Ireland’s new Data Protection Commissioner has highlighted a notable increase in the number of civil actions taken against organisations for a failure to protect the data protection rights of individuals.
Under Irish data protection law, a duty of care is owed to individuals by organisations that hold and process personal data. At a recent conference, the Data Protection Commissioner, Helen Dixon, referred to a number of recent cases taken against public and private sector organisations, the majority of which have settled out of court.
The cases included the disclosure by a pharmacist of CCTV footage of a woman buying a pregnancy test and the disclosure of excessive medical data by a GP to an insurance company.
The broad mix of sectors and organisations that have been affected by such actions is evidence of a heightened awareness amongst the general public of data protection rights and a growing willingness to enforce these rights by any means available.
Furthermore, 2014 saw the first cases in which directors were personally prosecuted for an organisation’s breach of data protection.
Failure to comply with data protection laws can lead to regulatory sanction, financial loss and reputational damage for organisations. It is essential that an organisation understands the obligations it has to its customers, staff and any other individuals whose personal data it holds and processes.
Appropriate measures, such as internal policies and procedures, physical and IT security, and staff training, should be put in place. Only these steps will help reduce the risk of civil action and director or management level prosecution.