Data Protection Commissioner (DPC) Helen Dixon warned in her annual report, published yesterday, that an overhaul of EU laws was coming down the tracks in terms of greater protection of personal information.
“We are going to see a very big change and that’s really what I was referencing when I made the reference to a new era,” she told the Irish Examiner.
“At an EU level the law is being completely overhauled and that new law in the form of the General Data Protection Regulation and in due course also a new e-privacy regulation is going to be implemented from May 2018.”
She said data will be treated with greater care.
“We are all going to be under obligation to treat the personal data that we process much more carefully in the future. We’re going to have to ensure that there is much greater transparency to users, in terms of the personal data that we collect and process.
“For public bodies, we will have to appoint on a mandatory basis by law a data protection officer.”
However, the new law does not just demand greater accountability on the part of the companies and state bodies, it gives individuals more rights.
“For the individual, the intention of this new law is that it puts all of us much more in control because arguably we are not in control at the moment because we are not entirely clear all the time who’s collecting what on us.
“A lot of organisations have pro forma privacy policies that are extremely difficult to decipher, they’re not concise and intelligible to the user. We don’t see in plain English exactly what a company is collecting on us and what third parties they’re sharing it with.”
In the report, the DPC outlined emerging issues in the field of data protection.
“It’s clear that power in terms of internet tracking and driving profit from interest-based ads lies largely in the hands of a few big platforms and that questions need to be asked and answered as to whether consumers are being left between a rock and a hard place with too little choice (and therefore subject to a type of ‘forced consent’) given that media outlets are all signed up to those same ad exchanges.”
The report also detailed the number of queries the DPC received, as well as the number of breaches reported. In 2016, the DPC dealt with 15,335 queries by email, 16,744 by phone and 1,150 queries by post. Some 2,224 valid data security breaches were recorded.
Unsolicited marketing email
An online retailer was prosecuted by the Data Protection Commissioner (DPC) for sending an unsolicited marketing email.
A customer received an unsolicited email after opting out of marketing from the company, Shop Direct Ireland Limited trading as Littlewoods Ireland.
Littlewoods Ireland carried out a review of the customer’s account.
It found that while she was correctly opted out of email marketing, she was not opted out of third-party marketing.
It then took steps to opt the customer out of third-party marketing.
A “null value” was applied to the email marketing field of the customer’s account but this had the unintended consequence of opting her back into email marketing.
In court, last April, the company pleaded guilty to one charge of sending an unsolicited marketing email without consent.
The company made a charitable donation and the charge was struck out.
Bank disclosed personal data
The Data Protection Commissioner (DPC) received a complaint last year that Bank of Ireland (BoI) had disclosed personal information to a third party. This occurred because BoI failed to properly “verify the identity” of an individual on the phone.
The individual in question was the mother of the complainant, her son, who shared a forename with his father. The mother mistakenly thought the call was in relation to an account she held with her husband.
BoI did not contest the disclosure but said confusion had arisen. The DPC found BoI contravened Section 2A(1) of the Data Protection Acts 1988 and 2003. “While the circumstances of this case involved the verbal unauthorised disclosure of personal data to a family member of the data subject concerned, this in no way makes it any less serious than if it had been a written disclosure to an unrelated third party,” the DPC said.
Hackers demand ransom from school
A ransom was demanded from an Irish primary school after hackers seized personal data.
The Data Protection Commissioner (DPC) received a report about a breach from a primary school last October, where parts of the school’s information systems had been encrypted (data was concealed) by a third party.
This meant the school was unable to access its own files, which contained names, dates of birth, and personal public service numbers.
A ransom was then demanded from the school to release the encrypted files.
The DPC found that the school “failed to ensure that adequate security measures were in place, to protect against the unauthorised processing and disclosure of personal data”.
The DPC made several recommendations to the school, which were followed.