The Data Protection Commissioner (“DPC”) recently published his Annual Report for 2012. The report highlights how busy the DPC has been throughout 2012 with activity across all of the DPC’s main functions (investigation and enforcement, guidance and education, audits/inspections and registration) increasing significantly. Key issues raised in the report include the following:
Complaints and Investigations
The DPC received 1,349 complaints in 2012 which reflected an increase of approximately 16% on 2011. The main complaints related to unsolicited electronic marketing (45%). A further 33% of complaints related to data access rights. Other complaints related to unfair processing of personal data, unfair obtaining of personal data, failure to secure data and unfair retention of data.
In connection with its investigations, the DPC issued a number of enforcement notices which oblige data controllers, subject to criminal penalty, to comply with directions of the DPC. The vast majority of these enforcement notices related to obliging data controllers to comply with data access requests received from individuals. The DPC also issued three information notices which obliged data controllers to provide the DPC with any information needed by the DPC to carry out its functions.
The DPC carried out 40 privacy audits and inspections in 2012, which included a significant audit on An Garda Siochana as well as an audit on the activities of various banks in connection with their reporting procedures with the Irish Credit Bureau. Another particular focus related to the Infosys social welfare database and whether access to the database was carried out in a way which was proportionate, relevant and not excessive.
Sharing of Data in the Public Sector
In connection with the DPC’s audit of the use of the Infosys social welfare database, the DPC highlighted what he found to be a “disturbing failure of governance” in relation to access to the database. The DPC indicated that data sharing in the public sector should have a clear basis in law. He also expressed the view that any such sharing should be made clear to individuals along with the purposes for which the data is being shared, that there should be a clear justification for each individual data sharing arrangement, and that public bodies should be conscious of the need to ensure that only the minimum amount of personal data is shared in order to achieve the stated public service objective. The DPC also indicated that there should be strict access and security controls in place, along with secure disposal of data once it is no longer needed.
Data Breach Notifications
During 2012, the DPC dealt with 1,666 security breach notifications, which was an increase of over 400 on the previous year. Of those notifications, only 74 cases were not deemed to be security breaches on the part of the data controller making the notification.
The introduction in July 2011 of SI 336 of 2011 (the Electronic Privacy Regulations) made it a legal requirement for telecoms companies and ISPs to notify the DPC of data security breaches. September 2012 marked the first criminal prosecutions by the DPC against two telecoms companies (eircom and Meteor) for data security breaches which concerned stolen laptops.
It is noteworthy, however, that notwithstanding the increasing complexity of certain data security breaches, it was more mundane data security incidents which were the primary source of notifications to the DPC. For example, the largest percentage of data security breaches continued to relate to situations where correspondence was issued to an incorrect postal address. Other breach notifications related to the theft of IT equipment and website security issues.
One new area on which the DPC has focused is the issue of staff leaving the employment of one company and joining another, bringing with them details of the customers of their original employer. This is an interesting development as previously the main focus from a legal perspective was (i) whether the departing employee was liable for misuse of confidential information (as an equitable breach of confidence or a breach of a confidentiality obligation in his employment contract) and (ii) whether the new employer was liable for breach of confidence (as a third party recipient of confidential information) or was otherwise liable for inducing breach of contract by the departing employee.
The DPC, however, focused on the data protection issues which arise in such circumstances, including (i) the obligation of the original employer to keep personal data safe and secure and (ii) the obligation of the new employer to ensure that it collects and processes personal data fairly. In addition, there is the potential for the new employer to commit a criminal offence under the Electronic Privacy Regulations 2011 by sending marketing communications to non-customers without the prior consent of those individuals. Case study 14 of the DPC’s report focused on just such an issue, where an employee left his employment with one garage to join a competitor garage and took with him the customer list from his original employer.
Prosecutions for Registration Offences
Case Study 1 of the DPC Annual Report focused on the DPC’s prosecution of three insurance companies for the processing of personal data in contravention of section 19 of the Data Protection Acts (processing of data not specified in the annual registrations of such insurance companies). The prosecution concerned the use by such companies of third party private investigators who had gained access to information held on the computer systems of the Department of Social Protection.
The insurance companies were prosecuted because they had not included references to the processing of social welfare data in their registrations.
Customer Data Transfer in the Course of a Business Transfer
Case Study 10 of the Annual Report related to complaints which a number of householders made in relation to the transfer of their details from Dublin City Council to Greyhound Recycling and Recovery. This arose in connection with the transfer of the Council’s commercial and domestic waste collection business to Greyhound. In connection with the transfer, letters were issued to householders indicating that Greyhound was taking over control of bin collections. The complaints focused in particular on the transfer of personal data without the knowledge or consent of individuals.
The DPC carried out an investigation of the matter and concluded that, whilst the core elements of the sale of the business did not breach the Data Protection Acts, the notification letter was sent to customers too late (after the data had transferred) and therefore that the fair collection and processing requirements of the Data Protection Acts were not fully met.
It seems from the case study that a primary requirement in connection with the transfer of personal data as part of a general business transfer is to ensure that customers are notified of the transfer as soon as possible, preferably prior to the personal data being transferred.
Unsolicited Marketing Prosecutions
The DPC also brought a number of criminal prosecutions against companies for unsolicited e-mail or text message marketing, including against Advance Tyre Company, the Fitzgerald pub group, Therapie Laser Clinic, Meteor, 3 and Carphone Warehouse. Guilty pleas were made in all cases and fines from €1,000 to €5,000 (or equivalent contributions to charity) were levied.