The first annual report of the new Data Protection Commissioner, Helen Dixon was recently published and highlighted some interesting trends and statistics for 2014 (the “Report”).
The Data Protection Office (the “Office”) was significantly strengthened in 2014 by a near doubling of its budget, an increase in the number of staff and the opening of a new Dublin office. This expansion re-enforces the significance of data protection and the priority which it is being afforded by the Irish Government in a year which also saw the appointment of Dara Murphy as Minister for State with responsibility for data protection.
Breach Notifications – key points
- The Report detailed a record number of data breach notifications (2,264) and queries via email (13,500 increased from 12,000 in 2013).
- Of the total of 960 complaints received, only 27 were not amicably resolved. The largest single category of complaints related to access requests which indicate increased public awareness of the right to access one’s personal data.
- The next largest category related to direct electronic marketing.
Enforcement – key points
- 38 audits and inspections were carried out.
- While the Report noted that the vast majority of organisations engaged voluntarily with the Office, 3 statutory enforcement notices were issued and 9 entities prosecuted for offences under the Data Protection Acts 1988-2003 (“Acts”).
- The Office undertook a large volume of work focusing on the investigation and prosecution of private investigators as well as prosecuting (for the first occasion) directors of a company for their part in data protection breaches by investigators employed by the company.
- The Commissioner continued her predecessor’s policy of engagement with large technology companies and consulted with them on numerous matters such as new products or services and emerging data protection issues.
A number of case studies are annexed to the Report which highlight the complaints received by the Office (ranging from excessive data collection and inappropriate disclosure of personal data to failure to comply with a data access request) and its approach to resolve them.
The Office was busy with the new water utility, Irish Water as a large volume of queries and complaints were received. In addition, it advised the Department of Communications, Energy and Natural Resources on the data protection implications of Ireland’s new postcode system. The Office also co-operated with the Canadian Commissioner, the Australian Information Commissioner and the Federal Trade Commission regarding a data breach by Adobe.
What does this mean for companies?
Compliance with data protection legislation is important for all companies because failure to do so can have not only financial consequences but can also damage their reputation,
particularly if a breach is reported in the media and they are named in the Commissioner’s Annual Report.