The Data Protection Commissioner’s Annual Report 2013

The Data Protection Commissioner, Billy Hawkes, launched his Annual Report for 2013 on 12 May 2014. The report summarises activities of the Office of the Data Protection Commissioner (“ODPC”) during 2013 by reference to particular investigations and audits carried out. The report also elaborates upon policy matters and activities at an EU and international level.

The report starts with reference to Edward Snowden and the importance of data protection in modern society and the virtually unparalleled access by state agencies to digital personal information. The question of proportionality is at the forefront of debate worldwide, and the ODPC puts emphasis on data protection concerns in relation to Irish state agencies.

Furthermore, the annual report covers a summary of the findings and recommendations of the recently published audit of An Garda Síochána. The conclusion of this audit means that the ODPC has concluded audits of three key State holders of personal data – the Department of Social Protection, the Revenue Commissioners and An Garda Síochána.

Complaints

The ODPC opened 910 complaints for investigation in 2013. Complaints from persons concerning difficulties gaining access to their personal data held by organisations accounted for almost 57% of the overall complaints investigated during 2013 (a record 517 complaints). The vast majority of complaints concluded in 2013 were resolved amicably without the need for a formal decision under Section 10 of the Acts, or enforcement action.

The Commissioner made a total of 29 formal decisions. 25 of these fully upheld the complaint, 1 partially upheld the complaint and 3 rejected the subject of the complaint. A total of 1290 investigations of complaints were concluded in 2013.

Data Security Breaches

In 2013, the Office dealt with 1,577 data security breach notifications. 2013 saw the first notifications by telecommunication companies via the new online reporting mechanism laid down in European Commission Regulation 611/2013. For the second year, the annual report contains a selection of case studies regarding a number of data security breach investigations, including:

  • Report of investigation into data security breach at Loyaltybuild Ltd (the largest such breach the ODPC has dealt with to this point); and
  • The dissemination of a client list by a former employee to a new employer.

Privacy Audits

44 audits and inspections were carried out in 2013. This was an increase of 10% on 2012. Some key details from the audit section of the report include:

  • Summary of the findings and recommendations of the audit of An Garda Síochána;
  • Details of commencement of the audit of Linked-In Ireland;
  • Global privacy internet sweep – a review of websites in terms of their privacy policies conducted by a number of data protection authorities internationally; and
  • A “cookie compliance” sweep.