A charity that works with men who have behaved violently in the home has been censured by the Data Protection Commission after video recordings of counselling sessions involving up to 120 men went missing.
MOVE (Men Overcoming Violence) Ireland made a mandatory report regarding the data breach to the DPC in February of 2020 after 18 portable SD cards suspected of containing recordings of men discussing their “behaviour and attitudes with regard to domestic violence” went missing.
MOVE is a rarer form of outreach charity in that it deals with perpetrators of violence, as opposed to victims, with the aim of “supporting the safety and wellbeing of women and their children who are experiencing or have experienced violence or abuse in an intimate relationship”.
The recorded counselling sessions in question, which were first noted as being missing in the Sligo area in December 2019, may have shown the men participating in those sessions, while the personal data contained on the SD cards included the “disclosure of behaviours, feelings and attitudes towards current or ex-partners, other family members, and friends” who may have been named by those being counselled, the DPC said.
The Commission found that MOVE had infringed GDPR by failing to implement measures to ensure a level of security appropriate to the risk inherent in recording such sensitive information.
Together with an official reprimand, the DPC ordered MOVE to bring its data processing in terms of recording group sessions into line with Articles 5 and 32 of the GDPR.
A fine of €1,500 was also administered, one of the smallest the Commission has handed out to date.
Asked why such a low fine was administered for such an apparently broad-ranging breach, a spokesperson for the DPC said it must “arrive at a figure that is effective, proportionate and dissuasive having regard to the circumstances of each individual case and the turnover of the data controller”.
“The sensitivity of the personal data is one of the factors that the DPC had regard to in calculating the fine,” they added.
MOVE Ireland did not respond to a request for comment.
The DPC has the power to impose fines for GDPR breaches ranging as high as either €20m or 4% of a body’s turnover, whichever is higher.
In its full report on the matter, the DPC noted that MOVE’s turnover in 2019 had been €686,421.
The report also notes that MOVE disputed the amount of the administrative fine proposed, that it believed it was “unclear” as to whether what had happened constituted a breach of data protection, and that it did not believe it had a responsibility to report itself for the breach and that the fact it had done so should mitigate in its favour.
In fact, all such breaches are supposed to be reported to the DPC within 72 hours.
The nature of the breach was greeted with incredulity by sources within the outreach sector.
“I don’t know why they would record their sessions,” one source said. “You have to be so careful in these cases given what is being discussed is essentially a crime.”
Dr Cliona Saidlear, executive director with Rape Crisis Network Ireland, said the low fine indicated a viewpoint that “there isn’t any point in penalising the charity out of existence”.
“You impose a penalty for poor behaviour because you want an outcome. What you want to know is if they have changed practice, or learned their lesson,” she said.
“If you’re going to do something like recording a session you have to think carefully about the risks. Because the first rule of data protection is that a breach will happen.”
Meanwhile, Antoin O Lachtnain, director with privacy advocacy group Digital Rights Ireland, described the DPC’s fine as being “very low” given the sensitivity of the breach.
He described the breach as “a near miss”, one with “important lessons for data controllers in the health and social services sector”.
Civil rights group the Irish Council for Civil Liberties said meanwhile that its “thoughts are very much with anyone who has been affected by this leak”.
“When we think of recording and storing sensitive data, we must be sure that it is lawful and absolutely necessary,” Olga Cronin, the ICCL’s policy officer, said.
“In this case, the most secure option may have been not to retain the data in the first place.”