Anonymity vs. Accountability: The GDPR Debate in Public Service Interactions
In modern public service, a growing tension exists between a citizen’s right to transparency and a public employee’s right to safety. This issue has come to the forefront for those interacting with bodies or companies where support agents often operate under a policy of anonymity.
To understand why this happens and whether it constitutes a “reverse abuse” of data rights, we must examine the legal balancing act required by the General Data Protection Regulation (GDPR) and the Irish Human Rights and Equality Commission Act 2014.
1. The Principle of Transparency (Articles 12, 13, & 14)
Under GDPR, transparency is a core principle. Public bodies are “Data Controllers” and have strict obligations to inform citizens about how their data is being used.
We have Banks, Utility and Service Companies, Government Funded Organizations: GFO’s, like, Coimisiún na Meán and a whole host of others.
- The Argument for Disclosure: Critics argue that “transparency” should include knowing the identity of the person making decisions about your data. They contend that interacting with an unnamed official prevents a direct line of accountability, potentially breaching the spirit of Article 12, which requires communications to be “transparent and intelligible”.
2. The Right to Safety and Privacy (Article 15 & 23)
Public bodies have a concurrent “Duty of Care” to their employees. This duty is anchored in both employment law and the Public Sector Equality and Human Rights Duty, which mandates that public bodies protect the human rights of their staff as well as their service users.
- The Argument for Anonymity: Disclosing full names can expose staff to “doxing,” harassment, or personal targeting, especially in sensitive regulatory roles. GDPR Article 15(4) explicitly states that the right to access data should not “adversely affect the rights and freedoms of others,” which includes an employee’s right to a safe workplace.
But there is a reverse argument:
That “Duty of Care” also extends to the pubic.
The agency who has received the complaint or support request:
Support agent or agents could also expose the persons full name, not alone full names but addresses and other personal information to the public bringing about “doxing,” harassment, or personal targeting, or even sell the information to data brokers.
Where is the accountability, traceability, transparency, or legal protection for the public in all of this?
Some of these agents work from home and when you call they have all your personal data on a computer screen in front of them, which could include all your banking information.
There is also a growing situation where companies or agencies locate their support offices or agents in another country outside Ireland’s jurisdiction. This is deeply concerning and troubling, as it leaves personal data with no effective protection. In these cases, the pursuit of monetary profit appears to override the GDPR rights of Irish citizens, yet individuals are left powerless to object.
This is not acceptable, it is all one sided.
,
3. Accountability Without Names: The Case Reference System
To bridge the gap between transparency and safety, most Irish public bodies use pseudonymization or unique identifiers (such as Agent IDs or Case Reference Numbers).
- How it Works: While you may not know the agent’s name, the organization does. Every action taken by “Agent 123” is logged. If a complaint is made, the Data Protection Officer (DPO) or a senior manager can identify the individual internally.
- Legal Standing: This system is generally viewed as a proportionate measure. It satisfies the organization’s accountability requirements while minimizing the personal data (the staff name) shared with the public.
4. Is it a Breach of Human Rights?
Under Section 42 of the Irish Human Rights and Equality Commission Act, public bodies must “protect the human rights of their employees, customers, and service users“.
The support agencies hold all the cards, and the public seemingly have no rights.
“It satisfies the organization’s accountability requirements while minimizing the personal data (the staff name) shared with the public because when it comes to information and power“.
Support agencies appear to have complete control in this situation, with the public effectively stripped of any rights. Does this amount to an abuse of GDPR?
Tracking a support agent who may have left the company could become a costly legal nightmare for the average person.
If I’m not mistaken: Once the person has left the company, the employer is legally prohibited from releasing personal contact details, forwarding addresses, phone numbers, or even confirming the person’s current employment status in most jurisdictions. So where does this leave the public?
Below is an actual response from Coimisiún na Meán to a recent letter I wrote to them.
You can see clearly they will not disclose the person name who is replying but they can use my data as they wish, send it to other relevant regulatory bodies including the European Commission.
“In line with our data protection obligations, we do not provide the names of individual staff members”.
However, in the sentence below it states:
Privacy notice: “We may use the information provided by you to perform our functions and comply with our legal obligations”.
| Dear Sean, Thank you for contacting Coimisiún na Meán. In line with our data protection obligations, we do not provide the names of individual staff members. Privacy notice: We may use the information provided by you to perform our functions and comply with our legal obligations. This will include sharing information provided with the Service Provider the subject of the complaint, as part of the complaints process. We may also share your information, where permitted by law, to other relevant regulatory bodies including the European Commission. Any information shared will be subject to our privacy policy. For detailed information on our privacy policy, please read our privacy statement on complaints handling, supervision and enforcement (Available here: Privacy Statement – Coimisiún na Meán). Please note, your case number for future correspondence is (removed for personal reference) Kind regards, |
User Support Team
Foireann Tacaíochta Úsáideoirí
So where do we go from here? A letter to the Data Commissioner is definitely the first step.