Annual Report of the Data Protection Commissioner for 2014

The Data Protection Commissioner (DPC), Helen Dixon, has published her Annual Report for 2014. As usual, the Report reveals some interesting trends, statistics and case studies.

Here's a few we think are worth noting:

• Increase in data breach notifications - During 2014, there were almost 2,300 self-reported notifications of data breaches (an increase of 681 on 2013).  The principal cause of these data breaches was human error, such as the inclusion of the wrong bank statement in the wrong envelope, or the attachment of the wrong spreadsheet to an email. The financial sector accounted for two-thirds of the notifications.
   
• Complaints on the rise – The DPC received 960 complaints (compared to 910 in 2013).  All but 27 of the complaints received were resolved amicably.
   
• Difficulties in accessing personal data – The largest category of complaints received concerned difficulties in gaining access to personal data, which accounted for 54% (521) of the 960 complaints received.
   
• Decrease in unsolicited marketing complaints – The second largest category of complaints concerned unsolicited electronic marketing by text and email, which involved 18% (176) of the complaints received.  This was a decrease of 28 complaints compared with 2013. The DPC's active prosecution strategy in this area no doubt contributed to the decline in this type of complaint.
   
• New category of online search delisting complaints – A new category of complaint received concerned internet search result delisting.  Following the Google Spain case (which held that users may request search engines, in certain circumstances, to remove links to information affecting their privacy when a search has been conducted on the name of that individual), the DPC received 32 complaints against search engines refusing requests to remove links.
   
• Prosecutions of private investigators and company directors – The DPC prosecuted nine entities for a total of 162 offences.  The DPC undertook a high volume of case-work against private investigators (also known as tracing agents).  The prosecutions involved, for the first time, use of section 29 of the Data Protection Acts (DPAs) 1988 and 2003, to prosecute the directors of companies for their part in breaches by investigators employed by the company. 
  
  The prosecutions highlight the importance of businesses carrying out better due diligence before hiring private investigators, and of businesses ensuring that they are not inadvertently leaking personal data to third parties.  The DPC warned that her office will be scrutinising insurance companies and other financial institutions with regard to their use of private investigators to examine potentially fraudulent insurance claims.
   
• Statutory Enforcement Notices – Three Enforcement Notices were served requiring organisations to take certain steps to comply with the DPAs, mainly concerning the right of access to personal information.
   
• Selected Information Notices – The DPC served nine Information Notices requiring organisations to provide her with certain information she needed to carry out her functions, such as to pursue an investigation.
   
• Enforced Access Requests now an offence – In July 2014, section 4(13) of the DPAs came into effect, and it is now an offence to require job applicants to source personal information about themselves from organisations such as An Garda Síochána and to reveal the result of same to employers. The DPC is actively working to combat this practice, and has written to a random selection of organisations to check compliance.
   
• Privacy Audits – The DPC carried out 38 audits and inspections in 2014, prioritising multinational technology companies and major public -sector organisations.  It finalised its audit report of LinkedIn and published its audit of An Garda Síochána. The DPC also carried out some unscheduled inspections, using its powers under section 24 of the DPAs.
   
• Engagement with tech companies – The DPC engaged with large tech multinationals, with headquarters or significant presences in Ireland, regarding numerous matters, such as proposed new products and services and emerging data-protection issues.
   
• Queries - A record number of 13,500 queries were received by email, an increase from 12,000 in 2013. 

Case Studies
As always, the case studies contained in the Report offer a useful insight in to the approach of the DPC across a range of important issues.

Case studies which are certainly worth reading include, amongst others, the prosecutions of private investigators; prosecutions for marketing offences; excessive data collection by certain organisations; disclosure of financial information by a credit union; disclosure of personal data to a business partner, and resignation of a financial institution's employee taking personal data with him.

For further information please contact Davinia Brennan at dbrennan@algoodbody.com.

Date published: 23 June 2015