Data protection needs to be taken seriously or we will pay
Presence of so many established computing, technology and internet companies increases need for action
Billy Hawkes: The Data Protection Commissioner flagged problems in his report that the Government would do well to address with a seriousness and responsibility it has not shown to date.
This week, the Office of the Data Protection Commissioner released the final annual report that will be made under the aegis of Data Protection Commissioner Billy Hawkes, who retires from this position later this year.
It’s a critical moment for his office and for the Government.
As Hawkes rightly highlights in his foreword to the report, 2013 was the year whistleblower Edward Snowden changed the way individuals and governments view access to data, with the businesses that collect and store much of this information caught somewhere in between.
That has placed data protection in the public eye and high on the public agenda. Governments need to take such issues seriously – and to be seen to do so.
With major focus on the role of businesses in the collection and dispersal – legal or otherwise – of personal data, proper regulation and oversight of the corporate side of the equation is also an international concern.
Given the presence of so many of the big and established, as well as up and coming, technology and internet companies in this country, our data protection system will be under increased international scrutiny.
Hawkes points towards all these issues in his foreword and flags problems the Government would do well to address with a seriousness and responsibility it has not shown to date.
“The resulting debate [following the Snowden leaks] has thrown a welcome spotlight on the general issue of State access to personal data,” Hawkes writes, a situation he notes has been given further visibility here and across Europe in the past month with the decision of the European Court of Justice (ECJ) to throw out the 2006 EU Data Retention Directive*.
“But the [ECJ] judgment has significance beyond that of data retention. Our audits of State organisations have, in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State,” Hawkes says in his foreword.
Into that pointed summary one could put the wrist-slapping punishments various departments have placed on civil servants who have, sometimes repeatedly, accessed people’s data without any valid reason to do so – a long-standing situation that has spanned the terms of, and exasperated, two data protection commissioners.
One can throw in the Garda taping scandal too. The Garda tapes came to light because of contact made with Hawkes by former Garda commissioner Martin Callinan regarding how the tapes should be handled to comply with data protection law.
It still is unclear why these tapes were made in the first place and how such a situation could have continued at so many stations for so long.
Hawkes was adamant in interviews that these data handling and management concerns – and the by and large bland response of the Government and its various departments and agencies to these issues – remain a major problem.
“Failure to treat personal data with respect can only lessen the trust that should exist between the individual and the State,” Hawkes writes.
“It will also lead inevitably to more formal enforcement action by my Office unless system-wide action is taken to improve current practice.”
As his office becomes subject to a new Government appointment this year, one temptation for officialdom might well be to place someone toothless into the role and shrug off such warnings.
That would be a mistake, destructive to national reputation as well as the domestic economy.
Ireland must have a person who is both tough and fair in the role of commissioner.
If this country does not address the data handling problems highlighted by Hawkes, it will be seen as a sloppy data management environment by the broader European Union and the world community, which would be damaging to our reputation.
Data protection reform at EU level means that by next year we are likely to have a new data protection regulation that will place particular responsibility for oversight and investigations of companies on the DPC office in the state in which the companies are based.
As so many of these major data handlers are based here – including many at the centre of Snowden’s allegations – this places an additional burden and responsibility for good oversight on Ireland’s DPC.
There’s a significant potential impact for our own economy: companies may not welcome regulation, but will prefer a transparent, fair and professional process.
Or they may go elsewhere.
* This article was amended on May 15th 2014 to correct a date