2017 was an eventful year for the Data Protection Commissioner in Ireland.
2017 seems like a distant memory at this stage, and it can be easy to forget just how much happened in terms of data protection in a single year. From the Public Services Card controversy to preparing for GDPR, Data Protection Commissioner (DPC) Helen Dixon and other team members of the Office of the DPC (ODPC) have had a busy 12 months.
This is the fourth report issued under Dixon as DPC and she herself noted just how quickly the landscape changed in only a year. “Even in that relatively short period, the importance of our personal data – and moreover, our comprehension of what it means to have our personal data collected, used and transferred by countless visible and invisible actors – has multiplied exponentially.”
Major budget increase for the ODPC
In 2017, the ODPC’s budget was increased to €7.5m, allowing the body to recruit new team members, bringing the team to 85 people at the end of the year. For 2018, the budget has been increased once more to €11.7m, with a further 55 new staff members to be recruited.
Record number of complaints
The ODPC saw 2,642 complaints lodged and handled in 2017, a record number for the body. 2016 saw just 1,438 complaints sent. While many of the complaints were resolved, the report noted that those that did not produce a satisfying outcome for the complainant often involved issues arising from the recession, such as transfer of loan books and receiverships. These cases often have personal data transfer elements, but data protection law is not always able to resolve the problems.
Breaches on the increase
2,795 valid security breaches were recorded in 2017, an increase of 26pc compared to 2016. The most common types of breaches reported to the ODPC were: inappropriate handling of personal data, loss of data held on devices such as USB keys and paper files, and network security compromises such as hacking and malware.
The number of network security compromises more than doubled to 49 from 23 in 2016. There was, however, a slight decrease in the number of website security breaches, down to six from 16 reported last year. Phishing and social engineering attacks increased and the ODPC said that there were a number of factors at play that contributed to these breaches, including: a lack of staff training, slowness to patch devices, poor password policies and failure to update antivirus software, among other things.
GDPR training unit established
The dedicated GDPR unit was set up to raise awareness of the upcoming regulation, including through a microsite. On GDPR, Dixon said: “The best results for data subjects are secured when organisations of all types deliver on their obligations to be fair and transparent. We firmly believe that organisations should see the GDPR as an opportunity rather than a challenge, and that those who can demonstrate a true commitment to data protection will be rewarded in the marketplace for their services.”
Keeping an eye on multinationals
The ODPC has been keeping watch over multinational companies such as Facebook, Oath, WhatsApp and LinkedIn regarding a number of different data-related issues, from location data collection to salary reporting. 19 data breaches reported this year happened at multinational firms.
The ODPC found numerous issues that contributed to the breaches, such as: an over-reliance on data processors to implement security measures, a lack of awareness of security rules and a failure to undertake regular reviews of security measures.
Consulting keeping ODPC busy
The consultation arm of the ODPC was busy, with 61pc of the organisations seeking help belonging to the private sector. AIB, Deloitte and other companies worked with the ODPC on their GDPR readiness plans.
In the public sector, numerous Government departments consulted on matters such as the Public Services Card, mobile phone data and community CCTV regulations.
Almost 100 organisations audited
91 audits or inspections were carried out by the ODPC, including an examination into alleged misuse of CCTV in a direct provision centre, and a controversial policy that saw retailers issuing e-receipts in physical stores without correctly informing people about how their data (email addresses in this case) would be used. The ODPC also reported on how a Fingal library borrower’s record, which contained sexually explicit data entries, was found by a staff member.
The ODPC’s Special Investigations Unit continued its work in the private investigator sector, resulting in several prosecutions. It also commenced an investigation into the hospital sector on the processing of patient data; into Tusla (the Child and Family Agency) regarding the governance of personal data concerning child protection cases; and into the Public Services Card of the Department of Employment and Social Protection.
Dixon concluded: “The protection of personal data is of fundamental importance in this digital age. The Irish DPC has a critically important role to play in ensuring those protections are delivered and I’m pleased to launch my annual report today to highlight outcomes, progress and challenges for the past year, and to raise awareness of data protection law as we move into GDPR implementation in 2018.”