Data Protection Commissioner
Data Protection Commissioner

MEDIA RELEASE 13 MAY 2009

Data Protection Commissioner launches his Annual Report for 2008

The Data Protection Commissioner launched his report for 2008 today.  His report focuses on the responsibility of private and public sector organisations to treat the personal information of their customers and clients with respect. 

Enquiries and Complaints
During 2008 the Office of the Data Protection Commissioner continued to receive a high volume of complaints.  The total of 1,031 complaints submitted in 2008 is similar to the total for 2007, a substantial increase from previous years (658 complaints were submitted in 2006).  However, a breakdown of the figures reveals a significant decrease in the number of complaints reporting unsolicited direct marketing text messages, phone calls, fax messages and emails.  The Commissioner welcomes this development which reflects increasing awareness of data protection obligations among service providers in this sector and the impact of prosecutions undertaken by the Commissioner to challenge illegal practices in the text marketing sector.  There has been a corresponding increase in the number of complaints related to access rights under the Data Protection Acts 1988 and 2003.  The Commissioner considers that this reflects a higher level of awareness among members of the public of their rights in this area.  The Commissioner includes a list of occasions when he had to resort to the use of his legal powers to advance an investigation.  He hopes that publication of these lists will encourage all organisations that are the subject of complaints to co-operate fully with his Office in relation to its statutory investigations.

As in previous years the Office sought to achieve amicable resolutions to complaints as often as possible, as mandated by section 10 of the Data Protection Acts, 1988 and 2003.  In such cases complainants may be content to receive an apology from the data controller concerned and an undertaking to ensure there will be no repeat of the incident and may not require a formal decision from the Commissioner.  These settlements have also, on occasion, involved sizeable donations to charity in recognition of the breach of data protection requirements that occurred.

The Commissioner also reports on efforts to encourage public and private sector bodies to voluntarily report personal data security breaches to the Office.  He reports considerable success in this respect, as voluntary breach notification has come to be accepted as best practice when dealing with data security breach incidents in both the public and the private sector.  The Commissioner reports on a number of high profile data security breach incidents that occurred in 2008, including breaches at Jobs.ie, Bank of Ireland, the Office of the Comptroller and Auditor General and the Health Service Executive.

The Report updates on the Commissioner's intensive audit of data security at the Department of Social and Family Affairs, prosecutions undertaken against Iarnród Éireann and Clarion Marketing, complaints received against UPC (formerly Chorus/NTL), concerns in relation to the overall approach to data protection within An Post and continued interaction in relation to the M50 Barrier-Free Tolling Project.
The Commissioner's report also includes case studies of a number of specific investigations into the use of personal data including:

  • Breaches of the Data Protection Acts related to a marketing postcard campaign launched by the insurance company 123.ie to promote its home insurance product;
  • Unsolicited premium rate text messages sent by Interactive Voice Technologies (IVT) and a substantial donation to charity as part of an amicable resolution;
  • Total Fitness Ireland and the use of legal powers to ensure compliance with an access request;
  • BuyAsYouFly and a failure to respect opt-outs from direct marketing by email;
  • Celtic Water Solutions and marketing telephone calls to numbers on the NDD Opt-Out Register;
  • Breaches of the Data Protection Acts by Halston Street Credit Union;
  • Tesco and the resale of an Apple ipod containing a customer's personal data; and
  • Dell and persistent unsolicited marketing faxes.

Other Activities
In a wide ranging report on his Office's activities in 2008 that reflects the variety of issues the Office is called upon to address, the Commissioner also focuses on:

  • Efforts to increase public awareness of data protection rights and a recent public awareness survey;
  • The publication of a Data Protection Code of Practice for the insurance sector to allow a better understanding of data protection requirements among those working in that sector;
  • Engagement on a range of data protection issues with the health sector and remaining issues of concern regarding the capacity of those in the sector to meet their obligations

The Commissioner's report also includes a special consideration of the challenges posed by the expansion in use of the Personal Public Service Number (PPSN).

[Note:  The Annual Report is available for download in PDF version from the Data Protection Commissioner's website:    www.dataprotection.ie]

Media Queries   Diarmuid Hallinan

Telephone   (057) 868 4800
Fax             (057) 868 4757
Email          dphallinan@dataprotection.ie
Website      www.dataprotection.ie