The Data Protection Commissioner of Ireland (“DPC”) published her annual report for 2015 on 21 June 2016. This is the second annual report of Helen Dixon and her first after a full year as DPC. The Annual Report gives a valuable insight into the areas of focus for the Office of the Data Protection Commissioner (“ODPC”).

Last year was a pivotal year for the ODPC with the significant developments in European caselaw impacting on the way in which Irish business transfers data abroad as well as agreement being finally reached on the new General Data Protection Regulation (“GDPR”). Reflecting these increased responsibilities, the ODPC’s 2016 budget has seen an increase (from €3.65 million to €4.7 million) with further Government commitment to increasing the ODPC’s resources to keep pace with its responsibilities. Similarly, a move to new Dublin offices is also to take place in 2016.

Queries and Complaints to the ODPC

In 2015, the ODPC dealt with 14,427 queries, an increase of 6.87% from 13,500 queries in 2014. The ODPC also received 932 complaints in 2015 which were opened for investigation. This compares with 960 complaints in 2014, a decrease of 2.92%. While the vast majority of complaints were resolved amicably, the ODPC made formal decisions in 52 cases and the complaint was upheld in 43 of those decisions. As has been the case for the last several years, the largest single category of complaints related to data access requests, which accounted for 62% of the complaints made, as shown in the table below:

Type of Complaint                  Percentage of Total   Number of Complaints
Access Rights                      62%                   578
Electronic Direct Marketing        11%                   104
Disclosure                         10%                   94
Unfair Processing of Data          5%                    49
Internet search-result delisting   2%                    23
Use of CCTV Footage                2%                    16
Failure to secure data             2%                    16
Excessive data                     2%                    15
Right of rectification             1%                    13
Accuracy                           1%                    10
Postal direct marketing            1%                    7
Unfair processing of data          1%                    5
Use of biometrics                  <1%                   2
TOTAL                              100%                  932

Data Breach Notifications

A data breach notification is a notification by a data controller to the ODPC informing them that the data controller’s security has been breached and/or data has been compromised. In 2015, the ODPC received a total of 2,376 data-breach notifications. This is an increase of 4.95% on the previous year. At present, only telecommunications and internet service providers have a legal obligation to notify the ODPC of a data-security breach although a Code of Practice introduced in 2011 sets out a number of recommendations for breach notifications to the ODPC.

It should be borne in mind, however, that the GDPR, set to come into force in May 2018, will legally oblige all data controllers to notify the ODPC of any personal-data security breaches that occur.

It is of interest that in 2015, the largest category of data breaches (54%) reported under the Code of Practice was unauthorised disclosures, such as postal and electronic disclosures, the majority of which occurred in the financial sector. Only 0.12% of the valid breach notifications related to database hacking incidents or credit card scraping. This demonstrates the importance of implementing data breach policies and training for staff, so that there is awareness of the types of incidents which might constitute a breach and may need referral to the DPC.

Enforced Subject Access Requests

The ODPC is continuing to clamp down on a practice whereby some employers require prospective job applicants to make a data access request to the Gardaí for their personal information. In this way, the employer gets access to data, to which they would not otherwise be entitled. As of 18 July 2014, section 4(13) of the Data Protection Acts 1988 and 2003 (the “DPA”) makes it an offence to compel an employee to make an access request of this nature. In 2015, the ODPC initiated investigations against 40 organisations across a range of sectors to identify and prevent companies engaging in such practices.

Privacy Audits

In 2015, the ODPC carried out 51 audits and inspections. Interestingly, just under half of these were ‘unscheduled inspections’ carried out under section 24 of the DPA. Unscheduled inspections arise from specific complaints made to the ODPC and the investigated data controller may be subject to an unannounced inspection or may be given advance notice. Some of the issues identified in the 2015 audits include:

  • Lack of data retention policy
  • Issues around CCTV usage including lack of signage and policy and excessive use
  • Lack of audit trails by organisations to guard against inappropriate access
  • Poor call handling procedures
  • Lack of clarity in relation to data controller / data processor contracts
  • Clear identification of the data controller where a debt collector has been engaged
  • Excessive use of biometric time and attendance systems.

