The Data Protection Commissioner, Billy Hawkes launched his report for 2010 (the Report) last week. The Report contains 19 case studies which outline prosecutions for various data protection breaches during 2010, including unsolicited marketing calls and unlawful use of CCTV images. The report also includes details of an investigation into data sharing in the insurance sector. The investigation revealed significant breaches of data protection legislation.
Data Security Breaches
410 data security breach incidents were reported in 2010, a 350% increase on the number of reports received in 2009. The Commissioner attributes this large increase to what he describes as the "more exacting demands" of the data security breach Code of Practice, rather than an increase in the absolute number of data breaches. The Code focuses on informing the people affected by security breaches so that they can take appropriate measures to protect themselves. It also encourages organisations to voluntarily report incidents to the Commissioner's Office.
Policy issues – some key findings
- The deployment and use of CCTV continues to give rise to complaints from members of the public. Investigations regarding the use of CCTV systems in schools, workplaces etc were undertaken and are outlined in the Report;
- Data sharing in the public sector is also an area of concern for the Commissioner – the Report outlines that adherence to the guidelines published by the Dept of Social Protection should ensure that such data sharing is proportionate and in accordance with the Data Protection Acts;
- Cloud computing – the Report says that cloud computing has many implications for data protection and that the key challenge for both the cloud provider and its customers is being able to guarantee the safety and security of the personal data in the "cloud". The Commissioner says that organisations that choose to outsource to the "cloud" have a responsibility to ensure that the data is safe. They must satisfy themselves as to security standards, access controls and data back-up systems and procedures.
Special Investigation into Insurance Sector – Insurance Link Claims Database
The Report contains findings of an investigation undertaken by the Data Protection Commissioner of a database of personal data maintained by the insurance sector known as "Insurance Link". According to the Report, Insurance Link is a database that holds data in relation to claims submitted under the terms of insurance policies. It provides for sharing of personal data between multiple entities both inside and outside the insurance sector, enabling member organisations to share and cross-reference their insurance claims data. The Report says that databases such as this pose a significant risk to individuals' right to protection of their personal data. At the time of the investigation in November 2010, it contained records of almost two and a half million claims.
The investigation identified a major lack of transparency with regard to Insurance Link and found that very little regard was paid to data protection requirements by the users of the service. Some serious incidents of inappropriate access were identified. The Report sets out the key recommendations to address the weaknesses, including specific recommendations about the use of pre-claims data.