A data breach notification is a notification by a data controller to the ODPC informing them that the data controller’s security has been breached and/or data has been compromised. In 2015, the ODPC received a total of 2,376 data-breach notifications. This is an increase of 4.95% on the previous year. At present, only telecommunications and internet service providers have a legal obligation to notify the ODPC of a data-security breach although a Code of Practice introduced in 2011 sets out a number of recommendations for breach notifications to the ODPC.
It should be borne in mind however that the General Data Protection Regulation (“GDPR”) set to come into force in May 2018 will legally oblige all data controllers to notify the ODPC of any personal-data security breaches that occur.
It is of interest that in 2015, the highest category of data breaches (54%) reported under the Code of Practice was unauthorised disclosures such as postal and electronic disclosures, the majority of which occurred in the financial sector. Only 0.12% of the valid breach notifications were in relation to database hacking incidents or credit card scraping. This demonstrates the importance of implementation of data breach policies and training for staff, so that there is awareness of the types of incidents which might constitute a breach and may need referral to the DPC.
Enforced Subject Access Requests
The ODPC is continuing to clamp down on a practice whereby some employers require prospective job applicants to make a data access request to the Gardaí for their personal information. In this way, the employer gets access to data, to which they would not otherwise be entitled. As of 18 July 2014, section 4(13) of the Data Protection Acts 1988 and 2003 (the “DPA”) makes it an offence to compel an employee to make an access request of this nature. In 2015, the ODPC initiated investigations against 40 organisations across a range of sectors to identify and prevent companies engaging in such practices.
Privacy Audits
In 2015, the ODPC carried out 51 audits and inspections. Interestingly, just under half of these were ‘unscheduled inspections’ carried out under section 24 of the DPA. Unscheduled inspections arise from specific complaints made to the ODPC and the investigated data controller may be subject to an unannounced inspection or may be given advance notice. Some of the issues identified in the 2015 audits include:
Lack of data retention policy
Issues around CCTV usage including lack of signage and policy and excessive use
Lack of audit trails by organisations to guard against inappropriate access
Poor call handling procedures
Lack of clarity in relation to data controller / data processor contracts
Clear identification of the data controller where a debt collector has been engaged
Excessive use of biometric time and attendance systems.
Guidance: CCTV and ‘Body-Worn’ Cameras
Unlawful CCTV usage remains a pitfall for many organisations, with significant emphasis on this issue in the 2015 Report. The ODPC updated its guidance on CCTV, ‘body-worn’ cameras and drones in 2015. CCTV video and images of individuals normally constitute personal data. The ODPC Guidance Notes state that a data controller needs to be able to justify the obtaining and use of personal data by means of a CCTV system and must have a proper written CCTV policy in place outlining the position regarding requests for access to footage by third parties.
The ODPC’s position is clear: the use of any surveillance equipment must comply with the transparency requirements of data protection law. As with CCTV cameras, the ODPC affirms that the use of body-worn cameras must be adequate, relevant and not excessive for the purpose for which the data is collected. Organisations should review their use of CCTV to ensure they are compliant with the updated guidance from the ODPC.
Engagement with Tech Multi-Nationals
In 2015, the ODPC engaged with technology multinationals, including Facebook, Google, LinkedIn, Microsoft and Airbnb in relation to existing and proposed features of their respective websites, e.g. management of ‘cookies’, online behavioural advertising, computer-automated ‘tagging’ of photos and general management of privacy details. The ODPC also engaged with a number of multinationals on their use of Binding Corporate Rules. These define an organisation’s global policy with regard to the international transfer of personal data within the same corporate group to entities located in countries which do not provide an adequate level of data protection.
Recent European Case Law and International Developments
The Court of Justice of the European Union (“CJEU”) delivered its findings in the Schrems and Facebook case. This case struck down the Safe Harbour Agreement which provided a framework for the transfer of personal data to the US. On 12 July 2016, the European Commission formally adopted the EU-US Privacy Shield, replacing the Safe Harbour Agreement. According to the European Commission, the new framework affords increased protection and forms of redress to EU residents whose personal data is transferred to the US. The Privacy Shield also provides legal clarity for businesses that depend on transatlantic data transfers.
In October 2015, the CJEU issued a ruling in the Smaranda Bara case (C-201/14). The case involved the sharing of data between Romanian tax authorities and the National Health Insurance Fund in Romania, for the purposes of collecting arrears information. It was held that EU law precludes the transfer and processing of personal data between two public administrative bodies without the data subjects having been informed in advance. On foot of this decision, the DPC issued guidance on the sharing of data in the public sector.
ODPC Case Studies
The Annual Report contains 12 case studies dealing with a range of issues, including direct marketing offences, failure to keep personal data up to date, the accidental disclosure of personal data to third parties and the use of CCTV in employee disciplinary proceedings. Two cases in particular show the importance of complying with the provisions of the DPA:
1. Case Study: Defence Forces’ failure to keep data secure
This involved the review of an internal complaint of a member of the Defence Forces by a Military Investigating Officer (MIO). The MIO conducted an interview with the complainant and made notes of the interview. The notes in question were brought by the MIO to his private residence, an insecure location. The notes were ultimately lost in a subsequent burglary and flooding of the private residence. The ODPC found the Defence Forces in contravention of section 2(1)(d) of the DPA. The case highlights the importance, for all employers, of having a proper system in place that records the taking and returning of files by employees and of ensuring that any files that are removed are kept in a secure location.
2. Case Study: Supermarket’s excessive use of CCTV to monitor staff
This case involved a former staff member of a supermarket who was dismissed after she placed a paper bag over a CCTV camera in the canteen area. The staff member did so during an authorised break so that a colleague could style her hair. The ODPC found the supermarket to be in breach of section 2(1)(c)(iii) of the DPA due to excessive processing of the complainant’s personal data by means of a CCTV camera in a staff canteen. The case again highlights the need to ensure legitimate use of CCTV and to have a written policy in place governing such use.
2016 and Beyond
Providing a clear incentive for organisations to sharpen their focus on data protection compliance, the DPC notes that her office does not replace the requirement for organisations to procure their own expert advice and build their own capability to manage and drive compliance. The Annual Report also emphasises that the GDPR will explicitly put back onto organisations the clear obligation to properly organise themselves and their activities to ensure they are adequately protecting the individual’s fundamental right to privacy. With the approach of the GDPR in May 2018, organisations are advised to begin auditing their internal data management practices and procedures to position themselves to implement the changes under the GDPR.