The Office of the Data Protection Commissioner (the “Commissioner”) launched its twenty-fourth annual report this week detailing the work carried out by the Commissioner during 2012. The report contains details of the investigations and audits undertaken over the course of the year along with a summary of policy matters and EU activities. The full report is available here.
Increase in data protection complaints
The report states that there was an increase in the overall number of complaints made to the Commissioner in 2012, with the number exceeding 2011’s record high by 188 complaints. In total, the Commissioner opened 1,349 complaints for investigation in 2012. The number of data security breach notifications received has also grown, reaching 1,666 this year.
Although the overall number of complaints has not risen substantially since last year, there has been a significant surge in the number of claims made under the e-Privacy Regulations 2011. The number jumped to 606 in 2012 from 253 in 2011, with the majority relating to unsolicited emails, phone calls and SMS messages.
Complaints from individuals making access requests for their personal data held by organisations accounted for almost one-third of the overall complaints investigated over the course of the year.
The report reveals that the Commissioner carried out audits of 40 organisations in 2012 and discovered “significant, widespread breaches” of data protection law during some of them.
An ongoing two-year audit of An Garda Síochána, for example, revealed inappropriate access to the PULSE system by members of the Gardaí who accessed the records of two high-profile figures apparently with good cause.
A “disturbing failure of governance” and a “worrying degree” of inappropriate access to personal data by State employees was also discovered within some public bodies following an investigation into the INFOSYS system which holds information from a range of social welfare databases. The database is administered by the Department of Social Protection and is also used by a range of external third party government agencies and bodies. A number of cases are highlighted within the report where data was accessed inappropriately by users of this system. The level of inappropriate access within the HSE (the Irish public health care system) in particular indicated an “unacceptable lack of awareness” within the organisation as to what constituted appropriate access.
Commenting on the audits generally, the Commissioner noted that although most of the organisations had a good awareness of data protection requirements, the “majority had areas where immediate remedial action was necessary.”
Sharing of personal data in the public sector
Not unlike previous reports, the report stresses that one of the major themes over the past year has been the issue of the “sharing of personal data in the public sector”. In this regard, the importance of audit trails in relation to who accessed data is highlighted. While the Commissioner accepts that data sharing can bring benefits in terms of efficient delivery of public services, he warns that this must be done in such a way that “respects the rights of individuals to have their personal data treated with care” and “not accessed or used without good reason”.
Insurance company investigations
Information on the prosecution of three insurance companies carried out in 2012 is also provided in the report. The companies were prosecuted for data protection registration offences following the discovery of social welfare data on insurance claim files held by the companies. The social welfare information had been originally sourced by a private investigator who was leaked the information from within the Department of Social Protection.
The Commissioner hinted in the report that despite the much-welcomed increase in funding and staff levels his office received in 2012 (the need for which had been stressed in the 2011 report), a further staff increase may be required as the workload is likely to increase following the introduction of the proposed new European Regulation on Data Protection. The Commissioner suspects that more companies will choose to come under his office’s jurisdiction under the so-called “one-stop-shop” arrangement under the new EU law. He concluded that data protection issues related to the activities of multi-national companies have continued to absorb an increased amount of resources.
The 127-page report is detailed and extensive. As well as the above key points, it contains a summary of the positive outcome of the follow-up audit of Facebook Ireland, a report on a High Court ruling that Dublin Bus must supply a copy of CCTV footage of an incident involving a member of the public who requested the video under rights of access, and an investigation into excessive use of CCTV cameras at a nursing home.
Overall, one can conclude that the increase in complaints over the past number of years highlights the growing concern among the public as to how exactly their personal data is being stored and in particular shared. The complexities and issues surrounding access to personal data will undoubtedly continue to grow between this year’s report and the next.