The Data Protection Commissioner (“DPC”) has recently published her annual report for 2016. With the appointment of three deputy commissioners in the past year, the DPC has enhanced its resourcing in preparation for the GDPR. The DPC is also set to extend its recruitment drive into 2017, with a view to increasing its staff to 100 people from varying backgrounds such as legal, data analytics and technical policy.
Goals for 2017
The DPC’s main objectives for 2017 include GDPR and ePrivacy Readiness. This will involve active engagement with the Article 29 Working Party towards the preparation of guidance, implementation of a new website and upskilling staff to meet new regulatory demands.
The DPC will also be managing the standard contractual clause proceedings it initiated in May 2016. This may involve a reference to the CJEU to examine the validity of standard contractual clauses as a means of transferring EU personal data to the US following the ‘Schrems 1’ ruling in October 2015.
Review of 2016
Multinationals and Technology
The GDPR will come into force in May 2018 and with that the DPC reports that “it will be the lead data-protection authority for multinational companies which have their ‘main establishment’ in Ireland under the one-stop-shop model”. The DPC has set up a Multinationals and Technology team to ensure co-operation between the various data protection authorities and will also carry out the various consultations, investigations and audits regarding data-processing issues.
Common Technology Issues
The DPC has identified what she considers to be the three most common data protection issues when it comes to technology. First, many data controllers are not aware of their statutory obligations, which leaves the personal data they hold exposed. The second issue identified related to the security measures that organisations have in place to cover technical risks. To improve on this, the DPC recommends that organisations implement “rigorous policies/procedures and inventories” together with training to reduce the instances of human error. The final issue identified by the DPC was that most ransomware attacks rely on human error or misjudgement to succeed, so organisations should be stressing the importance of a ‘think before you click’ policy.
The DPC also noted the importance of organisations having sufficient password policies and user authentication requirements in place. An example of what was described as a “brute force attack” on an online retail organisation was given in the report. In this case, the attackers tried various combinations of usernames and passwords over a two-week period in 2016 in order to gain access to user accounts. The attackers eventually gained access to personal data and were also able to withdraw user balances from the accounts they accessed. In order to mitigate the risk of this type of attack, the DPC recommends the use of “multifactor authentication, network rate limiting and logon alerts”.
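To make the two technical mitigations the DPC names concrete, the following is an added example (not code from the report or from the retailer concerned) that replays constructed authentication log lines through a per-IP sliding window: once a source exceeds a failure limit its further attempts are refused before the password is checked (network rate limiting), and a successful login from a source that has just failed repeatedly raises an alert (logon alert). The log format, the thresholds and the RFC 5737 documentation addresses are all assumptions made for the example.

```python
"""Sliding-window brute-force detection and rate limiting over auth logs.

Added illustration: the log format, thresholds, usernames and IP addresses
are assumptions, not details taken from the DPC report.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (RFC 5737 documentation addresses), not real data.
# 203.0.113.5 sprays five usernames, then succeeds; 198.51.100.9 fails three
# times against one account and then succeeds; 192.0.2.77 is a normal login.
SAMPLE_LOG = """\
2016-03-01T10:00:00 LOGIN_FAIL ip=203.0.113.5 user=alice
2016-03-01T10:00:01 LOGIN_FAIL ip=203.0.113.5 user=bob
2016-03-01T10:00:02 LOGIN_FAIL ip=203.0.113.5 user=carol
2016-03-01T10:00:03 LOGIN_FAIL ip=203.0.113.5 user=dave
2016-03-01T10:00:04 LOGIN_FAIL ip=203.0.113.5 user=erin
2016-03-01T10:00:05 LOGIN_OK ip=203.0.113.5 user=erin
2016-03-01T10:00:10 LOGIN_FAIL ip=198.51.100.9 user=alice
2016-03-01T10:00:20 LOGIN_FAIL ip=198.51.100.9 user=alice
2016-03-01T10:00:30 LOGIN_FAIL ip=198.51.100.9 user=alice
2016-03-01T10:00:40 LOGIN_OK ip=198.51.100.9 user=alice
2016-03-01T10:30:00 LOGIN_OK ip=192.0.2.77 user=grace
2016-03-01T10:31:00 LOGIN_OK ip=203.0.113.5 user=erin
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) ip=(\S+) user=(\S+)$")


def parse_line(line):
    """Return (timestamp, event, ip, user), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, ip, user = m.groups()
    return datetime.fromisoformat(ts), event, ip, user


class FailureWindow:
    """Per-source-IP sliding window of recent failed logins."""

    def __init__(self, window):
        self.window = window
        self._q = defaultdict(deque)  # ip -> deque of (timestamp, username)

    def recent(self, ip, now):
        """Expire entries older than the window and return the live deque."""
        q = self._q[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()
        return q

    def add(self, ip, now, user):
        self.recent(ip, now).append((now, user))


def analyse(log_text, limit=5, alert_after=3, window=timedelta(minutes=1)):
    """Replay the log and return the alerts raised, attempts blocked and logins allowed.

    limit:       failures per IP within the window before further attempts are
                 refused outright (network rate limiting).
    alert_after: failures per IP within the window after which a successful
                 login still raises a logon alert (a valid pair may have been found).
    """
    failures = FailureWindow(window)
    alerts, blocked, allowed = [], [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore malformed lines rather than crash the pipeline
        ts, event, ip, user = parsed
        recent = failures.recent(ip, ts)
        if len(recent) >= limit:
            # Rate limit: refuse before the credentials are even checked.
            blocked.append((ts.isoformat(), ip, user))
            continue
        if event == "LOGIN_FAIL":
            failures.add(ip, ts, user)  # appends to the same deque as `recent`
            if len(recent) == limit:
                distinct = len({u for _, u in recent})  # spraying many accounts?
                alerts.append(("BRUTE_FORCE", ip, user, distinct))
        else:  # LOGIN_OK
            if len(recent) >= alert_after:
                alerts.append(("SUCCESS_AFTER_FAILURES", ip, user, len(recent)))
            allowed.append((ts.isoformat(), ip, user))
    return {"alerts": alerts, "blocked": blocked, "allowed": allowed}


if __name__ == "__main__":
    for key, rows in analyse(SAMPLE_LOG).items():
        print(key)
        for row in rows:
            print("  ", row)
```

Run against the sample, the spraying source is flagged on its fifth failure and its immediately following successful login is refused by the limiter; the same address is allowed back in half an hour later once the window has expired, which is the behaviour a time-bounded limiter should have. The second source never reaches the block threshold, so only the logon alert catches it, which is why the DPC's recommendations are listed together rather than as alternatives. In a real deployment the window would be keyed per account as well as per IP, and multifactor authentication would remain the control that holds when both of these are bypassed by a slow, distributed attack.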
Complaints and Investigations
The DPC reports that 1,479 complaints were investigated in 2016, with the largest number of those complaints relating to access requests. It was reported that the high level of complaints in the area of data access is attributable to data controllers’ lack of awareness of their statutory obligations on the topic.
A number of ‘Right to be Forgotten’ claims were also received by the DPC, with a total of 15 being rejected and 6 being upheld last year.
Following the Special Investigation Unit’s (“SIU”) first full year in operation, the DPC reports on a number of investigations which were carried out. The SIU has an ongoing investigation into the private investigator sector, which last year resulted in two successful prosecutions for significant breaches of personal data. One of the issues reported by the DPC concerned the use of vehicle-tracking devices. In light of this investigation, guidelines have been issued to a number of companies who engage private investigators regarding their compliance with the Data Protection Acts.
The SIU also carried out an investigation into the Surgical Symphysiotomy Payment Scheme. A complaint was received regarding its plans to shred certain documents which were submitted to it by applicants as part of their claims for redress. In this case, the DPC reported no breach of data protection legislation on the basis that the appropriate consents had been obtained from the data subjects.
The hospital sector is set to be the subject of a new investigation in 2017. This will examine how patient data is processed in hospitals across Ireland. The SIU’s findings will form the basis for recommendations for improvements within the sector.
Data Breach Notifications
The DPC recorded a total of 2,224 valid data security breaches in 2016, which was a decrease from the 2,317 reported in 2015. The DPC found that the highest number of these data breaches were unauthorised disclosures either electronically or by post. The majority of these breaches were in the financial sector. For the most part, the data breaches were due to human error by way of inappropriate handling, improper disposal of data or loss of personal data held on smart phones, paper files or laptops. There was also a reported increase in the number of network-security breaches in 2016 involving ransomware and malware attacks.