Case Studies Data Breach Notification

High risk to an individual resulting from inaccurate Central Credit Register data

The DPC received a notification from a financial sector data controller concerning an individual whose account had been incorrectly reported to the Central Credit Register (CCR). The controller had purchased the individual’s account as part of a portfolio sale in 2015 and was not aware that the individual had been adjudicated bankrupt in 2014. Individuals who have been declared bankrupt fall outside the scope of reporting obligations to the CCR. In addition, accounts whose returns predate the commencement of the CCR on 30 June 2017 are not reportable to it.

The individual experienced difficulty obtaining a loan because their CCR record, which is visible to other lending institutions, had been reported in error by the controller as live and in arrears. The risk to the rights and freedoms of the individual was assessed as high and the breach was accordingly communicated by the controller to the individual under Article 34 of the GDPR. The DPC confirmed with the controller that the individual’s CCR record had been amended. By way of mitigation, the controller introduced measures requiring sellers of portfolios to disclose information on individuals such as bankruptcies.

Key Takeaway

  • This case highlights the importance of having systems in place to ensure the accuracy of personal data, as required by Article 5(1)(d) GDPR. Controllers should be aware of the personal data they hold on individuals and have measures in place to validate and understand the data when acquiring it from other parties.
  • The case also demonstrates that controllers have a duty to prevent the unauthorised alteration or disclosure of personal data, including the disclosure of incorrect data to the CCR, where this poses a risk to individuals.

Social Engineering Attack

A medium-sized law firm reported that it was the victim of a social engineering attack. A staff member opened an email from a malicious third party that secretly installed malware on their computer. The malware enabled the attacker to monitor email communications and to defraud a client of a sum of money. The firm reported the breach to the DPC.

Through its engagement with the firm, the DPC established that the firm used a widely used cloud email service which was managed by a contractor. Basic security settings such as strong passwords were not properly enforced and multi-factor authentication was not implemented. Upon becoming aware of the incident, the firm immediately commissioned a full investigation to establish the root cause and the extent of the breach. Based on the findings of the investigation, the firm responded promptly and implemented further technical security measures as well as additional cyber security and data protection training for all staff. The DPC requested that updates be provided on the implementation of appropriate organisational and technical security measures to prevent a recurrence of a similar breach.

Key Takeaway

  • This case demonstrates in stark terms that an organisation cannot assume that it has adequate measures in place simply because it uses an established service provider for functions such as email, or engages a third party to manage applications.
  • Controllers and processors must still ensure that they have security measures that are appropriate to any risk that may be posed to the personal data for which they are responsible.

Email addresses disclosed via group mail

The DPC received a breach notification from a charity that supports people with intellectual disabilities. The breach occurred when an email newsletter was addressed to recipients using the Carbon Copy (CC) field rather than the Blind Carbon Copy (BCC) field. The result was that the email addresses of all recipients were disclosed to those who read the email. This is a common type of personal data breach that is often the result of simple human error and that usually poses low risks. While the risks posed in this instance may not have been significant, further inquiries and an analysis of previous submissions to the DPC indicated poor awareness of data protection issues and responsibilities among the charity’s staff and volunteers.

Following engagement with the DPC, the organisation introduced training on data protection for staff and volunteers, and moved to create a new management role with responsibility for data protection compliance across the organisation.

Charities frequently process personal data of vulnerable persons, often including special category data such as information concerning health. Data protection is a fundamental right in the European Union, and protecting the rights of vulnerable persons requires care, planning and careful organisational measures. The hard work and goodwill of staff and volunteers must be matched by appropriate management and compliance resources to ensure the protection of personal data rights.

Inappropriate disposal of materials by an educational institution

A health science focused university notified the DPC of a breach arising from inappropriate disposal of materials containing personal data. An employee worked from home on a recruitment project. The employee worked on printed copies of a number of job applications and accompanying CVs. The organisation had instructed employees working from home to minimise printing and to destroy documents before disposal. However, the employee placed the recruitment documents intact into a domestic recycling bin. High winds caused contents of the bin, including the recruitment documents, to be dispersed.

In concluding its examination of the breach, the DPC made a number of recommendations. These focused not just on the work practices of employees, but most importantly on the technical and organisational measures of the controller. While it is important for staff to understand and implement good data protection practices, it is the responsibility of the controller to ensure that they do so and that they have the means, including, where appropriate, devices such as shredders, to deliver the required standard of protection.

Key Takeaway

  • This case illustrates how working from home can change people’s work environment or habits in ways that can pose risks to personal data. Office facilities such as confidential shredding, secure printing or even private rooms for discussions are not always available or feasible at home. As the number of people working remotely increases, controllers must review and adapt their resources, policies and procedures to ensure that they are adequate for the risks posed and the environment in which they occur.

Disclosure due to misdirected email

A notification was received from a statutory body whose functions include the investigation of complaints concerning experts’ professional conduct, training or competence. The personal data breach occurred when a letter concerning a complaint against a specialist was attached to an email and sent to an incorrect address. The attachment contained personal data of several persons, including health data, and was encrypted. However, the password for the encrypted letter was issued in a separate email to the same incorrect address.

The nature of the personal data and the context all indicated a high risk to data subjects. The DPC accordingly confirmed that all affected persons had been notified of the breach, the risks and the measures being taken in response to them, as required by Article 34 of the GDPR. The DPC reminded the organisation of its continuing obligation to secure personal data that was accidentally disclosed, and of the importance of ensuring security when emailing personal data. The statutory body has undertaken a review of all its data protection processes, policies and procedures.

Misaddressed emails are one of the most common causes of breaches reported to the DPC. Encryption is a valuable tool that can help to protect against accidental disclosures. However, it is advisable to use a separate medium, such as a telephone call or SMS message, to send the password: if the password travels in the same channel as the attachment, a single mistake in an email address delivers both to the wrong recipient and negates the benefit of the encryption.
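Two of the failure modes in these case studies can be caught before a message leaves the organisation: a mailing whose recipients are placed in To/CC rather than BCC (the charity newsletter case above) and a password for an encrypted attachment emailed to the same address that received the attachment (this case). The following outbound-mail policy check is an added example written for this page; it is not code from the DPC report or from any of the organisations described. The recipient threshold, the password keyword list, the look-back window and the sample messages are constructed assumptions, and the second check is a heuristic, since a mail gateway cannot see whether an attachment is actually encrypted.

```python
"""Outbound-mail checks for two failure modes in the case studies above:
a mailing addressed via To/CC instead of BCC (disclosing every recipient's
address to every other recipient), and a password for an encrypted
attachment emailed to the same address as the attachment itself.

Added example, not code from the DPC report. Messages are constructed
samples; the threshold, keyword list and time window are assumptions."""

from __future__ import annotations

import re
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

MAX_VISIBLE_RECIPIENTS = 5                      # assumed policy threshold
PASSWORD_PATTERN = re.compile(r"\b(password|passphrase|passcode)\b", re.I)
WINDOW_SECONDS = 24 * 3600                      # assumed look-back window


def _addresses(msg: EmailMessage, *headers: str) -> set[str]:
    """Lower-cased addresses from the named headers (display names dropped)."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def check_mass_cc(msg: EmailMessage) -> str | None:
    """To and CC are visible to every recipient; BCC is not. Flag messages
    that disclose more than the threshold number of addresses."""
    exposed = _addresses(msg, "To", "Cc")
    if len(exposed) > MAX_VISIBLE_RECIPIENTS:
        return f"{len(exposed)} recipient addresses disclosed via To/CC; use BCC"
    return None


def _body_text(msg: EmailMessage) -> str:
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


class SameChannelPasswordCheck:
    """Remembers when each (sender, recipient) pair last received an
    attachment and flags a later attachment-free message to that recipient
    whose body mentions a password. The gateway cannot see whether the
    attachment was encrypted, so this is a heuristic, not proof."""

    def __init__(self) -> None:
        self._last_attachment: dict[tuple[str, str], int] = {}

    def check(self, ts: int, msg: EmailMessage) -> list[str]:
        sender = parseaddr(msg.get("From", ""))[1].lower()
        has_attachment = any(True for _ in msg.iter_attachments())
        mentions_password = PASSWORD_PATTERN.search(_body_text(msg)) is not None
        findings = []
        for rcpt in sorted(_addresses(msg, "To", "Cc", "Bcc")):
            key = (sender, rcpt)
            if has_attachment:
                self._last_attachment[key] = ts      # remember the attachment send
            elif mentions_password and key in self._last_attachment:
                age = ts - self._last_attachment[key]
                if age <= WINDOW_SECONDS:
                    findings.append(
                        f"password sent to {rcpt} {age}s after an attachment over the "
                        "same channel; deliver it by phone or SMS instead")
        return findings


def run_policy(messages: list[tuple[int, EmailMessage]]) -> list[str]:
    """Apply both checks to a time-ordered sequence of (timestamp, message)."""
    same_channel = SameChannelPasswordCheck()
    findings = []
    for index, (ts, msg) in enumerate(messages):
        hit = check_mass_cc(msg)
        if hit:
            findings.append(f"message {index}: {hit}")
        findings.extend(f"message {index}: {f}" for f in same_channel.check(ts, msg))
    return findings


def _mail(sender: str, to: str, body: str, cc: str | None = None,
          attachment: str | None = None) -> EmailMessage:
    """Build a constructed sample message, optionally with a dummy attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"PK\x03\x04 constructed bytes", maintype="application",
                           subtype="zip", filename=attachment)
    return msg


def build_samples() -> list[tuple[int, EmailMessage]]:
    """Constructed traffic: a CC'd newsletter, a letter followed by its password
    to the same (mistyped) address, then a correctly handled send."""
    members = ", ".join(f"member{i}@example.org" for i in range(6))
    return [
        (0, _mail("news@charity.example", "news@charity.example", "Newsletter", cc=members)),
        (1000, _mail("casework@body.example", "j.smth@wrong.example", "Letter attached.",
                     attachment="letter.zip")),
        (1300, _mail("casework@body.example", "j.smth@wrong.example",
                     "The password for the letter is Spr1ng!24")),
        (2000, _mail("casework@body.example", "j.smith@right.example",
                     "Letter attached; password to follow by phone.", attachment="letter.zip")),
    ]


if __name__ == "__main__":
    for line in run_policy(build_samples()):
        print(line)
```

Run stand-alone, the script reports the newsletter (seven addresses exposed in To/CC) and the follow-up password message sent 300 seconds after the attachment to the same address; the final message mentions a password but carries the attachment itself and promises the password by phone, so it is not flagged.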

Repeated similar breaches

Over a period of 12 months, the DPC received notifications of a series of similar breaches from a data controller involved in financial matters. The controller sold services through a nationwide retail network owned and operated by a third party, which acted as its processor. The breaches occurred when existing customers of the controller made purchases at the processor’s outlets, but used an address different from the address they had previously registered with the controller.

Recent changes to the controller’s customer database systems had not been fully coordinated with those for sales, resulting in sales documents containing personal data being sent to customers’ old addresses rather than their new ones. The controller had instructed the processor not to accept purchase requests until changes of address had been registered, but some counter staff did not consistently follow the correct procedures.

When the DPC flagged the pattern of breaches, the controller agreed that there was a systemic problem that required attention by its senior management. While a technical solution was being designed and tested, the controller and processor adopted interim measures including re-training of staff, increased supervision, and a notice that appeared on screens used by processor staff when effecting sales, prompting them to confirm that the customer’s current registered address was correct. The controller implemented the changes in its IT systems to prevent sales documents being sent to incorrect customer addresses, and the recurring breaches ceased.

Key Takeaway

  • This case demonstrates how the DPC monitors breaches notified under Article 33 of the GDPR to identify systemic problems, whether in individual controllers, industry types or economic sectors.
  • It also shows how changes intended to improve information systems can have unforeseen side effects that adversely affect data subjects and the controller.
  • Lastly, it highlights that controllers must monitor the performance of processing agreements to ensure that processors clearly understand and follow procedures for processing personal data.

Breach Notification (12 Credit Unions) Processor Coding Error

The DPC received separate breach reports from 12 credit unions that employed the services of the same processor, which was based in the UK. The breach arose from a coding error made by the processor when implementing measures introduced in response to the Covid-19 pandemic.

Credit unions are required to report information to the Central Bank of Ireland concerning their borrowers and the performance of their loans. The Central Bank uses this information to maintain the Central Credit Register (CCR). Lenders and credit rating agencies in turn use this information to verify borrowers’ debts and credit histories. A large number of lenders, particularly credit unions, use the services of data processing companies to prepare such CCR returns and forward them to the Central Bank.

During 2020, the Irish Government introduced a series of measures to mitigate financial distress caused by the pandemic and the resulting lockdowns. These included measures allowing financial institutions to pause loan repayments without adversely affecting borrowers’ credit ratings. Lenders were instructed to use particular codes in the CCR returns to flag paused loans. This was intended to prevent those loans being interpreted as delinquent or otherwise suggesting that the relevant borrowers’ credit-worthiness had deteriorated.

In this incident the processor employed by the 12 credit unions used incorrect codes on CCR returns dealing with paused loans. The incorrect codes indicated that the borrowers affected had undergone a ‘restructuring event’. A restructuring event typically occurs when a borrower is unable to repay a loan over the agreed period and the lender agrees to change the loan’s terms to improve the borrower’s ability to repay. This can greatly reduce a borrower’s credit rating, so an inaccurate CCR record of a restructuring event could have serious consequences for the persons affected.

The credit unions in question became aware of the processor’s coding error in relation to their CCR returns several weeks after the processor had first sent CCR returns for them to the Central Bank using the incorrect codes.

Breach Notification (Financial Sector): Bank Details sent by WhatsApp

A private financial sector organisation notified the DPC that a customer had made a request to obtain their IBAN and BIC, which were held on file. The customer making the request was personally known to the member of staff dealing with the request. The member of staff, deviating from approved practices, used their personal mobile phone to send a picture of what they believed to be the requested information over a messaging platform (WhatsApp). However, the staff member erroneously sent details pertaining to another customer to the requesting customer.

The customer who received this information contacted the organisation to advise that the information received did not relate to their account and that they had undertaken to delete all offending material from their device. The organisation communicated with staff to remind them that only authorised methods of communication should be used when handling future requests of this nature. The organisation also issued an apology to all affected data subjects.

The DPC issued a number of recommendations encompassing the use of only approved organisational communication tools, making staff fully aware of acceptable and non-acceptable behaviour when using organisational communication tools, and ensuring that staff have undergone appropriate training in their obligations and responsibilities under the provisions of the GDPR and the Data Protection Act 2018.

Breach Notification (Voluntary Sector): Ransomware Attack

In May 2020, the DPC received a breach notification from an Irish data processor and subsequently a notification from an Irish data controller operating in the voluntary sector who had engaged this processor to provide webhosting and data management services.

The breach related to a ransomware attack in the data centre used by the data processor, which resulted from an attacker gaining access to the server via a Remote Desktop Protocol (RDP) port and deploying the malware.

The DPC engaged with both the controller and the processor through a number of communications, including technical and organisational questionnaires focusing on areas of potential non-compliance with data protection law. These areas included the processor’s use of a data centre in the US to store back-up data without adequate agreements, and insufficient oversight of the processor by the controller as required under Article 28 of the GDPR. The DPC concluded the case by issuing recommendations to both controller and processor, and thereafter continued to engage with both parties to ensure that the recommendations had been implemented.

Disclosure of CCTV footage via social media

A commercial and residential property management company notified the DPC that an employee of a security company whose services they retained had used their personal mobile phone to record CCTV footage of two members of the public engaged in an intimate act, which had been captured by the management company’s security cameras.

The video was subsequently shared via WhatsApp with a limited number of individuals. The business advised the DPC that it had instructed staff who may have received the footage to delete it and not to disseminate the video further.

Both the property management company and the security company were able to demonstrate that adequate policies and procedures did exist; however, appropriate oversight and supervision to ensure compliance with these policies and procedures was lacking.

Following recommendations made by the DPC to the property management company, the company engaged with its staff to deliver further data protection training with an emphasis on personal data breaches. In addition, further signage was displayed prohibiting the use of personal mobile devices within the confines of the CCTV control room.