Record rise in complaints over personal info breaches to Data Commissioner

12 May 2014

In its annual report for 2013, the Data Protection Commissioner for Ireland cited a record high in the number of complaints from individuals experiencing difficulties gaining access to personal data held by organisations.

Some 517 complaints – representing 57pc of overall complaints investigated by the Data Protection Commissioner (DPC) – concerned access requests.

The DPC said that complaints in 2013 about unsolicited marketing communications are at a similar level to recent years with 204 complaints opened for investigation.

Among the complaints were the disclosure by Carphone Warehouse of a customer’s details to strangers resulting in distressful consequences.

In another case an official of the Department of Social Protection accessed departmental records for their own personal use.

Companies were also prosecuted across the State for unsolicited marketing offences, the DPC said.

Data breaches

In 2013 the DPC dealt with 1,577 Data Security Breach notifications, including the data security breach at Loyaltybuild that saw as many as 100,000 Irish consumers’ credit card details compromised.

During an inspection of LoyaltyBuild’s systems Loyaltybuild advised that it had been inadvertently recording full credit card details in unencrypted format and that it was not a part of their recorded process.

One of the conditions of remedial action by Loyaltybuild involves achieving the Payment Card Industry Security Standard. An audit of the company will continue this year.

Other cases being investigated involved the taking of a client list by an ex-employee to a new employer. The DPC said that this is becoming a recurring issue in the Irish economy.

The DPC also received the first notifications by telecoms firms via the new online reporting mechanism laid down by the European Commission regulation 611/2013, under which telcos must report within 24 hours to their respective data commissioners if they have experienced a security breach.

Audits

A total of 44 audits and inspections were carried out in 2013, up 10pc on last year.

Audits included the commencement into the audit of business social networking site LinkedIn.

Audits also included an audit of An Garda Siochana concerning the accuracy and security of data recorded into An Garda Siochana’s PULSE system and how it was accessed.

“Overall, we found that the majority of the areas examined demonstrated a professional police force operating in compliance with data protection legislation.”

The DPC said that it took part in a Global Privacy Internet Sweep to review the terms of privacy policies on certain websites as well as a “Cookie Compliance” sweep.

“2013 was the year of revelations about the extent of access by US and European intelligence agencies to data,” the DPC said.

“This has sparked an important and welcome debate on the proper balance between national security and privacy considerations for the 21st Century.”

Security breach image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com