The Data Protection Commissioner's
2011 Annual Report was published today. While the whole document is well worth reading, a few highlights struck me as worth particular attention.
Resources
Unsurprisingly - particularly in the light of the ongoing
Facebook investigation - the report starts by saying that the financial and personnel position of the Office has become unsustainable in light of increased demands, with the warning that failing to remedy this will jeopardise investment in Ireland:
The scope of our responsibilities has changed significantly in the past 3 to 5 years. This arises in particular from the success of the Industrial Development Authority in attracting to Ireland companies conducting significant processing of personal data. We have worked with these companies to help them understand their obligations under EU data protection law towards all EU users of their services.
The legislative proposals presented by the European Commission1 in January of this year, if passed into law, will involve increased responsibilities for our Office under the so-called “one-stop-shop” arrangement for multinational companies providing services to EU users from an Irish base. While the exact division of labour between data protection authorities has yet to be finalised, it clearly will involve a greater degree of responsibility for our Office in relation to multinational companies which choose Ireland as an EU base. Failure to adequately discharge this responsibility will carry significant reputational risks for the country...
The implications of our increased European responsibilities were brought home to us forcefully in relation to our audit of the activities of Facebook-Ireland. Facebook- Ireland had unambiguously placed itself under our Office’s jurisdiction through changes in its contractual arrangements with its EU users and the establishment of clear responsibility for the processing of their data. We therefore included them in our programme of audits for 2011. This was the most complex audit ever undertaken by our Office, involving about a quarter of our staff resources for 3 months and external technical assistance from University College Dublin (UCD)...
We clearly cannot maintain a similar level of commitment in relation to other multinational companies without additional resources. I am confident that this message is understood by the Government and would hope to be allocated additional resources in the course of this year. [All emphasis added.]
Number of incidentsComplaints reached a record high last year with 1,161 complaints under the Data Protection Acts and 253 complaints under the ePrivacy Regulations (dealing with unsolicited texts messages, etc.). Remarkably, data breach notifications outnumbered both types of complaints with 1,167 notifications during the year from 186 different organisations (up from 119 in 2009 and 410 in 2010). This seems to reflect greater awareness of the obligation to notify, rather than any increase in breaches, and presumably will plateau in coming years - but the sheer volume of notifications presents its own challenges.
Unsolicited marketing prosecutionsOne area where the DPC has been particularly successful is in relation to unsolicited marketing text messages and telephone calls, where there now seems to be a well-oiled machine in place for prosecuting repeat offenders. In relation to communications providers alone, in 2011 successful prosecutions were brought against:
* Eircom: one unsolicited telephone marketing call, Probation Act applied, €2,000 donation made to charity;
* Vodafone: four unsolicited telephone marketing calls, one text message, total of €3,850 in fines imposed;
* o2: one unsolicited text message, Probation Act applied, €2,000 donation made to charity;
* UPC: eighteen charges relating to unsolicited telephone marketing calls, total of €7,100 in fines imposed.
Political spam now prohibitedUntil recently there was an extensive exemption for political direct marketing - one which was arguably incompatible with the requirements of the ePrivacy Directive. This has now been amended, which will no doubt be a relief to Irish voters in the run up to the Fiscal Treaty referendum:
A second issue of concern which I commented on in 2009 was the direct marketing exemption which excluded from the scope of the Data Protection Acts any direct marketing carried out for political purposes by political parties or by candidates for election to political office. I expressed my dissatisfaction then that I was unable to launch investigations into complaints which I received from voters who received unsolicited SMS messages, emails or phone calls even when they had made it clear that they did not wish to be contacted in that way. Had such unsolicited marketing contact been made to members of the public by any other entity, such as a commercial business, there would be no restriction on my investigating the matter. I expressed doubts in my 2009 Annual Report about the consistency with EU Directives of the exemption in this country for such political activities.
I am pleased to report that the Minister for Communications, in framing S.I. 336 of 2011, removed the exemption relating to direct marketing for political activities in the context of marketing communications carried out by electronic means – such as SMS messages, faxes, email and telephone calls. As a result, I am no longer restricted from investigating complaints in this area. Accordingly, in my role as Data Protection Commissioner, I am obliged to investigate any such complaints in this area.
In this respect, arising out of the Presidential Election which took place following the commencement of SI 336 of 2011 on 1 July, I have already issued a warning to a political party about the sending of unsolicited marketing text messages in the course of the campaign. A second such incident is likely to lead to a prosecution. [Although not identified in the Annual Report, the Sunday Times has named Sinn Fein as the offending party.]
Department of Social Protection AuditOne of the greatest offenders against individual privacy has been the Department of Social Protection, formerly the Department of Social Welfare, which has a long and ignominious track record of staff abuse of personal information. (
One recent example.) Worryingly, however, the Annual Report confirms earlier reports that Social Protection databases may be open to abuse externally as well as internally - by other state entities which have access to the departmental systems:
Also included in the list of the audits is an INFOSYS investigation. This refers to an in-depth examination of the use of INFOSYS – a database of social welfare data administered by the Department of Social Protection. The INFOSYS investigation focused on the authorised use of INFOSYS by a whole range of external third parties, including local authorities and state agencies. Initially INFOSYS was a ‘desk audit’ entailing extensive correspondence in the second and third quarter of 2011 between my Office and external users of INFOSYS. It was my intention to comment extensively on this investigation in this report but this has not proven possible, given the resources needed, to complete it to a suitable level. However, the interim findings have caused my Office to engage with the Department of Social Protection and the large number of entities authorised to access the system to address the deficiencies identified so far.
Guthrie Cards / Heel Prick SamplesOne of the most important issues dealt with by the report is the (long delayed)
destruction of
illegally-held blood samples taken from all newborns. The full discussion is too long to excerpt here, but one important point (which the media don't appear to have picked up) is that the Minister for Health and the HSE appear to have attempted to evade the Data Protection Commissioner in their efforts to create a national DNA database, by freezing out the DPC from a "review" of the decision to destroy the samples:
A final issue that emerged can essentially be summarised as that it would be useful to continue to hold the millions of samples involved to form the basis of a national database which could be used for health-related genetic (DNA) analysis We were obliged to point out that the creation of such a database, without the consent of the persons involved (or their parents/guardians as appropriate) would be a clear breach of the Data Protection Acts. It would also run counter to the spirit (if not the letter) of the Disability Act 2005 – which requires individual consent for the carrying out of genetic tests – and of the Marper judgment of the European Court of Human Rights in relation to the retention of DNA samples in a criminal context However, in light of concerns expressed around such issues, we understand that the Minister for Health asked for a full review of the decision taken by the HSE to destroy the samples on the terms agreed with this Office. We were not a party to this review but it is now completed and at the time of writing the Minister had approved the position previously agreed including the publicity campaign for people to seek earlier deletion or continued retention depending on their own particular preferences.
Security cluelessnessFinally, although it's not an issue of any great significance, I was amused by case study 7 in which insurance company Allianz chose to use three pieces of
publicly available information for their "security questions":
Allianz informed us that it introduced three ID security questions consisting of date of birth, mother's maiden name and place of birth. It stated that these questions were introduced to ensure that it was keeping its customer's personal information safe and secure and to prevent any unauthorised disclosure. As previously outlined in my 2009 Annual Report it is our view that the use of questions such as date of birth and mother's maiden name for the purpose of ensuring security of data is not an adequate safeguard against disclosure to a third party. Such questions may in fact be a security vulnerability as this type of information is publicly available upon payment of a fee to the General Register Office and is therefore of limited value on its own as a security feature.