Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Data Protection Commissioner launches his Annual Report for 2012

 

The Data Protection Commissioner, Billy Hawkes, today launched his report for 2012.  As in previous years the report summarises activities of the Office during 2012 by reference to specific investigations and audits undertaken as well a summary of policy matters and EU/international activities. 

 

One of the major themes in this year's report concerns the issue of sharing personal data in the public sector which has featured regularly in previous annual reports from this Office.  The Commissioner accepts that data sharing can bring benefits in terms of efficient delivery of public services but cautions that it should be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason.  Appendix 4 of this year's report contains the full audit report carried out by the Office of external public agency access to the Department of Social Protection INFOSYS database* which uncovered significant breaches of the data protection legislation in relation to access to and governance of personal data.

 

In the 2011 Annual Report the Commissioner drew attention to the increased demand on the resources of the Office.  The Commissioner in his 2012 report points to the Government's response by providing additional staffing and funding to the Office.  In addition the Government has also given a commitment to keep the resourcing of the Office actively under review to ensure that any additional resources required will be made available.  The Commissioner acknowledges that his Office is now well-placed to discharge its current statutory responsibilities.  Given the likely increased role for the Office which will emerge from the new "one-stop-shop" arrangement being proposed at EU level for oversight of multi-national companies, the Commissioner welcomes the commitment to ongoing review of further resource requirements.

 

Complaints:

During 2012, the Office opened 1,349 complaints for investigation, exceeding last year's record high number with an increase of 188.  Complaints from individuals in relation to difficulties gaining access to their personal data held by organisations accounted for just under one-third of the overall complaints investigated during 2012.  There was a marked increase in the number of complaints under the Privacy in Electronics Regulations during 2012 (up from 253 in 2011 to 606 during 2012).

The report includes case studies of a number of specific investigations including:

?         Prosecution of three Insurance Companies for Data Protection Registration offences after social welfare data, sourced via a private investigator, was found on insurance claim files held by those companies.

?         Prosecution of a number of companies for unsolicited marketing offences

?         High Court ruling that Dublin Bus must supply copy of CCTV footage requested under the right of access

 

Data Security Breaches:

Data Security Breach notifications in 2012 increased to 1666 notifications.  For the first time the annual report contains a selection of case studies regarding a number of Data Security Breach investigations,  including:

?         First prosecution taken under updated security and breach notification requirements for telecommunication companies – Eircom (trading as eMobile) and Meteor arising from the theft of two unencrypted laptops containing personal data of over 10,000 customers.

?         Notification of postal breaches by Allied Irish Banks

 

Audits:

A list of the 40 organisations audited during 2012 is included in the report.  More comprehensive details of the following four audits are contained in the report:

?         Full Audit report of use of INFOSYS database administered by the Department of Social Protection

?         Details of Commencement of the audit of An Garda Síochána

?         Summary of the outcome of the follow-up audit of Facebook-Ireland

?         Summary of the findings and recommendations of the audits of reporting processes within lenders to the Irish Credit Bureau

 

ENDS

 

*INFOSYS is a query system used to view the details of a client's record across most of the Department of Social Protection's (DSP) transaction systems.  The principal DSP database which INFOSYS can query contains in excess of 7.7 million client records.  The INFOSYS query system consists of a snapshot of payment and record information held by DSP and is a read-only system which cannot be altered by those accessing it.