The Data Protection Commissioner (the DPC) has published his Annual Report for 2012. On launching his report the DPC highlighted, in particular, his concerns over the issue of sharing personal data in the public sector.
Whilst the DPC accepted the benefits of such data sharing in terms of efficient delivery of public services, he stated that such data sharing must be done in a manner that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. The Report includes a special report on an investigation of data sharing through the INFOSYS system provided by the Department of Social Protection, which revealed significant failures to comply with the Data Protection Acts 1988 and 2003 (the Acts).
The DPC’s Office received 1,349 complaints for investigation during 2012; 606 of these complaints concerned unsolicited direct marketing, and 442 concerned access rights. The vast majority of complaints were resolved amicably without the need for a formal decision or enforcement. The Commissioner made a total of 36 formal decisions, and 195 prosecutions were taken against 11 entities.
Data Security Notifications
The DPC’s Office dealt with 1,666 personal data security breach notifications. The E-privacy Regulations, S.I. 336 of 2011, introduced a mandatory requirement for telecommunications companies and Internet Service Providers (ISPs) to notify the DPC, without undue delay, of a data security breach and also to notify any individuals adversely affected by such a breach. In September 2012, two telecommunications companies were prosecuted for failing to meet their legal obligations in this regard. The Report notes that in the first year of S.I. 336 of 2011 being in effect, a total of 60 data security breach notifications were received from telecommunications companies and ISPs.
The Report notes that the DPC’s Office has taken a more proactive stance in relation to potential data security breaches and has initiated investigations into matters that came to its attention through mentions in sources such as social media sites.
Over two thirds of all breach notifications received by the Office involved letters being issued by post, either to an incorrect address or containing a third party’s personal data. The majority of such notifications were received from the Financial Sector, such breaches having occurred due to bank accounts being set up incorrectly and change of addresses not being processed correctly.
The DPC can carry out scheduled audits and on-the-spot inspections to ensure compliance with the Acts and to identify possible breaches. During 2012, 40 audits and inspections were carried out. The Report contains a summary of the findings and recommendations of a series of inspections carried out by the DPC of financial institutions, in regard to their reporting processes to the Irish Credit Bureau.
The Report includes case studies of eighteen specific investigations undertaken by the DPC, which provide useful guidance on a range of data protection issues, including:
· Unacceptable delay in processing an access request;
· Right of access to personal data despite the existence of legal proceedings;
· Customer data transfer in the context of the sale or transfer of a business;
· Whether an employer can require the nature of an illness to be specified in a medical certificate; and
· Client list taken by an ex-employee to a new employer.