
Protect Against the Unexpected - Data Security Breaches

The ‘Personal Data Security Breach Code of Practice’ (the “Code”) was formally approved by the Irish Data Protection Commissioner on 7 July 2010, pursuant to Section 13(2)(b) of the Data Protection Acts 1988 and 2003. The approval comes in the wake of high-profile breaches and a significant increase (47%) in the number of security breach incidents in 2009 compared with the previous year.

The Code applies to all data controllers and data processors and sets out the key obligations of each. It addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration. In such instances, the focus of the Office of the Data Protection Commissioner (the “ODPC”) is on the rights of individuals whose personal data may have been compromised.

The Code does not presently have the force of law but can be taken into account in court proceedings if considered relevant. In the meantime, it should be considered recommended best practice where companies become aware of security breaches involving the personal information of customers and employees.
 
All insurance and reinsurance companies are currently required to register with the ODPC and failure to register is an offence. There is also an existing ‘Code of Practice for the Insurance Sector’, which sets out the ‘eight rules of data protection’ for data controllers. Insurance companies should ensure that they comply with data protection obligations, particularly as there is an ongoing large-scale investigation by the ODPC into the sharing of customers’ personal data by insurers through the ‘Insurance Link’ database. The ‘Insurance Link’ database is a centralised database of claims used to detect repetitive claimants.

For further information, please contact Eoin Caulfield.