We are delighted to announce that the much anticipated 2015 Annual Report has been published by the Office of the Data Protection Commissioner this morning.

The Report can be found here: https://www.dataprotection.ie/docimages/documents/DPC%20AR2015_FINAL-WEB.pdf.

The main points highlighted in the Report include:

  • 932 complaints were received, with over 60% relating to access rights and 11% to electronic direct marketing, of which 94% were “resolved amicably.”
  • There were 2,376 data breach notifications.

The amount of complaints received by the Office of the Data Protection Commissioner, while a slight decrease on 2014, continues to highlight the fact that data subjects are becoming more and more aware of their rights in relation to data protection. In addition, not unsurprisingly data access requests are once again the focus of most of the complaints investigated by the Office of the Data Protection Commissioner.

Some of the key themes identified in 2015 audits conducted by the Office of the Data Protection Commissioner included:

  • Lack of data-retention policy – data controllers have a responsibility to ensure that they are clear about the length of time for which data will be kept and the reason why the information is being retained.
  • Lack of signage or policy for CCTV systems – data controllers need to be able to justify the obtaining and use of personal data by means of a CCTV system. Also, notification of CCTB usage should be made by placing easily read and well-lit signs in prominent positions.
  • Excessive use of CCTV systems – CCTV should only be used for the purpose or purposes for which it is in operation.

Among some of the incidents of data breaches listed in the Report includes:

  • The Defence Forces were found to have breached the Data Protection Acts by failing to take appropriate security measures to secure personal information, when records of an internal complaint made by a member of the Defence Forces were destroyed in a flood and a burglary at a military investigating officer’s private house.
  • When an employee of a supermarket was dismissed for “gross misconduct” after she placed a paper bag over a CCTV camera in a staff canteen, the Commissioner told the business that there was no justification for having CCTV installed in the canteen area.
  • Another incident involved an employer being deemed to have breached the Data Protection Acts by handing over details of an employee’s swipe card accesses to his workplace to his manager.