This week sees the Irish Data Protection Commissioner, Billy Hawkes, release his annual report for 2012.
The report summarises activities of the Commissioner’s Office during 2012 and like his UK counter part focuses on investigations and audits undertaken and provides a commentary on the impact of European and International Data Protection activities.
As with the UK the use and sharing of personally identifiable information (PII), especially in the public sector has been a major issue.
The Commissioner accepts that data sharing can bring benefits in terms of efficient delivery of public services but cautions that it should be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. Appendix 4 of this year’s report contains the full audit report carried out by the Office of external public agency access to the Department of Social Protection INFOSYS database* which uncovered significant breaches of the data protection legislation in relation to access to and governance of personal data
In the 2011 Annual Report the Commissioner drew attention to the increased demand on the resources of the Office. The Commissioner in his 2012 report points to the Government’s response by providing additional staffing and funding to the Office. In addition, the Government has also given a commitment to keep the resourcing of the Office actively under review to ensure that any additional resources required will be made available. The Commissioner acknowledges that his Office is now well placed to discharge its current statutory responsibilities. Given the likely increased role for the Office, which will emerge from the new “one-stop-shop” arrangement being proposed at EU level for oversight of multi-national companies, the Commissioner welcomes the commitment to ongoing review of further resource requirements.
During 2012, the Office opened 1,349 complaints for investigation, exceeding last year’s record high number with an increase of 188. Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for just under one-third of the overall complaints investigated during 2012. There was a marked increase in the number of complaints under the Privacy in Electronics Regulations during 2012 (up from 253 in 2011 to 606 during 2012).
The report includes case studies of a number of specific investigations including:
- Prosecution of three Insurance Companies for Data Protection Registration offences after social welfare data, sourced via a private investigator, was found on insurance claim files held by those companies.
- Prosecution of a number of companies for unsolicited marketing offences
- High Court ruling that Dublin Bus must supply copy of CCTV footage requested under the right of access
Breakdown of complaints
|Electronic Direct Marketing||44.93%||606|
|Unfair Processing of Data||2.59%||35|
|Unfair Obtaining of Data||0.96%||13|
|Use of CCTV Footage||2.37%||32|
|Failure to secure data||2.59%||35|
|Excessive Data Requested||1.78%||24|
|Unfair Retention of Data||1.26%||17|
|Postal Direct Marketing||0.74%||10|
Number of complaints since 2003
Data Breach Notifications
During 2012, the Office dealt with 1,666 personal data security breach notifications. This is again an increase in the numbers dealt with compared to previous years. Of the 1,666 notifications received, it was found that 74 cases were not deemed to be personal data security breaches on the part of the data controller making the notification. This was due to either appropriate security measures, such as encryption, being in place to protect the data or to individuals failing to update their contact details with the data controller, resulting in letters issuing to an incorrect address. A total of 1,592 valid data breach notifications were therefore recorded. This is an increase of over 400 on last year.
The introduction, in July 2011, of S.I. 336 of 2011 made it a legal requirement for telecommunication companies and Internet Service Providers (ISPs) to notify this Office, without undue delay, of a data security breach and to also notify affected individuals of such a breach. In September 2012, two telecommunications companies were prosecuted for failing to meet their legal obligation in this regard. In the first full year of S.I. 336 being in effect, a total of 60 data security breach notifications were received from Telecommunications companies and ISPs.
Due to the year on year increase in the number of data security breach notifications received by the Office, additional resources were allocated to the area. A Technology Advisor has also been appointed to allow the Office properly investigate the more complex Information Technology (IT) related matters that are brought to its attention. During 2012, we have taken a more proactive stance in relation to potential data security breaches and have initiated investigations into matters that have been identified through mention in areas such as social media sites.
While the complexity of certain data security breaches increases, it is the more mundane situation of correspondence being issued to an incorrect address that continues to account for the largest percentage of data security breaches. Over two thirds of all breach notifications received by the Office involved letters being issued by post, either to an incorrect address or containing a third party’s personal data.
The annual report includes a number of “case studies” detailing specific organisations who sustained breaches.
In the course of 2012, 40 audits and inspections were carried out by this Office. This is an increase on the previous year – 2011 – in which 33 audits were completed in total. Included in the list of the audits/inspections, is the INFOSYS investigation which, although initially a ‘desk audit’, eventually led to a large number of meetings and visits to agencies within the public sector who had access to INFOSYS.
Examples of who was audited is below:
- An Garda Síochána
- Facebook-Ireland (follow-up review)
- Ulster Bank (reporting procedures with the Irish Credit Bureau)
- Permanent TSB (reporting procedures with the Irish Credit Bureau)
- National Irish Bank (reporting procedures with the Irish Credit Bureau)
- Bank of Ireland (reporting procedures with the Irish Credit Bureau)
The report is 127 pages long with almost 80% focusing on specific case studies. It make interesting reading. The full document can be found here.