The Data Protection Commissioner recently published her Annual Report for 2014. The report is the first from new Commissioner Helen Dixon, who was appointed to the role in September 2014. It is clear from the report that 2014 was a busy year for the Office of the Data Protection Commissioner (“ODPC”), with an increase in activity across all of the ODPC’s main functions, such as investigation and enforcement, guidance and education, audits/inspections and notifications. This increase in activity is expected to continue into 2015, when the ODPC’s budget will be doubled from €1.8m to €3.65m, additional staff will be hired and a new office in Dublin will be opened. Key issues raised in the report include the following:
The ODPC received 960 complaints in 2014, which reflected an increase of approximately 5% from 910 in 2013. As was the case last year, the majority of the complaints related to data access requests (54.3%) with a further 18.3% of complaints relating to electronic direct marketing. Interestingly, the report notes that this is the first year since 2005 that complaints in relation to direct marketing dropped below 200 in a calendar year. A further notable development was the emergence of a new category of complaint in relation to internet search result delisting, arising from the “Google Spain” ruling regarding the removal of personal data from search engine search results. 32 of the complaints received related to this category. Other complaints related to disclosures of data, unfair processing of personal data, unfair retention of personal data and the use of CCTV footage.
The ODPC issued three enforcement notices in connection with investigations, obliging data controllers, subject to criminal penalty, to comply with directions – most commonly to comply with data access requests. The ODPC also issued nine information notices in 2014, up from three in 2013. Six of the nine information notices were issued to credit unions (probably arising as a result of the focus on privacy audits of credit unions, discussed below).
Data Breach Notifications
During 2014, the ODPC received 2,264 data security breach notifications (of which only 76 cases were deemed not to be security breaches). This is an increase of 681 on 2013. The report attributes this increase to the greater number of data security breaches arising from inadvertent disclosures made through post and email, e.g. a letter being sent to the wrong address or third party data being inadvertently included in correspondence.
Enforced Subject Access Requests
Section 4(13) of the Data Protection Acts 1988 and 2003 (the “DPA”) came into effect on 18 July 2014. This provision makes it unlawful for employers to require employees or candidates for employment to make an access request under section 4 of the DPA, or to provide the employer with information obtained via such a request. The report states that the ODPC intends to vigorously pursue and prosecute any abuses in this area in 2015 and onwards.
The ODPC carried out 38 privacy audits and inspections in 2014. The report states that a particular area of focus was the data processing activities of credit unions, private investigators, accountants and liability adjusters. The report also notes the finalisation of the LinkedIn-Ireland audit, and the publication of the An Garda Síochána audit report, arising from the data protection audits carried out by the ODPC in 2013.
The ODPC, in conjunction with 25 other privacy enforcement authorities, conducted an audit of 20 mobile apps as part of a Global Internet Privacy Sweep themed “Mobile Privacy”. The report notes that in 55% of the cases examined, the privacy information provided by the apps did not fully explain the manner in which the apps collect, use and disclose personal data associated with the use of the app.
The case studies presented in the report highlighted a wide range of issues, including the following:
Prosecution of company directors: A case in relation to the use of private investigators leading to a breach of section 22 of the DPA (obtaining access to personal data without the prior authority of the relevant data controller, and disclosing such data to another person) resulted in the first prosecution of company directors under section 29 of the DPA for their part in the commission of data protection offences by their company.
Failure to register as a data processor: A further case relating to the use of private investigators led to the first prosecution to be completed by the ODPC for processing personal data without having registered as a data processor on the ODPC’s public register, in breach of section 16(2) of the DPA.
Marketing offences: A number of cases describe prosecutions in relation to marketing offences (e.g. the making of unsolicited phone calls to numbers listed on the National Directory Database opt-out register, and the sending of emails/texts to persons who had previously opted out of receiving such contact) resulting in fines of between €75 and €6,000.
Excessive collection of data: A number of cases detail complaints received by the ODPC in relation to the excessive collection of data, particularly the collection of bank statements where not strictly required. For example, a letting agent had requested bank statements, PPS numbers and copies of utility bills from all prospective tenants at the letting application stage. Following investigation by the ODPC, the agency accepted that it should only seek such details once an applicant had been accepted as a tenant. The report cautions data controllers against collecting a wide range of personal data on an “in case” basis.
Employee emails and equipment: Two of the case studies highlight the risks, from a personal data security perspective, of employees using personal email accounts, and personal equipment (e.g. laptop and mobile phone) for work matters. The report notes that employers have little or no control over any data transmitted via non-business email accounts, or data held on personal equipment, and advises that employers should ensure only business email accounts are used for work-related purposes.
Overall, the case studies presented in the report highlight the proactive approach of the ODPC towards compliance, and underline the importance for organisations of ensuring that all of their employees are aware of data protection requirements, particularly where such employees are involved in marketing activities on behalf of the organisation.