The Data Protection Commissioner has published his Annual Report for 2009. In the Report the Commissioner notes his disappointment with continuing data security problems in both public and private sector organisations. There was a 47% increase in the number of data security breach reports received by the Commissioner's Office in 2009. The most common cause of reports was theft or loss of IT equipment, but there were also number of reported incidents involving postal and electronic mailing breaches.
The Commissioner reiterates in his Report that he welcomes the practice of voluntarily reporting data security breaches to his Office, although there is currently no specific obligation on organisations to inform either his Office or the individuals affected. He notes that the final report of the High Level Group on Data Breach Notification, which was set up to advise on whether changes to data protection legislation are necessary in this area, is expected shortly.
The Report highlights that his office brought several successful prosecutions in 2009, mostly for repeat offences in relation to unsolicited electronic communications. The Commissioner warns that he will continue to exercise his powers of prosecution in 2010 against those entities that commit offences in relation to electronic marketing.
The Report includes a list of occasions when the Commissioner felt obliged to resort the use of his legal powers to advance an investigation. This involves the serving of an Information Notice or an Enforcement Notice. Publication of these lists is aimed at encouraging organisations that are the subject of complaints to co-operate fully with the Commissioner's Office in relation to their statutory investigations.
In addition to carrying out investigations in response to specific complaints, the Commissioner's Office has power to conduct scheduled audits, as well as unscheduled inspections. Thirty organisations were audited during 2009. The Commissioner intends to continue this level of audit frequency in 2010. According to the Report, organisations are chosen for audit on the basis of complaints received by the Commissioner's Office, or specific allegations in media reports, or simply because an organisation is representative of a particular sector. The Report lists those organisations audited in 2009.
The Report also includes a number of case studies of specific investigations undertaken by the Office of the DPC during 2009, including:
- Disclosure of personal information by an airline due to inappropriate security measures
- Prosecution of a gym and a restaurant for unsolicited direct marketing text messages
- Excessive penalty point information sought by an insurance company from individuals seeking motor insurance quotes
- A paternity test result sent to the wrong address
- The use of postcards to communicate with customers regarding overdue accounts
- An employer covertly surveilling an employee
The Report is available from the Data Protection Commissioner's website: www.dataprivacy.ie