Data Protection Commissioner publishes his Annual Report for 2008

The Data Protection Commissioner has published his Annual Report for 2008. The Commissioner notes that his Office's activities during 2008 "had a heavy data security focus".

The Commissioner reports that his office worked with the Department of Finance to produce new public service guidelines, to assist government departments, offices and agencies in understanding their legal responsibilities under the Data Protection Acts 1988 & 2003. The Commissioner's audit work has also had a significant focus on data security, as reflected in the recent Audit Resource report published by the Commissioner.

The Commissioner reminds us that the question of whether notification of data breaches should be a legal requirement is currently being examined by a Review Group set up by the Minister for Justice, Equality & Law Reform. The Review Group will take account of developments at EU level, including the potential data breach notification requirement to be included in the revised E-Privacy Directive. Over the past year the Commissioner's Office has been intensifying its efforts to encourage public and private bodies to voluntarily report personal data security breaches to the Office. The Commissioner also warns that the extended requirement to retain telecommunications data for police use, under the EU Data Retention Directive, (to be implemented by the Communications (Retention of Data) Bill, expected to be published this summer), raises security concerns and privacy issues.

The Report notes a significant decrease in the number of complaints relating to unsolicited direct marketing text messages, phone calls, fax messages and emails. The Commissioner attributes this decrease to those involved being more aware of their legal obligations and the serious implications, including criminal sanctions, of failing to comply with such obligations.

The Report further contains a list of occasions when the Commissioner has had to resort to using his legal powers to advance an investigation. The 'naming and shaming' of such organisations is aimed at encouraging all organisations to co-operate fully with the Commissioner's Office in relation to statutory investigations. The Report also contains a number of case-studies which highlight complaints that the Commissioner has investigated in the past year.

The Annual Report is available from the Data Protection Commissioner's website: www.dataprotection.ie