2,224 data security breaches reported in 2016, says Data Protection Commissioner

11 Apr 2017

Data Protection Commissioner Helen Dixon. Image: Connor McKenna

Reports of data breaches to see exponential rise once mandatory reporting rules under GDPR come into force, warns DPC Helen Dixon.

Ireland’s Data Protection Commissioner (DPC), Helen Dixon, has reported that the number of complaints over data privacy has increased from 932 in 2015 to 1,479 in 2016.

In the annual report for 2016, Dixon revealed that the Office of the DPC (ODPC) received 2,224 valid data security breaches during the year, down from 2,317 reported in 2015.

‘Breaches are an inevitable consequence of the handling of data’

Overall, the ODPC dealt with 15,335 queries over data privacy by email, 16,744 by telephone and 1,150 by post.

Of these, 1,479 complaints were investigated, with the largest single category of complaints continuing to be access requests (56pc).

The ODPC received 26 ‘Right to be Forgotten’ complaints with six upheld, 15 rejected and five still under investigation.

2016 was the first full year of operation of the Special Investigations Unit. The ongoing examination of the private investigator sector remained a central focus, leading to two successful prosecutions.

In 2016, the new unit also finalised preparations to open a new investigation into the hospital sector, particularly into the processing of patient-sensitive personal data in public hospitals.

The ODPC managed to get Facebook Ireland to update its cookie-banner notification to include more precise information on the use of cookies for commercial purposes.

Similarly, LinkedIn also updated information for users on its use of cookies.

The ODPC carried out 50 audits and inspections in 2016, within State agencies such as An Garda Síochána, the Revenue Commissioners, the Defence Forces and the Garda Ombudsman (GSOC).

2017 will be the year of GDPR

Dixon said that the next 12 months will be all about getting Ireland ready for the onset of the General Data Protection Regulation (GDPR).

Speaking with Siliconrepublic.com, Dixon said that once the GDPR rules come into force in 2018, she expects to see an exponential rise in the number of data breaches reported by businesses.

“The real state of data breaches is hard to assess with the current voluntary regime. It is hard to assess the real levels of non-compliance.”

She said that the banking sector appears to have the highest volume due to its own regulatory compliance rules and that, in some cases, the breach may be down to the wrong bank statement going into an envelope.

“We are going to see the mandatory code come into play and that will affect public sector bodies as well. I think we will be having a very different conversation about the nature of breaches a year from now.

“Breaches are an inevitable consequence of the handling of data.”

Dixon warned that businesses will really need to double down on front-line training because data security measures are only as good as the weakest link. She mentioned the example of an employee of a prominent coffee chain who breached privacy by putting images of CVs on Snapchat.

“At the management level, the consciousness of privacy was at its highest but that didn’t filter down to staff on the ground.”

A key matter to emerge in 2016 was the surveillance of workers by employers, particularly by CCTV, with Dixon stating that employers were failing to make the rules around reliance on CCTV footage in disciplinary processes clear to employees.

The Irish DPC’s unofficial role as a kind of European data protection commissioner, or watchdog, became all the more apparent in 2016, taking a leadership stance in matters such as the High Court case over the validity of standard contractual clauses as a means of transferring EU personal data to the US.

2016 seemed to be a busy year in the courts, with a case by Digital Rights Ireland alleging a lack of independence with the DPC role, “a position the DPC does not consider is sustained by the reality of our entirely independent regulatory operations”.

The ODPC also saw its resources increase substantially, with a new office space in the city centre and close to 70 staff now on board. This will grow to 130 people within the next two years.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years