The Data Protection Commissioner (the “Commissioner”) published his Annual Report 2010 (the “Report”) on 30 May 2011.
Increase of Statutory Powers?
The Report discusses the Commissioner’s use of his statutory powers to deal with complaints from individuals about denial of their data protection rights while working towards an improved general standard of data protection in Ireland. The Commissioner looks forward to the strengthening of such powers thereby allowing him to deal more vigorously with organisations who fail to demonstrate accountability for the personal data entrusted to them.
Insurance Link Database
The Report notes that such a failure was clearly evident in the insurance sector. A detailed investigation of data sharing in that sector through the database Insurance Link was prompted by concerns about the legitimacy and compliance of the database with data protection legislation. The outcome of that investigation was published as an appendix to the Report.
The database, which allows member organisations to share and cross-reference their insurance claims data, contains details of almost two and a half million claims. The investigation identified a number of issues relating to Insurance Link including a major lack of transparency as well as the accessing of the database by huge numbers of individuals with no supervision of that access. A number of serious incidents of inappropriate access were identified in the Report.
Fall in Complaints
The Report published figures showing that the number of formal complaints for investigation fell from 914 in 2009 to 783 in 2010. However, the Commissioner notes that this decrease may be attributed to greater focus on investigating claims only where evidence of a likely breach of legislation exists. Other complaints are dealt with by providing the complainant with suitable information on their rights.
Breaches & Code of Practice
The Commissioner also reports on his publication of the Data Security Breach Code of Practice (the “Code”). The Code focuses on informing those affected by security breaches, thereby allowing them to take appropriate measures to protect themselves. It also encourages the voluntary reporting of breaches to the Commissioner. The number of data security breach incidents reported in 2010 increased by 350% on the previous year as a result of the more exacting demands of the Code.
Data Sharing in the Public Sector
The Department of Social Protection, in consultation with the Commissioner, has published a set of Guidelines to aid public sector agencies that wish to share personal data in the public interest. Transparency and proportionality are the guiding principles of the Guidelines, which state: the sharing should be explicitly provided for by law; the public sector customer should know what personal data may be shared; the extent of sharing should be limited to what is necessary to achieve the public interest objective; and the data should be subject to a high level of security and be securely destroyed when no longer needed.
The Commissioner carried out thirty-two privacy audits in 2010. Those audited included financial institutions, schools, pharmacies and charities. The Report outlines a number of concerns arising from these audits, including the use of CCTV systems in schools and workplaces without sufficient justification and the collection and retention of PPS Numbers by charities for indefinite periods of time. In relation to the use of biometrics to record attendance in workplaces and schools, amongst other things, the Report notes numerous complaints. In relation to one particular audit, it was found that the inability of employees to opt out of such monitoring, along with an absence of information on how the data would be used, constituted a breach of the data protection legislation.
Contributed by Leo Moore.