I thought it would be useful to set out some of the key findings of the Data Protection Commissioner’s report of 2011, published recently on 30th April 2012. Of interest at the outset are comments by the Data Protection Commissioner, Billy Hawkes, who notes a shift in the nature and type of complaints received by his Office, with individuals concerned about the security of their personal data and the uses made of that data by software and technology applications.
Summary of Report Highlights 2011
- The Data Protection Commissioner’s Office opened 1,161 complaints for investigation.
- Complaints concerning access rights (562) accounted for nearly half of the overall total, reflecting a growing level of public awareness of the right of access to a copy of personal data.
- The report includes case studies of a number of specific investigations including excessive data collection by Swan Leisure Centre, unlawful use of CCTV by Westwood Swimming Ltd to monitor an employee and complaints about solicitors and private investigators not complying with access requests.
- The Office dealt with nearly 100 complaints or queries from individuals who received unwanted contact from candidates for election or political parties in the course of the General Election in 2011. As of 1 July, 2011 a previous exemption from normal data protection requirements for such contacts by electronic means is now removed.
- The report lists the 28 audits undertaken in 2011 and details the audit of Facebook Ireland, the most extensive and resource intensive audit yet undertaken by the Office.
New Rules for Private Investigators
The report highlights that the decision by a data controller to engage the services of a private investigator to gather personal data surreptitiously about a data subject carries a very serious risk of breaching the provisions of the Data Protection Acts, the general right to privacy protected by Bunreacht na hEireann, the European Charter of Fundamental Rights and the European Convention on Human Rights.
Case Study 13 concerned a complaint by a former employee of a company, who sought access to personal data contained in documentation relating to surveillance by a private investigator. The Commissioner noted that his office was frequently receiving complaints from data subjects wishing to access such reports which have been commissioned on them by private investigators.
The company subsequently provided the complainant with a copy of his personnel file, but said it was withholding a security report on the grounds that it was a privileged communication with legal advisors in court proceedings. The Commissioner refused to accept the company’s position and eventually the company released the security report and associated photographs but maintained its right to restrict access under Section 5(1)(g) of the Data Protection Acts 1988 to 2003.
During the investigation the Commissioner established that there was no contract between the company and the private investigator. The Commissioner stated that it is unlawful for “an entity to pass any details of its employees to a private investigator for the purposes of surveillance or for any other purpose unless that entity has put a contract in place in line with section 2(c)(3) of the Data Protection Acts 1988 and 2003 which would render the private investigator to be a data processor”.
The report states that a data processor is a person who processes data on behalf of a data controller but who is not an employee, so a private investigator who gathers data on behalf of a data controller (e.g. an insurance company) becomes a data processor.
In summary, the Data Protection Commissioner has ruled that where a data controller hires a private investigator to carry out surveillance and seek background or other reports, the following rules need to be observed:
1. Prior to instructing a private investigator, a data controller should have a written contract with the private investigator. The contract should meet the requirement of section 2(c)(3) of the Data Protection Acts (“the Acts”), as highlighted above.
2. Processing of information must be in compliance with the Acts.
3. The private investigator must comply with the Acts and not perform its functions in such a way as to cause the data controller to breach its obligations under the Acts.
4. Unauthorised processing, use or disclosure of personal data by private investigators is prohibited.
5. Where, under a contract, a private investigator processes personal data of an individual, he/she should: do so only in accordance with specific instructions and only in so far as is necessary to fulfil his/her obligations under the contract; put in place measures to protect against loss, destruction, damage, disclosure or unlawful access; at the conclusion of the contract deliver all data to the data controller; not disclose data to any party except with the expressed approval of the data controller; and not seek to access personal data held by other data controllers which is not in the public domain without the consent of the data subject or as otherwise permitted by law.
In summary, the report highlights a number of issues which both data controllers and processors need to become familiar with concerning their obligations under the Data Protection Acts. Full details of Case Study 13 containing the new rules are contained on page 63 onwards of the report.