The Data Protection Commissioner (Commissioner) has warned that a recent landmark prosecution of three companies for data protection breaches demonstrates that there will be “severe consequences” for organisations which are found to have breached data protection law.
The three companies, all insurance firms, pleaded guilty in February 2012 to having illegally used a private investigator to obtain social welfare information on a number of their customers. The information, which included PPS numbers, dates of birth, addresses, details of employment and earnings and social welfare claims, was obtained by the Commissioner via a leak from the Department of Social Protection.
The Commissioner’s 2008 “Code of Practice on Data Protection in the Insurance Sector” sets out specific guidelines in relation to the disclosure of personal information to private investigators.
Following the guilty pleas from each of the firms, no criminal convictions were imposed, with the judge applying the Probation of Offenders Act on the condition that each of the firms donated €20,000 to charity.
Each firm also provided evidence to the Commissioner that it had substantially improved its systems and procedures and was seeking to be fully compliant with data protection law.
Following on from this ruling, a separate Garda (Irish police force) investigation has been instigated relating to the leak from the Department of Social Protection.
In a linked civil case, damages amounting to €15,000 were awarded based on a finding that an insurance firm had used personal data (obtained in breach of its data protection policies) to deny an insurance payout following the theft of a car. This was the first time the Circuit Court had been asked to consider a breach of data protection law and appears to be the first case publicised in this jurisdiction where damages were awarded for a breach of data protection rights.
The Commissioner released a statement indicating that this was not thought to be an isolated case and that these proceedings should be seen as an indication of the strong position the Commissioner will take on the protection of personal data.
Importantly, the case highlights the more stringent approach the Commissioner is now prepared to take with regard to the use of consumers’ personal information in the business environment. Indeed, in his Annual Report for 2011, which was published on 30 April 2012, the Commissioner warned that he will use his prosecution powers against organisations that persist in infringing the law, noting that he had brought a total of 54 prosecutions in 2011.
In light of this, all industries dealing with personal data, including financial institutions and insurers, should view data protection compliance and procedures as a priority and consider them a key part of their everyday operations.