3 July 2015
Annual Report of the Data Protection Commissioner 2014
The Data Protection Commissioner recently published her Annual Report for 2014. The report is the first from new Commissioner Helen Dixon, who was appointed to the role in September 2014. It is clear from the report that 2014 was a busy year for the Office of the Data Protection Commissioner (“ODPC”), with an increase in activity across all of the ODPC’s main functions, such as investigation and enforcement, guidance and education, audits/inspections and notifications. This increase in activity is expected to continue into 2015, when the ODPC’s budget will be doubled from €1.8m to €3.65m, additional staff will be hired and a new office in Dublin will be opened. Key issues raised in the report include the following:
The ODPC received 960 complaints in 2014, which reflected an increase of approximately 5% from 910 in 2013. As was the case last year, the majority of the complaints related to data access requests (54.3%) with a further 18.3% of complaints relating to electronic direct marketing. Interestingly, the report notes that this is the first year since 2005 that complaints in relation to direct marketing dropped below 200 in a calendar year. A further notable development was the emergence of a new category of complaint in relation to internet search result delisting, arising from the “Google Spain” ruling regarding the removal of personal data from search engine search results. 32 of the complaints received related to this category. Other complaints related to disclosures of data, unfair processing of personal data, unfair retention of personal data and the use of CCTV footage.
The ODPC issued three enforcement notices in connection with investigations, obliging data controllers, subject to criminal penalty, to comply with directions – most commonly to comply with data access requests. The ODPC also issued nine information notices in 2014, up from three in 2013. Six of the nine information notices were issued to credit unions (probably arising as a result of the focus on privacy audits of credit unions, discussed below).
Data Breach Notifications
During 2014, the ODPC received 2,264 data security breach notifications (of which only 76 cases were deemed not to be security breaches). This is an increase of 681 on 2013. The report attributes this increase to the greater number of data security breaches arising as a result of inadvertent disclosures made through post and email, e.g. through a letter being sent to the wrong address or third-party data being inadvertently included in correspondence.
Enforced Subject Access Requests
Section 4(13) of the Data Protection Acts 1988 and 2003 (the “DPA”) came into effect on 18 July 2014. This provision makes it unlawful for employers to require employees or candidates for employment to make an access request under section 4 of the DPA, or to provide them with information obtained via an access request. The report states that the ODPC intends to vigorously pursue and prosecute any abuses in this area in 2015 and onwards.
The ODPC carried out 38 privacy audits and inspections in 2014. The report states that a particular area of focus was the data processing activities of credit unions, private investigators, accountants and liability adjusters. The report also notes the finalisation of the LinkedIn-Ireland audit, and the publication of the An Garda Síochána audit report, arising from the data protection audits carried out by the ODPC in 2013.
The ODPC, in conjunction with 25 other privacy enforcement authorities, conducted an audit of 20 mobile apps as part of a Global Internet Privacy Sweep themed “Mobile Privacy”. The report notes that in 55% of the cases examined, the privacy information provided by the apps did not fully explain the manner in which the apps collect, use and disclose personal data associated with the use of the app.
The case studies presented in the report highlighted a wide range of issues, including the following:
Prosecution of company directors: A case in relation to the use of private investigators leading to a breach of section 22 of the DPA (obtaining access to personal data without the prior authority of the relevant data controller, and disclosing such data to another person) resulted in the first prosecution of company directors under section 29 of the DPA for their part in the commission of data protection offences by
Failure to register as a data processor: A further case relating to the use of private investigators led to the first prosecution to be completed by the ODPC for processing personal data without having registered as a data processor on the ODPC’s public register, in breach of section 16(2) of the DPA.
Marketing offences: A number of cases describe prosecutions in relation to marketing offences (e.g. the making of unsolicited phone calls to numbers listed on the National Directory Database opt-out register, and the sending of emails/texts to persons who had previously opted out of receiving such contact) resulting in fines of between €75 and €6,000.
Excessive collection of data: A number of cases detail complaints received by the ODPC in relation to the excessive collection of data, particularly the collection of bank statements where not strictly required. For example, a letting agent had requested bank statements, PPS numbers and copies of utility bills from all prospective tenants at the letting application stage. Following investigation by the ODPC, the agency accepted that it should only seek such details once an applicant had been accepted as a tenant. The report cautions data controllers against collecting a wide range of personal data on an “in case” basis.
Employee emails and equipment: Two of the case studies highlight the risks, from a personal data security perspective, of employees using personal email accounts and personal equipment (e.g. laptops and mobile phones) for work matters. The report notes that employers have little or no control over any data transmitted via non-business email accounts, or data held on personal equipment, and advises that employers should ensure only business email accounts are used for work-related purposes.
Overall, the case studies presented in the report highlight the pro-active approach of the ODPC towards compliance, and underline the importance for organisations of ensuring that all of their employees are aware of data protection requirements, particularly where such employees are involved in marketing activities on behalf of the organisation.
This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.