The Data Protection Commissioner recently published his Annual Report for 2013. The report will be the current Commissioner’s final report, prior to his retirement in August. Following the recruitment of additional staff to the Office of the Data Protection Commissioner (“DPC”), the DPC has continued to increase activity across all of the DPC’s main functions such as investigation and enforcement, guidance and education, audits/inspections and notifications. Key issues raised in the report include the following:
Complaints and Investigations
The DPC received 910 complaints in 2013, a decrease of approximately 33% from the 1,349 received in 2012. The majority of complaints (57%) related to data access requests, and a further 22% related to unsolicited electronic marketing. The remaining complaints concerned disclosure of data, unfair processing of personal data, unfair obtaining of personal data and failure to keep data secure.
The DPC issued a number of enforcement notices in connection with investigations, obliging data controllers, on pain of criminal penalty, to comply with directions, most commonly directions to comply with data access requests. The DPC also issued three information notices in 2013.
CCTV in Crèches
The DPC highlighted the use of CCTV as a policy issue, in particular in relation to crèches. The DPC noted that the use of CCTV for security at the perimeter of a crèche can be legitimate, but that any other use must be fully justified, as the majority of the personal data processed will relate to minors. The DPC confirmed that there is no legal basis for using CCTV to address concerns about the quality of staff or of supervision.
Charity SMS Donations and Marketing
The DPC confirmed that it is not lawful for a charity to add a donor’s phone number automatically to a marketing database when the subscriber made a donation via SMS. The DPC stated that charities processing personal data must comply with the Data Protection Acts and the Electronic Privacy Regulations, and that mobile phone numbers may only be used for further electronic marketing where the subscriber has specifically opted in to such use. In addition, the DPC confirmed that third party marketing companies also face prosecution if they target donors who have not unambiguously consented to receiving such electronic marketing communications. The DPC has therefore issued a guidance note for charities and members of the public on this issue.
Postcodes
The DPC highlighted concerns in relation to the seven character postcodes which the Department of Communications, Energy and Natural Resources has committed to assigning to each household by 2015. Because each postcode will identify an individual household, it will constitute personal data that is easily exploitable through modern technology and big data analytics, with the potential to reveal sensitive information, for example by identifying areas with patterns of crime or illness. The DPC expressed concern as to whether safeguards for individuals’ data protection rights will be statutorily ring-fenced, and as to how both public and private bodies will comply with the Data Protection Acts (“DPA”) when using the postcodes.
Data Breach Notifications
During 2013, the DPC dealt with 1,577 security breach notifications (of which only 70 were deemed not to be security breaches), a decrease of nearly 100 on the previous year. Commission Regulation (EU) No 611/2013 came into effect across the EU on 25 August 2013. Most notably, it requires telecommunications and internet service providers to notify the relevant national authority of a personal data security breach within 24 hours of detecting it. The Regulation also requires the relevant national authority to provide a secure form through which such notifications can be made, which the DPC has provided on its website.
The DPC also received a number of data security breach notifications from large global technology companies based in Ireland which involved data subjects in other countries. This has led to increased cooperation between the DPC and other data protection authorities, including the establishment of two joint investigations with the Privacy Commissioner of Canada into breach notifications made by Adobe Software Systems Ireland and Facebook Ireland.
Audits and Inspections
The DPC carried out 44 privacy audits and inspections in 2013, an increase of 10% on 2012. The audit of An Garda Síochána continued until October, and the DPC commenced a major audit of LinkedIn Ireland’s European headquarters in May 2013. The DPC also participated in the Global Privacy Enforcement Network’s internet sweep, reviewing Irish websites for compliance with data protection law. Following its request in December 2012 for information on the steps taken by 80 major Irish websites to comply with the cookie obligations under the Electronic Privacy Regulations 2011, the DPC worked with these websites to ensure compliance with the revised cookie rules and produced guidance to help organisations achieve minimum compliance through the use of cookie notifications and cookie statements.
Use of former customer personal data in win-back marketing
The DPC confirmed that electricity and other utility providers cannot use personal data retained from former customers for ‘win-back’ and ‘feet on the street’ marketing without the prior marketing consent of the former customers concerned. This issue arose in the context of an investigation into the use and possession by Electric Ireland representatives of detailed personal information relating to former customers, including Meter Point Reference Numbers (“MPRNs”), addresses and the last meter reading on former Electric Ireland accounts. The DPC has indicated that he is satisfied that all marketing lists containing MPRN data have been withdrawn, that staff have been retrained and that departing customers’ details are now automatically deleted from the company’s marketing database.
Requirements for compliant contracts with data processors under section 2C(3)
The case study involving Westmeath County Council highlights the necessity of ensuring that a formal contract is in place with every data processor. In this case, the data processor, a printing company, made no unauthorised use of the personal data, and there was no other breach of the Data Protection Acts. However, because the Council had outsourced the processing of customer details relating to its domestic refuse collection service, the DPC gave a formal opinion that the Council had contravened section 2C(3) of the Data Protection Acts by failing to have in place a contract which would legitimise the transfer of personal data for processing and bind the printing company to comply with the Data Protection Acts in the handling, storage, security and processing of the personal data concerned.
The DPC further elaborated on the factors which will be taken into account in determining whether a contract with a data processor is sufficient for the purposes of section 2C(3) of the Data Protection Acts in the case study on Loyaltybuild Ltd, following the high profile data security breach in November 2013 in which both encrypted and unencrypted customer credit card details and contact details were compromised. As part of the investigation, the DPC reviewed the contracts between Loyaltybuild Ltd, as data processor, and various data controllers, focusing on: ownership of the data; the requirement to comply with data protection legislation; specification of appropriate security requirements; confidentiality; restriction of further processing; the process for dealing with subject access requests; deletion of data; actions on termination of the contract; and audit of the data processor. The DPC noted that none of the contracts reviewed included a retention policy setting out how long customer data would be held, and that none was fully compliant with the Data Protection Acts.
Increase in Formal Decisions
While the DPC noted that the vast majority of complaints concluded in 2013 were resolved amicably without the need for a formal decision under section 10 of the DPA, the proportion of complaints resulting in a formal decision has increased by 50% since 2012. The case studies also suggest that complainants are increasingly likely to reject an amicable resolution and insist on a formal decision by the DPC.
Unsolicited marketing prosecutions
The DPC also brought a number of criminal prosecutions against companies for unsolicited e-mail or text message marketing, including against Four Star Pizza (Ireland) Limited, Levet Limited T/A Fast Fit, Wexford Arts Centre Limited, Bord Gáis Éireann, Eircom, Meteor, O2 and Vodafone. Guilty pleas were entered in all cases, and fines ranging from €500 to €21,000 (or equivalent contributions to charity) were imposed.