 17, 2019. This means that your application and supporting documents will be held until May 17, 2025.”
They said that as per its data policies, grant applications and “supporting documents” are kept for six years “from the last administrative act which is usually the last payment for applicants who have been awarded funding. However, subsequent correspondence may be subject to an extended retention period in line with the same policy”.
They said that data is kept for several reasons, including “grant administration, audit and evidence of decision making relating to an application.
“Before submitting an application, applicants must confirm they have read and understood Susi’s Data Protection Statement which outlines its requirement to retain personal data.”
Data access reveals secret doctors’ conversations about me — (GG)
A hospital data access request revealed the secret conversations that my hospital consultants were having about me, with one doctor calling me “pleasant” to my family GP.
After I was referred to see doctors in Dublin by my Roscommon GP, I was armed with a GP referral letter. However, the correspondence with my GP continued, but not through me, as I received treatment in Blackrock Clinic and later the Mater Hospital.
Doctors corresponded with my GP about the medicine I was using, my medical condition, my own medical history and what next steps needed to be taken. They also made notes about the medicine I was using and the prescribed medicine which I didn’t use.
One consultant called me a “pleasant 19-year-old lady”. The data access also showed a full track record of every appointment letter sent to me, as well as scans of all prescription leaflets.
Annoyingly, after I put in the data access request, the Mater Hospital sent me a link to download the documents which was only valid for 30 days, so when I sat down to write my story, I had to request the link again — which in fairness I received very quickly.
They aren’t lying when they say calls are recorded ‘for training and quality purposes’ — (AM)
An automated message from a sales company informing you that a call is being recorded for quality and training purposes is pretty standard. But a recent data request to my motor insurance company revealed that those calls can be kept on file for years.
When I asked Aviva Insurance in January to provide any data it holds in relation to me, I received an audio recording of a 15-minute phone conversation from September 7 last year when I was looking to take out car insurance.
I phoned to enquire about an online quote and ended up taking out cover there and then. The recording also included the details on my debit card as I paid over the phone. The long number on the card, the expiry date and the CVC numbers were all called out.
After doing a little research, I learned that an EU directive came into effect in January 2019 which imposed more stringent requirements on financial service providers to record any call that could result in a commercial transaction. Under the terms of the directive, the firm must keep a copy of any recordings and communications with every client for seven years.
From the dark ages… DCU wanted a €6 cheque to process my request — (GG)
Dublin City University (DCU) initially asked not only for a physical copy of my information request to be posted to its Data Protection Office, but for a cheque for €6.35 to be attached with the form.
As I pay for nearly everything via Apple Pay or through online bank transfers, I can’t remember the last time I even saw a chequebook.
The data access form on the DCU website last January clearly stated: “...a fee payment of €6.35 must accompany this application form. The fee payment must be made by cheque. Cheques are to be made payable to Dublin City University. Unfortunately, we cannot accept payment by cash, credit card, ATM card or by a direct bank transfer”. Most institutions do not insist on fees. It is your data after all. However, some months later, the university seems to have updated its data access requests, because a new form on the university’s website does not request a payment, chequebook or otherwise. It is still in PDF format though, which means it needs to be printed out, filled in, scanned and emailed — or posted — to the college.
A spokesperson for DCU said that the form which requested chequebook payment — which I found easily online last January — has not been in use since 2018. “There may be a rogue version of it that pops up on a Google search but it is completely out of date and not the one that is currently available via the Data Protection Office,” said a spokesperson.
“Unfortunately, this can happen when old copies of forms are not deleted or overwritten when they’re no longer valid.”
The university said it does not charge for data requests “any more” and that this ended when GDPR was put in place in May 2018.
Wondering what to watch next… Netflix already knows — (KD)
Companies like Netflix, Spotify and Apple make it really simple to access your information. They have online portals where you can log on and request a copy of the data they hold. It should land in your email within a few days rather than the month it can take other companies or state agencies.
Naturally they hold your billing information — but they are also working hard to retain your ‘content interaction’ history so it can target movies or TV shows directly at you based on previous viewing.
One to watch for the future is how they keep note of information associated with the last time a particular device was used to stream from your Netflix member account from a particular IP address. The company want to clamp down on shared accounts.
Council hasn’t let go of my shameful parking record — (AM)
While I’m ashamed to admit it, I have had my fair share of clamping incidents/parking fines over the years. My belief that the ticket inspector won’t be out because it’s raining, or that I won’t get a fine because I’m only popping into the shop for five minutes, has failed me on a handful of occasions.
When I asked Wexford County Council for any data it holds on me in relation to my car, which I’ve had since 2014, I got back a breakdown of the fines I’ve received — but only the most recent ones. I could not remember the registration details of my previous vehicles, so the data I received doesn’t paint the whole picture.
The council keeps a record of the date the fine was issued, when it was paid and they have photographs of the car with the ticket behind the windscreen wiper as proof that the fine was given. In other words, if you have an embarrassing parking record — the council won’t let it go!
HSE sent me ‘all records’ — but they are pathetically incomplete — (EM)
Medical records released to me by the HSE under the Freedom of Information Act were pathetically incomplete with no files on multiple hospital visits including treatments for serious injuries as a child.
When receiving a response to a Freedom of Information request, the HSE advised that I would be granted access “in full” to all records the executive held on me.
When the files arrived, there were glaring omissions. There appeared to be no records on file for at least five hospital visits as a child, including serious injuries such as a broken elbow, a tetanus shot for a dog bite and a test for meningitis.
All of the hospital visits omitted pertain to one hospital, with some treatments and operations chronicled correctly by the hospital, though there were also no records of many visits, including for the application of a cast for a fractured elbow and the removal of the cast weeks later.
As a child I also suffered two head injuries which required stitches on both occasions, as well as further assessments and scans. No records of these exist nor does any record of the extent of the head injuries.
When asked how this could occur, the HSE did not respond.
It’s very simple. You have the right under law to find out if your personal data is being processed by a company or state agency and for what purpose.
To obtain details, send an email or a letter to their data controller. Your letter/email should state that you are making a ‘subject access request’. Some larger companies may allow you to automatically download your personal information via their website but most public bodies will ask for ID or other ways of verifying your identity. You should then get copies of any information they hold on you within four weeks.