Irish Data Protection Commission fines TikTok €530 million and orders corrective measures following Inquiry into transfers of EEA User Data to China
02nd May 2025
In 2019, the DPC received a complaint about the disclosure of a patient’s data via Facebook messenger by a hospital porter regarding her attendance at the Early Pregnancy Unit of a hospital. Upon examination of the complaint, the HSE clarified to the DPC that the hospital porter who disclosed the personal information of the patient was in fact employed by a healthcare agency contracted by the HSE. The DPC contacted the agency and sought an update in relation to its internal investigation, details of any remedial action as well as details of any disciplinary action taken against the employee in question. At the same time, the DPC advised the HSE that, as it contracts the company concerned to provide agency staff to work in the hospital, ultimately the HSE is the data controller for the personal data in this instance.
The complaint was subsequently withdrawn by the solicitor acting on behalf of the woman following a settlement being agreed between the affected party and the hospital/healthcare agency. Data controllers/data processors may be liable under Section 117 of the Data Protection Act 2018 to an individual for damages if they fail to observe the duty of care they owe in relation to personal data in their possession.
The DPC has no role whatsoever in dealing with compensation claims and no function in relation to the taking of any such proceedings under Section 117 of the 2018 Act or in the provision of any such legal advice.
We received a complaint against the Department of Foreign Affairs and Trade (the DFAT), alleging that the mission in Cairo, Egypt, had shared the complainant’s personal data with a third party (his employer) without his knowledge or consent, and that it had failed to keep the complainant’s personal data safe and secure, having transmitted it via WhatsApp to his employer. This related to processing of the complainant’s personal data contained in a short-term visa application that the complainant had submitted in order to sit an exam in Ireland.
During our investigation, the DFAT informed us that it was standard practice in processing visa applications to check for accuracy, completeness and the validity of supporting documents. According to DFAT, a suspicion had arisen as to the veracity of a supporting document submitted by the complainant, which had purportedly been signed by his employer. In order to verify its validity, a staff member in the Cairo mission had contacted the employer (an official of an Egyptian government agency, whose name and signature appeared on the document) by telephone, as he was best placed to verify the authenticity of the document. The employer confirmed that he would need to see the document to verify it, but that as he did not have an official email address, the only way to receive it was via WhatsApp. The DFAT informed us that prior to sending the data via WhatsApp it had carried out a local risk assessment, including looking at the security/encryption associated with WhatsApp. It had concluded that in light of the end-to-end encryption on WhatsApp, this was the most secure means of transmission available, given the urgency of the visa application, as outlined by the complainant in his application. In this context, DFAT informed us that many government officials and civil servants in Egypt do not have access to official email accounts/systems and often use services like Gmail, Hotmail, WhatsApp and Viber to carry out official business. In this case, the government official in question had confirmed that this was the only method of communication available to him.
The documents had been sent using the mobile phone of the only staff member of the Cairo mission with WhatsApp and had been deleted from the device immediately after being sent. Ultimately, the official informed the Cairo mission that the documents were fraudulent and the visa application was denied. During our investigation, the complainant informed us that he was seeking €3,000 in compensation from the DFAT, as the lost cost of sitting the exam in Ireland. Upon the DPC informing the complainant that it did not have the power to award compensation, the complainant requested a formal decision from the DPC.
In considering whether a contravention of the Acts had occurred when the complainant’s personal data was sent by DFAT, via WhatsApp, to the official in question, the DPC sought to establish the facts in relation to, first, whether the transmission in question was necessary, and, second, whether it was secure, including whether there were more secure methods available to DFAT to transmit the data. On the first issue, the DPC was satisfied that it was necessary for the DFAT to share the complainant’s personal data with the official who, in the application for the short-term visa, was stated to be his employer and who, according to the application documents, had purportedly signed certain supporting documents. We noted in this regard that the relevant privacy policy (for the Irish Naturalisation and Immigration Service) explicitly states that the burden of proof in a visa application is on the applicant and that the visa officer may verify any evidence submitted in support of an application. The policy also states that any information provided in an application form can be disclosed to, among others, foreign governments and other bodies for immigration purposes.
The DPC was satisfied that given the lack of any other secure means to contact the official in question, the transmission via WhatsApp was necessary to process the personal data for the purpose provided (visa eligibility) and that the complainant was on notice that supporting documentation could be shared with third parties to verify authenticity. The DPC also took account of the fact that the local risk assessment carried out by DFAT had established that, in the circumstances, sending the personal data via WhatsApp was the most secure means of transmission. Accordingly, the DPC found that DFAT had complied with the Acts.
We received a complaint from a data subject whose webchat with a Ryanair employee was accidentally disclosed by Ryanair in an email to another individual who had also used the Ryanair webchat service. The transcript of the webchat contained details of the complainant’s name and that of his partner, his email address, phone number and flight plans. The complainant told us that he had been alerted to the disclosure by the individual who had been erroneously sent the transcript of his webchat.
In our examination of the complaint, we established that Ryanair’s live webchat service is provided by a third party, which is a data processor for Ryanair. We also established that the system that sends the webchat transcripts by email has an auto-fill function that populates the recipient field with the email address of the last customer emailed. On the date in question, the data processor received requests from four Ryanair customers for transcripts of their webchats, all of which were processed by the same agent. However, the agent did not correctly change the recipient email address when sending each transcript, so that they were sent to the wrong recipients. Ryanair informed us that, in order to prevent a recurrence of this issue, the auto-fill function in the live webchat system has been disabled by the data processor and refresher GDPR training has been provided to staff.
Many of the complaints that the DPC receives relating to unauthorised disclosure of personal data in an electronic context, for example emails containing personal data sent to the wrong recipient, stem from use of the auto-fill functions in software. While data controllers may consider this a useful time-saving tool in a data-entry context, it has inherent risks when it is used to populate recipient details for the purposes of transmitting personal data. Auto-fill functions should therefore be used with caution, and where controllers decide to integrate such a function into their software for data-processing purposes, at a minimum other safeguards should be deployed, such as dummy addresses at the start of the address book, or on-screen prompts to double-check recipient details. The principle of safeguarding the security and confidentiality of personal data goes hand in hand with data protection by design and default, so that when data controllers and processors are devising steps in a personal-data-processing programme or software, the highest standards of protection for the personal data are built in, particularly with regard to assuring the integrity, security and confidentiality of personal data.
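The failure in the Ryanair case is state carried from one send to the next: the recipient field remembers the last address, and a single missed keystroke routes one customer's transcript to another. The example below is added here and is not the DPC's, Ryanair's or the processor's code. It mimics that auto-fill behaviour in one function and, beside it, a flow in which the recipient is derived from the request record and checked against the owner recorded on the transcript, so that no value survives between sends. All session ids, addresses and transcript text are constructed.

```python
"""Added example (not the DPC's or Ryanair's code): two ways of addressing a
webchat-transcript email. The first mimics the auto-fill behaviour described
in the case; the second derives the recipient from the request record and
refuses to send if it does not match the transcript owner. All names,
addresses and session ids are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TranscriptRequest:
    session_id: str       # the webchat session the customer wants a copy of
    requester_email: str  # the address the customer gave when asking


@dataclass(frozen=True)
class SentMail:
    to: str
    session_id: str


# Constructed transcript store: session id -> (owner address, transcript text).
TRANSCRIPTS = {
    "chat-1001": ("alice@example.com", "Alice: flight to DUB on 3 May, phone +353..."),
    "chat-1002": ("bob@example.com", "Bob: rebook STN-DUB, travelling with partner"),
    "chat-1003": ("carol@example.com", "Carol: bag allowance query"),
    "chat-1004": ("dave@example.com", "Dave: refund status"),
}

# Constructed sample: four transcript requests handled by one agent in a row.
REQUESTS = [TranscriptRequest(sid, owner) for sid, (owner, _) in TRANSCRIPTS.items()]


def send_with_autofill(requests, agent_retyped):
    """Flawed flow: the recipient box is pre-filled with the last address used
    and stays there unless the agent overwrites it. agent_retyped[i] says
    whether the agent did so for request i (the first send has nothing to
    inherit, so it is always addressed correctly)."""
    outbox, last_to = [], None
    for req, retyped in zip(requests, agent_retyped):
        to = req.requester_email if (retyped or last_to is None) else last_to
        outbox.append(SentMail(to, req.session_id))
        last_to = to
    return outbox


class RecipientMismatch(Exception):
    """Raised when the requested recipient is not the transcript's owner."""


def send_bound(requests):
    """Hardened flow: the recipient is taken from the request record, never
    from UI state, and the send is refused unless that address matches the
    one recorded against the transcript itself. No value survives from one
    request to the next, so nothing can carry over."""
    outbox = []
    for req in requests:
        owner, _text = TRANSCRIPTS[req.session_id]
        if owner.casefold() != req.requester_email.casefold():
            raise RecipientMismatch(f"{req.session_id}: {req.requester_email} is not {owner}")
        outbox.append(SentMail(owner, req.session_id))
    return outbox


def misdirected(outbox):
    """Session ids whose transcript went to someone other than its owner."""
    return [m.session_id for m in outbox
            if TRANSCRIPTS[m.session_id][0].casefold() != m.to.casefold()]


if __name__ == "__main__":
    # The agent forgets to change the address from the third request onwards.
    print(misdirected(send_with_autofill(REQUESTS, [True, True, False, False])))
    print(misdirected(send_bound(REQUESTS)))
```

Disabling auto-fill, as the processor did, removes the carried-over value; binding the recipient to the record and checking it against the transcript owner is the defence-in-depth step, since it catches a mis-keyed address as well as an inherited one.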
We received several complaints in late 2017 against the Central Statistics Office (the CSO), each alleging that the CSO had disclosed the respective complainants’ personal data without their consent or knowledge. The complaints related to a data breach that the CSO had previously reported to us (under the voluntary Personal Data Breach Code of Practice) and to the affected individuals.
The data breach originated from actions taken by the CSO in response to three requests over a five-day period from separate former census enumerators seeking their P45 information. Emails with PDF attachments containing their own P45 and P45s of thousands of third parties were sent to the requesting enumerators. The CSO informed us that the data breach had been identified when a member of CSO staff had reviewed the relevant CSO sent-items mailbox, as part of the CSO’s standard due-diligence practices. The CSO confirmed that the disclosed third-party P45 information contained personal data including PPSNs, dates of birth, addresses and details of earnings from employment as census enumerators.
During our investigation, the CSO informed us that upon discovering the breach it had notified the recipients of the error, who had subsequently confirmed in writing that they had deleted the files. The CSO told us that it had also notified the affected individuals of the facts of the breach as they pertained to each individual. The CSO also informed us that following the data breach it had implemented a range of new procedures for handling P45 requests, including a rule that P45 requests were to be answered only by post going forward.
This data breach affected the thousands of individuals whose personal data was contained in the files that were unlawfully disclosed to the three former enumerators. The incident essentially occurred in triplicate because the erroneously disclosed files had been attached to three separate outgoing communications. This incident would have been preventable had the CSO had appropriate processes in place for the oversight of releasing tax-related personal data.
The DPC issued a number of individual decisions in respect of complaints in relation to this breach, finding in each case that a contravention of Section 2A(1) of the Data Protection Acts 1988 and 2003 had occurred, in that personal data had been processed without a legal basis, as was clear from the breach report submitted to the DPC from the CSO. Having examined the new measures implemented by the CSO to guard against a recurrence, the DPC was satisfied that they comprehensively addressed the failings that had brought about this incident. However, from the perspective of ensuring the lawfulness of the processing and the security and confidentiality of personal data held by the CSO, those new organisational procedures only served to underline the inadequacy of the previous measures for responding to requests for tax-related information.
We received a complaint concerning the alleged disclosure by a motor dealership of the complainants’ personal data to a third party. The complainants had provided the dealership with copies of their driver’s licences and bank details, including bank statements and full account details, in order to purchase a car through a Personal Contract Plan. They were subsequently copied in on an email from the dealership to a third-party email address, believed to be an address associated with a bank, which contained the complainants’ driver’s licences and bank details. The complainants were concerned that the third-party address was that of a restaurant and contacted the dealership about this, but were assured that the email address in question pertained to a bank and was secure.
The complainants remained concerned over the ownership of the email address, conducted online research into the matter, and were confident the email address was that of a restaurant. In order to confirm their suspicions, a friend of the complainants sent an email to the address in question and the response received confirmed it was that of a restaurant.
In the course of our examination, the dealership accepted that the email had been sent in error to the wrong address. Notwithstanding this acknowledgment, it was clear that no attempt had been subsequently made to contact the restaurant in order to request that the information erroneously sent be deleted by the unintended recipient. Upon instruction from this office, we received confirmation that the dealership had contacted the restaurant and requested that the email, including the documents, be deleted. The dealership put forward a proposal for amicable resolution that was accepted by the complainants.
A hospice care centre (data controller) uses a cloud-based email service and also engaged third-party IT consultants. The IT provider conducted an audit every quarter, and a number of recommendations were identified, including, but not limited to, multi-factor authentication (MFA) for all user accounts and the disabling of forwarding rules on all accounts. A user’s credentials were subsequently compromised, and the IT consultants established that the credentials had been obtained through a brute-force attack, which may have been prevented had the controller introduced multi-factor authentication as recommended at the time of the audit. On the advice of the IT consultants, the compromised user’s password was reset and MFA was introduced for that user. The controller has now commenced the introduction of MFA for all users. This breach could likely have been prevented had the audit recommendations been implemented in a timely manner.
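A brute-force attack of the kind described above leaves a characteristic trace in sign-in logs: a run of failures against one account from one source, followed by a success. The example below is added here and is not the DPC's, the hospice's or its IT provider's code. It parses constructed sign-in lines in an assumed format (timestamp, account, source address, outcome) and raises two alerts: a burst of failures inside a window, and a success while such a burst is still open, which is the event MFA would have blocked. Real cloud sign-in logs carry the same fields under different names and would need their own parser.

```python
"""Added example (not the DPC's or the hospice's code): detecting the
credential brute force described in the case from sign-in logs. The log
format is assumed, and every line below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one account hammered from one source, then a success,
# plus an unrelated user who mistypes a password once.
LOG_LINES = """\
2024-03-01T02:14:05Z user=j.murphy src=203.0.113.7 result=FAILURE
2024-03-01T02:14:31Z user=j.murphy src=203.0.113.7 result=FAILURE
2024-03-01T02:15:02Z user=j.murphy src=203.0.113.7 result=FAILURE
2024-03-01T02:15:40Z user=j.murphy src=203.0.113.7 result=FAILURE
2024-03-01T02:16:11Z user=j.murphy src=203.0.113.7 result=FAILURE
2024-03-01T02:16:49Z user=j.murphy src=203.0.113.7 result=FAILURE
2024-03-01T02:18:20Z user=j.murphy src=203.0.113.7 result=SUCCESS
2024-03-01T09:01:10Z user=k.byrne src=198.51.100.22 result=FAILURE
2024-03-01T09:01:30Z user=k.byrne src=198.51.100.22 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse(text):
    """Parse log lines into (timestamp, user, source, result), oldest first.
    Lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return sorted(events)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Two signals per (account, source) pair:
    - 'burst': at least `threshold` failures inside `window` (the attack);
    - 'success-after-burst': a SUCCESS while such a burst is still inside the
      window (the compromise that MFA would have blocked).
    Each alert is (kind, user, src, timestamp)."""
    recent = defaultdict(deque)   # (user, src) -> failure timestamps within window
    burst_open = set()            # pairs already alerted on, to avoid repeats
    alerts = []
    for ts, user, src, result in events:
        key = (user, src)
        q = recent[key]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if result == "FAILURE":
            q.append(ts)
            if len(q) >= threshold and key not in burst_open:
                burst_open.add(key)
                alerts.append(("burst", user, src, ts))
        else:
            if len(q) >= threshold:
                alerts.append(("success-after-burst", user, src, ts))
            q.clear()
            burst_open.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(LOG_LINES)):
        print(*alert)
```

The second alert is the one to page on: a burst alone may be noise or a lockout policy doing its job, but a success from the same source immediately after a burst is a compromised credential, and it is exactly the point at which an MFA prompt would have stopped the attacker.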
The DPC received a notification from a financial sector data controller concerning an individual whose account had been incorrectly reported to the Central Credit Register (CCR). The controller had purchased the individual’s account as part of a portfolio sale in 2015 and was not aware that the individual had been adjudicated bankrupt in 2014. Individuals who have been declared bankrupt fall outside the scope of reporting obligations to the CCR. In addition, accounts with returns prior to the commencement of the CCR on 30 June 2017 are not reportable to it.
The individual experienced difficulty obtaining a loan because their CCR record, which is visible to other lending institutions, had been reported in error by the controller as live and in arrears. The risk to the rights and freedoms of the individual was assessed as high, and the breach was accordingly communicated by the controller to the individual under Article 34 of the GDPR. The DPC confirmed with the controller that the individual’s CCR record had been amended. By way of mitigation, the controller introduced measures which require sellers of portfolios to disclose information on individuals such as bankruptcies.
A medium-sized law firm reported that it was the victim of a social engineering attack. A staff member opened an email from a malicious third party that secretly installed malware on their computer. The malware enabled monitoring email communications and permitted the bad actor to defraud a client of a sum of money. The firm reported the breach to the DPC.
Through its engagement with the firm, the DPC established that the firm used a widely used cloud email service which was managed by a contractor. Basic security settings such as strong passwords were not properly enforced, and multi-factor authentication was not implemented. Upon becoming aware of the incident, the firm immediately commissioned a full investigation to establish the root cause and the extent of the breach. Based on the findings of the investigation, the firm responded promptly and implemented further technical security measures as well as additional cyber security and data protection training for all staff. The DPC requested that updates be provided on the implementation of appropriate organisational and technical security measures to prevent a recurrence of a similar breach.
The DPC received a breach notification from a charity that supports people with intellectual disabilities. The breach occurred when an email newsletter was addressed to recipients using the Carbon Copy (CC) field rather than the Blind Carbon Copy (BCC) field. The result was that the email addresses of all recipients were disclosed to those who read the email. This is a common type of personal data breach that is often the result of simple human error and that usually poses low risks. While the risks posed in this instance may not have been significant, further inquiries and an analysis of previous submissions to the DPC indicated poor awareness of data protection issues and responsibilities among the charity’s staff and volunteers.
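The CC/BCC mistake is cheap to catch at send time, because the message itself shows how many addresses every recipient will be able to see. The example below is added here and is not the DPC's or the charity's code. It builds a mailing with the subscriber list in Bcc, shows the Cc variant that reproduces the mistake, and puts a gate in front of the send that refuses any message with more than one visible address. The sender and subscriber addresses are constructed.

```python
"""Added example (not the DPC's or the charity's code): a send-time gate that
refuses a bulk mailing whose recipients sit in To or Cc, beside a builder that
puts them in Bcc. Addresses are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses


class VisibleRecipientsError(ValueError):
    """Raised when a mailing would expose its recipient list."""


def visible_recipients(msg):
    """Addresses every recipient will see: everything in To and Cc.
    getaddresses handles display names and quoted commas correctly."""
    return [addr for _name, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]


def check_before_send(msg, max_visible=1):
    """Gate to call immediately before handing the message to the mail server.
    A newsletter legitimately shows at most one visible address (the sender's
    own or a list address); anything more is a disclosure."""
    seen = visible_recipients(msg)
    if len(seen) > max_visible:
        raise VisibleRecipientsError(
            f"{len(seen)} addresses visible in To/Cc; put subscribers in Bcc")
    return msg


def build_newsletter(sender, subscribers, subject, body, use_bcc=True):
    """Build the mailing. use_bcc=False reproduces the mistake in the case."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if use_bcc:
        msg["To"] = sender                    # only the sender's address is visible
        msg["Bcc"] = ", ".join(subscribers)   # smtplib.send_message uses Bcc for the
                                              # envelope and strips it from the sent copy
    else:
        msg["Cc"] = ", ".join(subscribers)    # every subscriber sees every other one
    return msg


# Constructed subscriber list.
SUBSCRIBERS = ["a.walsh@example.org", "b.nolan@example.org", "c.ryan@example.org"]

if __name__ == "__main__":
    good = build_newsletter("news@charity.example", SUBSCRIBERS, "May update", "Hello")
    check_before_send(good)
    bad = build_newsletter("news@charity.example", SUBSCRIBERS, "May update", "Hello", use_bcc=False)
    try:
        check_before_send(bad)
    except VisibleRecipientsError as e:
        print(e)
```

The gate belongs in the sending path rather than in a checklist: it turns a slip that depends on the sender noticing into one the software refuses, which is what data protection by design means for a task volunteers perform routinely.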
Following engagement with the DPC, the organisation introduced training on data protection for staff and volunteers, and moved to create a new management role with responsibility for data protection compliance across the organisation.
Charities frequently process personal data of vulnerable persons, often including special category data such as information concerning health. Data protection is a fundamental right in the European Union, and protecting the rights of vulnerable persons requires care, planning and careful organisational measures. The hard work and goodwill of staff and volunteers must be matched by appropriate management and compliance resources to ensure the protection of personal data rights.