Privacy through the Years - 21 Years of Data Protection

The Office of the Data Protection Commissioner came into existence in 1989 following the enactment of the Data Protection Act of 1988(1), the first data protection legislation to be introduced into Irish domestic law.

As we celebrate the Office's 21st anniversary, it is perhaps interesting to examine privacy through those years and hopefully help point the way to what the future may bring to individual privacy....What were the key privacy concerns in the late 1980s and throughout the 1990s? Was it the steaming open or alleged interception of a personal letter or the knowledge that an employee in a telephone exchange had listened to a private conversation? Did the divulgence of sensitive medical information over the phone by a receptionist in a crowded GP's surgery lead to complaints being made to the Office?

Looking back through the annual reports produced by the Office over 21 years, there are striking resonances with the data protection landscape in 2010 and also some key contrasts in terms of the nature of complaints raised and issues facing the Office. Consumer credit issues appear to have been the predominant privacy concern of members of the public who contacted the Office in the early years of its inception. The 1990 annual report states that two thirds of the formal complaints investigated by the Office of the Data Protection Commissioner related to consumer credit, mainly the issue of adverse credit reports on individuals being made by lending institutions to credit reference agencies, despite settlement terms with lending institutions on outstanding debt having been reached. The Commissioner at the time noted "This is often done without informing the agency of the settlement or telling the individual that the adverse report is being sent". This issue was tackled effectively at the time through substantial engagement with the sector. No doubt as a direct result of the current economic climate, the Office witnessed an upturn in 2009 of enquiries and complaints concerning financial affairs, liquidation, debt collection and credit related matters but thankfully nothing like the level witnessed in the 1990 report.

Awareness of Data Protection & Privacy

The 1995 Annual Report recounts a relatively common misconception whereby it was believed that "the Data Protection Commissioner has access to some enormous database which brings together all the computer records relating to an individual".  Also, in the 1997 Annual report the Commissioner was disappointed to note that an Attitudes & Awareness Survey conducted by the Office whilst displaying high levels of concern from respondents about information privacy revealed "only 2% of respondents spontaneously mentioned the Office when they were asked to name organisations dealing with complaints about privacy." Thanks to 21 years of dedicated awareness raising, both these impressions of the Office and its functions has been almost successfully eradicated!

Registration

Upon its establishment in 1989, the Office quickly set about addressing one of the primary elements of the 1988 Act, the requirement for certain categories of 'data controllers' and 'data processors' to register with the Office, outlining on a publicly available register the types of personal data being processed and to pay an annual registration fee. The numbers of data controllers and data processors registered in 1989 stood at 1,194 in comparison to now in 2010, where there are 4, 318 controllers and data processors registered with the Office. This information is available to all on our website at   http://www.dataprotection.ie/docs/Current_list_of_Registrations_held_by_the_Data_Protection_Co/8.htm  and includes an incredible amount of detail in relation to how organisations handle personal data. For instance the registration of An Garda Síochána, available at  http://www.dataprotection.ie/registry-details/0315%2FA.htm - is extremely informative and transparent as to how the force uses personal data to perform its functions.

Unsolicited Communications

Unsolicited mailings and how to prevent such communications going forward were a subject of enquiry to the Office from the outset. 1996 saw the introduction of a Mail Preference Service by the Irish Direct Marketing Association (IDMA). The Office of the Data Protection Commissioner immediately began directing members of the public to this facility whereby they could centrally record their preference not to be direct marketed by post. The issue of unsolicited phone calls also needed to be addressed and hence a similar type initiative - a Telephone Preference Service - was launched in 1998 by Eircom in conjunction with the IDMA. This was followed by a legally binding telephone preference service, the ‘opt out’ register on the NDD (National Directory Database), introduced following the passage of SI 535 of 2003 (as amended). This makes it an offence to call anybody who has expressed their preference not to receive such phone calls. As it stands today, in excess of 1 million subscribers have registered their preference to be included on the NDD.

