The Data Protection Acts 1988 and 2003 provide rules that apply to the collection, use, disclosure and transfer abroad of information about individuals. The Acts cover the principals that companies must follow when processing personal data about employees as well as information about clients/residents.
The Acts also give individuals certain rights in relation to personal data that is held about them.
If you as a Company collect, host or process data about people on any type of computer or structured filing system, then you are considered a data controller under the Acts.
Every Company holding information about individuals should have a Data Protection Policy in place and should ensure that all IT administrators and employees with access to personal/confidential information are fully trained on the rights and responsibilities associated with that access.
Billy Hawkes, the Data Protection Commissioner, ensures that companies that keep personal data are in compliance with the Acts. The Commissioner has a range of enforcement powers to help guarantee that the provisions of the Acts are observed. The Commissioner can serve legal notices compelling data controllers to provide information needed to assist with his enquiries. He can also compel data controllers to implement provisions of the Acts in a particular prescribed manner.
He may investigate complaints made by members of the public and can authorise officers to enter sites with the aim of inspecting the type of personal information kept as well as how it is processed and the security measures that the data controller has in place. Companies are required to co-operate fully with such data protection officers.
Data controllers who are found guilty of offences under the Acts can be fined up to €100,000 on conviction and may be ordered to delete all or part of their database.
The Data Protection Commissioner publishes a report annually naming, in certain cases, data controllers who were investigated by his office.
On 12th May 2014 Billy Hawkes launched his Annual Report for 2013. The report contains a summary of the activities of the Office of the Data Commissioner during the entire year.
The Annual Report highlights a huge number of individual complaints that were referred to the Office regarding difficulties in gaining access to personal data. According to the report these were as a result of poor customer service standards by commercial entities.
It appears as though individuals who feel as though they are not receiving sufficient customer service from a commercial entity are exercising their data protection rights more regularly and are more frequently requesting a copy of all personal data held by that entity.
If the initial query or request had been comprehensively dealt with in the first instance then perhaps they would have been less likely to exercise their data protection right to request a copy of all personal data held about them.
Employers should note that telephone call recordings are considered personal data. The Office has seen as increase in the number of access requests to data controllers by individuals seeking a copy of telephone recordings. Organisations are obliged to inform data subjects that their call may be recorded if a call recording system is in operation.
Throughout the course of 2013 the Office opened more than 900 complaints for investigation. More than 500 of these complaints (56.8%) were from individuals who experienced difficulty when gaining access to their personal data held by organisations. This was a record high for this type of complaint which is indicative of the increased level of awareness among the general public of their statutory right of access.
Last year the Office dealt with 1,577 Data Security Breach notifications. The 2013 Annual Report contains a variety of case studies regarding Data Security Breach investigations. One such case study involved the taking of a client list by a former employee to a new employer. This has emerged as a regular issue in recent years and is a serious breach that is a big concern for all employers.
Civil sanctions may result where a person suffers any damage as a consequence of failures on the part of a data controller to meet his/her obligations.
In November 2013 it was discovered that the personal information of more than 1,500,000 people was compromised by a major security breach at a Co. Clare based Company. In an RTE Morning Ireland interview at the time, Mr. Hawkes admitted that “cyber-criminals have become extremely sophisticated and it can be quite difficult to actually identify that your system has been perpetrated”; This was one of the worst data breaches in Irish history.
The Society for Chartered IT Professionals in Ireland, known as the Irish Computer Society (ICS), carried out a recent survey on data protection in Ireland and the results, which were published in January 2014, were astonishing.
256 Irish based companies were surveyed and a record number of data breaches were reported to have occurred in 2013. Findings revealed that one in two of the surveyed companies experienced a data breach during the last 12 months. In fact, more than 20% of the companies contacted by the ICS reported multiple breaches. These statistics mark a significant increase on last year’s figures when 43% of companies examined reported a breach.
According to the results, one third of employees are not fully aware of data protection issues and many receive insufficient data protection training or, alarmingly, no relevant training whatsoever.
Several IT managers admitted that Data Protection policies are not implemented at all in their Company or they are only partially adhered to. The survey has highlighted the need for companies to manage their data processing environment much more carefully and provide additional training for their IT administrators and all employees who have contact with personal information pertaining to employees/clients. According to the ICS survey, negligence on the part of employees accounted for 77% of the reported incidents. Hackers seeking to obtain data and unencrypted laptops were also cited as major threats.
According to Fintan Swanton, Chairman of the Association of Data Protection Officers, “Clear policies and procedures are vital, with regular refresher training and timely reviews to ensure that staff are complying with the structures.”
It is important for employers to be aware that new data protection legislation will require most organisations to appoint a Data Protection Officer.