There has been a 50pc surge in the number of data breach notifications reported in Ireland during 2014, with 2,264 cases recorded. Data Protection Commissioner Helen Dixon says she now has the resources to uphold digital rights.
Dixon’s arrival into the office of the Data Protection Commission following her predecessor Billy Hawkes’ departure coincided with the appointment of Dara Murphy TD as Data Protection Minister.
Dixon paid tribute to Hawkes and said that he and his team paved the way for a near doubling of the 2015 budget from €1.8m to €3.6m, the increase in headcount from 29 to 50 and the opening of a new office in Dublin in 2015.
Dixon said that the task of independent regulation of privacy in Ireland is tantamount given the 60pc smartphone ownership among the population, the arrival of the “right to be forgotten” rules following the Google Spain case and ensuring privacy is respected by public and private organisations in Ireland.
As well as acting on statutory enforcement notices, privacy audits on organisations like LinkedIn and An Garda Siochana, and ensuring companies publicly report data breaches, an expanded international remit in line with the European data protection legislation has given her office plenty to do.
Data protection challenges in Ireland
Other challenges that arose in the past year concerned the use of Personal Public Service Numbers by the new water utility Irish Water.
It also had to field similar issues concerning the Department of Education and Skills’ Primary Online Database.
A looming issue concerns the rollout of the new Eircode national postcode and how that pertains to how the postcodes could be used to identify individuals.
2014 saw the Data Protection Commission undertake a high volume of casework in terms of the abuse of personal data, and one company was prosecuted for the use of private investigators.
Self-reported notifications of data breaches approached nearly 2,300 during the year.
Dixon said the principle causes of data breaches were human error and not systemic, such as the inclusion of the wrong bank statement in the wrong envelope or the wrong spreadsheet in an email.
Data protection complaints in 2014 included access rights (54pc), electronic direct marketing (18pc), disclosure (7.2pc), unfair processing of data (5pc), internet search result delisting (3pc) and the use of CCTV footage (3pc).
In terms of internet search delisting under the “right to be forgotten” system, there were 32 cases in Ireland where people had their information removed from internet search engines.
The DPC reported that it continues to engage with Facebook in Ireland in terms of the introduction of new features and the new terms and conditions launched in January.
The DPC is examining a proposal from Apple to roll out a mobile mapping product in terms of data protection matters for Irish and European jurisdictions.
Work continues with LinkedIn to ensure it complies with the audit recommendations.
The DPC said it is continuing to get updates from Microsoft on issues relating to the establishment of new services in Ireland.
Global privacy sweep on apps
In May last year 26 privacy enforcement authorities, including Ireland, participated in the second global Privacy Enforcement Network Privacy Sweep and over 1,211 apps were examined.
These included a mix of Apple and Android apps, free and paid, as well as public and private sector apps.
In Ireland’s case, the sweep involved the examination of 20 apps from diverse sectors like transport, retail, media, banking, entertainment and government.
The DPC found that, in 55pc of cases, the privacy information provided by the apps only partially explained the collection, use and disclosure of personal information, with questions remaining to some of the permissions requested.
Two apps stood out in terms of best practice – Ulster Bank and Tralee Credit Union.
At the other end of the scale, the DPC found that three of the apps failed to provide adequate information, while one app provided no information whatsoever.
“2015 sees this Office in a stronger-than-ever position to continue, in Ireland and beyond, helping to shape the data-protection environment and ensuring compliance with the relevant laws,” Dixon said.
“The nature of the internet means data protection is clearly a global matter, and I believe that meaningful cooperation and the free exchange of ideas are essential to making data protection work for everyone. I firmly believe in an engaged approach, to ensure that data protection rights are upheld, while ensuring access to digital services that many enjoy and even rely upon.
“The expanded resources of my Office and geographic proximity to decision-makers in leading technology companies make us well-placed to regulate with the full efficacy that our stakeholders deserve,” Dixon added.