The Data Protection Commissioner, Billy Hawkes recently launched his data protection report for 2012 on 20th May 2013. A full copy of the report is available at this link. The report notes that one of the major themes in the 2012 report concerned the issue of sharing personal data in the public sector. Appendix 4 of th 2012 report sets out the full audit report carried out by the data protection office of external public agency access to the Department of Social Protection INFOSYS database which uncovered significant breaches of the data protection legislation in relation to access to and governance of personal data. These breaches were widely reported in the media at the time.
In addition the Report notes that Investigation and Enforcement, Guidance and Education, Audits/Inspections and Notifications (Registration) activity increased significantly in 2012 and that data protection issues related to the activities of multinational companies continued to absorb an increased amount of resources.
The press release on the data protection website notes that during 2012:
- the Office opened 1,349 complaints for investigation which exceeded 2011’s record high number with an increase of 188. A total of 864 complaints were concluded in 2012.
- Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for just under one-third of the overall complaints investigated during 2012.
- There was a marked increase in the number of complaints under the Privacy in Electronics Regulations during 2012 (up from 253 in 2011 to 606 during 2012). In this regard Electronic Direct Marketing received 44.93% of the complaints for 2012.
Case Studies and Prosecutions
Part 2 of the Report sets out a number of very interesting case studies including Case Study 5 which concerned a High court ruling that personal data could be accessed by the litigant. Case study 8 also concerned the extensive use of CCTV in a nursing home. In this case remote access was carried out by use of a smart phone. The data protection commissioner determined that there was no justification for the use of remote access technology to link to CCTV cameras. It was ordered that the remote access technology be terminated. Interestingly Case study 14 concerned a client list removed by an ex-employee to a new employer. This is becoming an increasingly contentious area and the data protection commissioner noted “…there appears to be a misconception by some employees that the customers are their customers rather than that of the data controller i.e. the employer…”. He further warned that “data controllers must be aware that where they process data which has been brought into the organisation by a new employee from their previous employment, without the consent of the individuals, they are in breach of the Data Protection Acts”.
The report also sets out the prosecutions of three Insurance Companies for Data Protection Registration offences after social welfare data, sourced via a private investigator, was found on insurance claim files held by those companies. In addition a number of companies were prosecuted for unsolicited marketing offences.
The report notes that 20 inspections and audits were carried out in 2012 and that in general there was a reasonably high awareness of and compliance with data protection principles.
Data Security Breaches
In 2012 the notifications in respect of data security breaches increased to 1666 notifications. For the first time the annual report contains a selection of case studies regarding a number of Data Security Breach investigations, including:
- First prosecution taken under updated security and breach notification requirements for telecommunication companies – Eircom (trading as eMobile) and Meteor arising from the theft of two unencrypted laptops containing personal data of over 10,000 customers.
- Notification of postal breaches by Allied Irish Banks
We would strongly urge our readers to review the 2012 report and in particular the case studies in part 2 which contain important guidelines on increasingly complex areas such as the use of CCTV in the workplace, removal of client lists from the workplace, unsolicited marketing, transfer of customer data and disclosure of student personal data by a secondary school.