The Data Protection Acts 1988 and 2003 provide rules that apply to the collection, use, disclosure and transfer abroad of information about individuals. The Acts cover the principals that companies must follow when processing personal data about employees as well as information about clients/residents.
The Acts also give individuals certain rights in relation to personal data that is held about them.
If you as a company collect, host or process data about people on any type of computer or structured filing system, then you are considered a data controller under the Acts.
Every company holding information about individuals should have a data protection policy in place and should ensure that all IT administrators and employees with access to personal/confidential information are fully trained on the rights and responsibilities associated with that access.
Billy Hawkes, the Data Protection Commissioner, ensures that companies that keep personal data are in compliance with the Acts. The Commissioner has a range of enforcement powers to help guarantee that the provisions of the Acts are observed. The Commissioner can serve legal notices compelling data controllers to provide information needed to assist with his enquiries. He can also compel data controllers to implement provisions of the Acts in a particular prescribed manner.
He may investigate complaints made by members of the public and can authorise officers to enter sites with the aim of inspecting the type of personal information kept as well as how it is processed and the security measures that the data controller has in place. Companies are required to co-operate fully with such data protection officers.
Data controllers who are found guilty of offences under the Acts can be fined up to €100,000 on conviction and may be ordered to delete all or part of their database.
The Data Protection Commissioner publishes a report annually naming, in certain cases, data controllers who were investigated by his office.
Civil sanctions may result where a person suffers any damage as a consequence of failures on the part of a data controller to meet his/her obligations.
In November 2013 it was discovered that the personal information of more than 1,500,000 people was compromised by a major security breach at a Co. Clare based company. In an RTE Morning Ireland interview at the time, Mr. Hawkes admitted that “cyber-criminals have become extremely sophisticated and it can be quite difficult to actually identify that your system has been perpetrated.” This was one of the worst data breaches in Irish history.
The Society for Chartered IT Professionals in Ireland, known as the Irish Computer Society (ICS), carried out a recent survey on data protection in Ireland and the results, which were published in January 2014, were astonishing.
256 Irish based companies were surveyed and a record number of data breaches were reported to have occurred in 2013. Findings revealed that one in two of the surveyed companies experienced a data breach during the last 12 months. In fact, more than 20% of the companies contacted by the ICS reported multiple breaches. These statistics mark a significant increase on last year’s figures when 43% of companies examined reported a breach.
According to the results, one third of employees are not fully aware of data protection issues and many receive insufficient data protection training or, alarmingly, no relevant training whatsoever.
Several IT managers admitted that data protection policies are not implemented at all in their company or they are only partially adhered to. The survey has highlighted the need for companies to manage their data processing environment much more carefully and provide additional training for their IT administrators and all employees who have contact with personal information pertaining to employees/clients. According to the ICS survey, negligence on the part of employees accounted for 77% of the reported incidents. Hackers seeking to obtain data and unencrypted laptops were also cited as major threats.
According to Fintan Swanton, Chairman of the Association of Data Protection Officers, “Clear policies and procedures are vital, with regular refresher training and timely reviews to ensure that staff are complying with the structures.”
It is important for employers to be aware that new data protection legislation will require most organisations to appoint a Data Protection Officer.