Given the pace of technological evolution since the 90s, the spectrum in terms of unsolicited direct marketing has extended to a vista today where unsolicited e-mails, text messages, GMS location-based marketing and online behavioural advertising all combine to pose an increasing challenge for privacy rights. Due to the pace of technological advancement, it is difficult to predict future marketing frontiers and what challenges they may pose but clearly the tracking of our online activities to better target us with marketing is a key issue that we expect to engage our Office going forward.

Right of Access

It is evident from a review of the annual reports in the early 1990s that the rights of individuals to make an access request for a copy of their personal data under section 4 of the Data Protection Acts presented difficulties for some data controllers, in terms of an apparent lack of knowledge of their responsibilities and obligations in this area or a reluctance to respond within the specified timeframes. 

It is still the case some 21 years after the right of individuals to access their personal data from whoever is holding it (public body, private sector, voluntary organisation etc) was granted that it still seems to come as a complete surprise to some data controllers that such a right exists. Delays in responding to access requests also continue to be an issue the Office has to deal with, although significant work in raising awareness of data protection has at least succeeded in highlighting the access rights of individuals.

Complaints

In terms of overall statistics, the numbers of complaints investigated by the Office range from an initial 25 complaints back in 1990 through to 91 complaints in 1997, 233 in 2001 up to a level of around 1,000 for each of the last three years demonstrating the increased attention on data protection in Irish society today. Many more enquiries are dealt with without requiring the opening of a formal investigation.

As outlined above, since the inception of the Office in 1989 up until 1997 there were two predominant issues evident in the complaints investigated by the Office: consumer credit and unsolicited direct marketing. In the 1997 annual report the Commissioner noted a third issue to emerge as an element in several cases investigated; the use of the electoral register as a source of names and addresses for mailing lists. This issue continued to lead to complaints to the Office over the following years until the matter was addressed with the introduction in 2004 of a "Full" and "Edited" Register whereby only names on the edited register could be used for a purpose other than an electoral or other statutory purpose such as direct marketing.

At the end of the second decade of the Office's operation it is interesting to note that in 2006 the complaints landscape had shifted significantly, with 39% of complaints received relating to unsolicited electronic communications and 28% of complaints investigated concerning access rights. Only 5% of complaints investigated in 2006 addressed accuracy. The upward trend in complaints which had stemmed principally from a rise in unsolicited text messages from the premiuim rate SMS sector was halted when the 2008 annual report noted that

"Regarding unsolicited marketing text messages, my Office received almost 200    fewer complaints in 2008 than in 2007. I attribute this decrease to the effect on the   text marketing sector of prosecution proceedings which I brought to the District Court   towards the end of 2007 against a number of companies operating in that sector."

Technology

Smart card technologies make an appearance in the 1995 annual report, signalling an increasing engagement by the Office with new technologies and their implications. Loyalty card schemes are also referred to for the first time in the 1995 annual report and the potential of RFID technology (radio tracking devices on consumer goods) when combined with a loyalty card is highlighted in a resource aimed at teenagers produced by the Office in 2007 entitled - 'Sign Up, Log In, Opt Out: Protecting your Privacy & Controlling your Data'. E-Government initiatives surface for discussion in the 2000 annual report, whilst a commentary on social networking sites is provided for the first time in the 2006 annual report. Biometric systems feature in several annual reports from 2001 onwards.

National Identity Cards

The prospect of National Identity Cards was raised as far back as the 1992 annual report with the then Commissioner commenting on the proposal to issue ID cards based on RSI numbers

"the extended use of a social security number throughout the public sector poses a  more serious threat to privacy than might be imagined. This is because the use of any  multipurpose identity number creates the possibility of wide scale "file-matching"  within the State sector. It is the potential for "file matching" and not simply the use of  the numbers that give rise to privacy concerns. Once multi-purpose numbers begin to  cross government agency lines, privacy considerations are set aside in favour of  administrative efficiency".

