The Report emphasises the growing significance of data protection in relation to the sharing of data in the public sector. It stresses the importance for insurers and other entities controlling personal data to clearly specify the purposes for holding such data on the Data Protection Commissioner’s Register.
The following is a summary of the Report’s key findings:
- Personal Data Sharing
The Commissioner acknowledged the benefits of data sharing for the effective delivery of public services but noted that all sharing of data must be done in a way that respects the rights of the individuals involved. Companies involved in data sharing must ensure that they have a clear justification for sharing data, make this reason known to all individuals having their data accessed by third parties and have effective security controls in place to dispose of such data when it is no longer needed.
- Insurance Companies Prosecuted
There was an increase of 8% in the number of entities appearing on the Register in 2012, including 400 insurance organisations. The Report contains a case study based on the prosecution of three insurance companies who pleaded guilty to charges under the Data Protection Act after illegally acquiring access to social welfare records and failing to include references to such access on their registrations. A significant number of insurance companies’ customers had information relating to claims, PPS numbers and employment history illegally obtained.
- Complaints and Investigations
A record number of 1,349 complaints were recorded in 2012. Approximately 45% of these related to the Electronic Communications Regulations (SI 336 of 2011) and unsolicited direct marketing. A further 33% of complaints related to data access rights. This highlights a growing level of public awareness relating to access rights. The vast majority of complaints were resolved without a formal decision being made.
- Data Security Breach Notifications
A total of 1,592 valid breach notifications were recorded. This represents an increase of over 400 on previous years. The Commissioner highlighted that while the complexity of data security breaches has increased, over two thirds of all notifications involved mundane situations such as letters posted to incorrect addresses, bank accounts being created incorrectly or theft of IT equipment.
- Privacy Audits
The Commissioner is empowered to carry out scheduled audits and on-the-spot inspections to ensure compliance with the Data Protection Acts. Forty audits and inspections were carried out and the Commissioner interestingly noted that there was a “reasonably high awareness of and compliance with data protection principle.”