The Annual Report of the Irish Data Protection Commissioner has been published. It reveals a few interesting trends in both the approach of the Irish regulator and the level of activity in the data protection space in Ireland.
Here's a few we think are worth noting:
- Complaints Volume Steady: The overall number of complaints has decreased year on year, although primarily because quite a number of complaints last year related to the same investigation. Taking that into account complaints volume remains steady and totalled 910;
- Data Subject Access Request Compliance Below Standard: Over 50% of complaints relate to poor management by data controllers of data subject access requests – this should be a key area of focus for data controllers to ensure their employees know an access request when they see one. The ODPC considers this should be part and parcel of good customer service;
- Co-Operative Regulatory Regime: Ireland still has a relatively co-operative approach to regulation - the vast majority of complaints in 2013 were resolved without the need for a formal decision under Section 10 of the Data Protection Acts or without enforcement action being required. Overall 25 formal decisions were taken and fully upheld in 2013;
- Rise of Cross Border Data Security Breach: During 2013, 1,507 valid data breach notifications were recorded by the DPC's office. Most of these relate to email and postal addressee (human) error. Interestingly the ODPC is increasingly involved in security breaches with cross-border implications involving international tech corporations with a base in Ireland and also from domestic businesses offering services globally.
- Privacy Audits On the Rise: The DPC's office carried out 44 audits and inspections in 2013, a 10% increase on the previous year. The report identifies factors for selecting the targets of an audit, namely the amount and nature of the personal data processed by the organisation and the number of complaints and enquiries received by the DPC's Office. In respect of the audit of LinkedIn-Ireland the report is expected to be finalised in 2014.
- Websites Subject to Monitoring: The Global Privacy Internet Sweep involved the review of 79 different websites based on internationally agreed scoring criteria relating to privacy practices. A relatively small percentage of companies got top marks;
- Cookie Clarity? The requirement for a prominent notification that cookies are being used and the preparation of a statement on cookies including a listing of each of the types of cookie being dropped is referred to in the context of a compliance sweep. The DPC's office has published revised guidance on the topic;
Irish Government Reform Agenda Will Raise New Compliance Issues during 2014 – Watch this Space:
- The introduction of National Postcode System and the data protection implications of this remain unclear and under consideration;
- Smart Metering in Ireland in the consultative, design stage and Commission for Energy Regulation in 2013 has a data protection compliance team considering the privacy implications;
- The Credit Report Bill 2012 provides for the establishment of a Central Credit Register. The DPC's Office participated with the Department of Finance in safeguarding data protection provisions under the Bill. Draft Regulations that continue the data protection safeguards set out in the Bill will follow when the Bill has been enacted.
- The Health Identifier Bill 2013 proposes to create a seven digit number which identifies every individual availing of a health service. The DPC's Office provided assistance to the Department of Health with comments on the draft provisions from a data protection standpoint;
- The Water Services Act 2013 provides for the establishment of Irish Water which is the utility responsible for the establishment of a water metering system in Ireland. The data protection implications of the scheme remain under review;
- The Sport Ireland Bill 2013 provides for the transfer of medical and other personal data of athletes to countries that may not have sufficient safeguards in place for the proper protection of that data. Consultation with the Department of Sport is ongoing;
- The Criminal Justice (Forensic Evidence and DNA Database System) Bill 2013 provides for the establishment of a DNA database system and the Report highlights that an important safeguard is contained in the provisions that provide for a representative from the DPC's Office to be part of the independent oversight committee who will oversee the operation of the database.
As always, the case studies contained in the Annual Report offer a useful insight in to the approach of the Irish Data Protection Commissioner across a range of issues and are worth a read by data controllers and data processors alike.