Almost 20 years on, the issue of national identity cards is still a live one with the current Commissioner currently engaged in extensive consultations with the Department of Social and Family Affairs regarding its plans to begin a phased introduction of a Public Services Identity card featuring a photo, signature and the PPS Number of an individual. It is also evident that file matching across government agency lines, using the PPSN,  has  since become a reality.

The Public Sector and exemptions within the DP Acts

Regarding the public sector, it is interesting to note a case that dominated both the 1992 and 1993 annual report concerning Revenue and its use of a provision within the Data Protection Acts - section 5 (1)(a) - allowing access to be refused "where personal data are kept for the purpose of preventing or investigating offences or assessing or collecting any tax owed to the State in any case in which the granting of such access would be likely to prejudice any of these matters." This provision led to Revenue adopting a general policy of refusing taxpayers the right of access to their personal data on the grounds that it would prejudice the collection of taxes. The blanket application of this provision was challenged by the Data Protection Commissioner and the Revenue Commissioners were issued with an information notice seeking a justification for this approach which they appealed and subsequently lost in the Circuit Court. A Review Group was subsequently set up in which both the Office and Revenue participated, working together to draw up an agreed set of criteria for determining situations in which the Revenue Commissioners could appropriately rely on (section 5 (1)(a).

Over fifteen years later, a related provision, a set of exemptions also subject to a prejudice test was highlighted in the audit report on the inspection of Revenue carried out by the Office in 2009. This report is available on the Revenue website at http://www.revenue.ie/en/about/data-protection-report.html

 
"From the outset, the ODPC outlined its recognition that Revenue occupies a special  position as a consequence of the broad exemptions that exist under Section 8(b) of the  Data Protection Acts regarding the processing of personal data for the assessment or collection of tax. Nonetheless, the Team stressed that these exemptions are subject to  a prejudice test in each case and Revenue is still required to meet all the other  requirements of the Acts in terms of retention, disclosure and security. Revenue  assured the Team that it understood these requirements and had invested major  resources to ensure compliance with requirements under data protection legislation  and to protect itself against any risk of non-compliance."

Audits

The explicit power to conduct an inspection of an organisation and examine or extract a copy of personal data was not introduced until the 2003 Data Protection Act and thus the 2003 annual report contains a reference to the auditing activities of the Office for the first time. The increase in numbers of audits conducted by the Office is striking with 31 audits conducted in 2009 in comparison to just 6 audits in 2003.

The Future of Data Protection

Gazing into the privacy crystal ball of the future, digital vaults in the sky spring to mind. An array of technologies generate reams of data cushioned by a haze of cloud computing networks. The ether may host a person's DNA and genetic map, their employment history, health records, social network profile, pictures of the street and place where they live, a history of all their financial transactions, records of any penalties and fines incurred, a sample of their voice, a copy of their fingerprints. The possibilities are endless...Data borders continually merge and the privacy landscape mutates at an increasing pace.... Of course just because something can be done does not mean that it is right or indeed legal to do it. This is a point all too often lost on those holding personal data.

Going forward, it will be fascinating to gauge whether people's attitudes towards data protection will change in the wake of such monumental adjustments to the way their personal data is captured and harvested. Already, when the phenomenon of social networks sites and various online discussion fora is examined, the disclosure of all kinds of personal information and images appears to have become de rigueur, with the most personal and intimate information being disclosed sometimes in the absence of even the most basic privacy settings.

As indicated in recent remarks by the current Data Protection Commissioner at a Press Council Privacy Seminar in January 2010

Data protection must adapt to changing social norms and methods of communication. But its  basic aim of giving us as much control as possible over our personal information is even  more important in the Web-enabled world we live in.

(1) The 1988 Data Protection Act was based primarily on a 1981 Council of Europe Convention concerning the processing of personal data and this was followed by the 1995 EU Data Protection Directive (95/46/EC) which was transposed into Irish domestic law in 2003. Initially, data protection laws only applied to personal data held in computerised form but following the enactment of the 2003 Act, Irish data protection law covered all personal data held on individuals, be it in automated or manual form, ranging from files to phone call recordings to CCTV footage.