Guidance: CCTV and ‘Body-Worn’ Cameras

Unlawful CCTV usage remains a pitfall for many organisations, and the 2015 Report places significant emphasis on this issue. The ODPC updated its guidance on CCTV, ‘body-worn’ cameras and drones in 2015. CCTV video and images of individuals normally constitute personal data. The ODPC Guidance Notes state that a data controller needs to be able to justify the obtaining and use of personal data by means of a CCTV system and must have a proper written CCTV policy in place outlining the position regarding requests for access to footage by third parties.

The ODPC’s position is clear: the use of any surveillance equipment must comply with the transparency requirements of data protection law. As with CCTV cameras, the ODPC affirms that the use of body-worn cameras must be adequate, relevant and not excessive for the purpose for which the data is collected. Organisations should review their use of CCTV to ensure they are compliant with the updated guidance from the ODPC.

Engagement with Tech Multi-Nationals

In 2015, the ODPC engaged with technology multinationals, including Facebook, Google, LinkedIn, Microsoft and AirBnB in relation to existing and proposed features of their respective websites, e.g. management of ‘cookies’, online behavioural advertising, computer-automated ‘tagging’ of photos and general management of privacy details. The ODPC also engaged with a number of multinationals on their use of Binding Corporate Rules. These define an organisation’s global policy with regard to the international transfer of personal data within the same corporate group to entities located in countries which do not provide an adequate level of data protection.

Recent European Case Law and International Developments

The Court of Justice of the European Union (“CJEU”) delivered its findings in the Schrems and Facebook case. This case struck down the Safe Harbour Agreement which provided a framework for the transfer of personal data to the US. On 12 July 2016, the European Commission formally adopted the EU-US Privacy Shield, replacing the Safe Harbour Agreement. According to the European Commission, the new framework affords increased protection and forms of redress to EU residents whose personal data is transferred to the US. The Privacy Shield also provides legal clarity for businesses that depend on transatlantic data transfers.

In October 2015, the CJEU issued a ruling in the Smaranda Bara case (C-201/14). The case involved the sharing of data between Romanian tax authorities and the National Health Insurance Fund in Romania, for the purposes of collecting arrears information. It was held that EU law precludes the transfer and processing of personal data between two public administrative bodies without the data subjects having been informed in advance. On foot of this decision, the DPC issued guidance on the sharing of data in the public sector.

ODPC Case Studies

The Annual Report contains 12 case studies dealing with a range of issues, including direct marketing offences, failure to keep personal data up to date, the accidental disclosure of personal data to third parties and the use of CCTV in employee disciplinary proceedings. Two cases in particular show the importance of complying with the provisions of the DPA:

1. Case Study: Defence Forces failure to keep data secure.

This involved the review of an internal complaint by a member of the Defence Forces by a Military Investigating Officer (MIO). The MIO conducted an interview with the complainant and made notes of the interview. The MIO brought the notes to his private residence, an unsecured location. The notes were ultimately lost in a subsequent burglary and flooding of the private residence. The ODPC found the Defence Forces in contravention of section 2(1)(d) of the DPA. The case highlights the importance, for all employers, of having a proper system in place that records the taking and returning of files by employees and of ensuring that any files that are removed are kept in a secure location.

2. Case Study: Supermarket’s excessive use of CCTV to monitor staff

This case involved a former staff member of a supermarket who was dismissed after she placed a paper bag over a CCTV camera in the canteen area. The staff member did so during an authorised break so that a colleague could style her hair. The ODPC found the supermarket to be in breach of section 2(1)(c)(iii) of the DPA due to excessive processing of the complainant’s personal data by means of a CCTV camera in a staff canteen. The case again highlights the need to ensure legitimate use of CCTV and to have a written policy in place governing such use.

2016 and Beyond

Providing a clear incentive for organisations to sharpen their focus on data protection compliance, the DPC notes that her office does not replace the requirement for organisations to procure their own expert advice and build their own capability to manage and drive compliance. The Annual Report also emphasises that the GDPR will explicitly put back onto organisations the clear obligation to properly organise themselves and their activities to ensure they are adequately protecting the individual’s fundamental right to privacy. With the approach of the GDPR in May 2018, organisations are advised to begin auditing their internal data management practices and procedures to position themselves to implement the changes under the GDPR.