Data Protection Commissioner sees 48% surge in number of complaints

Tue, May 1, 2012, 01:00

THERE WAS a record number of complaints to the Data Protection Commissioner’s office last year, with an increase of 48 per cent on the 2010 figure.

Billy Hawkes, the Data Protection Commissioner, said the 1,161 complaints related to issues such as unsolicited marketing by text message and email, and the unlawful use of CCTV to monitor employees.

Prosecutions were taken by the commissioner last year against telecommunications companies Vodafone, UPC, Eircom and 02 for marketing offences under “e-privacy regulations”.

In the case of UPC, the company entered guilty pleas to 18 charges relating to unsolicited marketing phone calls made to four individuals who had previously told the company they did not want to receive such calls.

Other cases included excessive data collection by Swan Leisure centre in Rathmines, Dublin. An individual had complained that the centre had refused to allow him and his child use the swimming pool because he declined to complete its “guest registration form”.

The form sought personal details such as name, address, date of birth, email and mobile phone number. Medical details were also sought. The commissioner informed the centre this information was excessive.

In a case involving Westwood Swimming Ltd, Mr Hawkes said the improper use of CCTV to monitor employees was a matter of “increasing concern” to him.

Nearly 100 complaints or queries were made by individuals who received unwanted contact from candidates or political parties in the course of the general election campaign last year. Mr Hawkes noted that a previous exemption from normal data protection requirements for such contacts had been removed in July.

The commissioner noted a shift in the nature and type of complaints received last year, with individuals concerned about the security of their personal data and the uses made of that data by software and technology applications.

Complaints concerning access rights to personal data, at 562, accounted for nearly half of the overall total of 1,161.

For the first time, data breach notifications – where personal information held by a company or other entity has been compromised – outstripped the number of complaints. There were 1,167 breach notifications, of which some 75 per cent related to errors in postal mailing. The total number of breaches reported was up 300 per cent on 2010.

Mr Hawkes said he did not see this as an actual increase in the number of breaches but rather a reflection of a raised awareness of the need to notify his office when such a breach occurred.

The commissioner’s office carried out 28 audits during the year.

Mr Hawkes said the audit of Facebook Ireland, headed by deputy commissioner Gary Davis, had been “the most challenging” the office had carried out.

Mr Hawkes said that with the success of the IDA in attracting “major players” such as Facebook to Ireland, there had been a tendency to underestimate the resource requirements of his office. The commissioner’s office had suffered a “huge cut” in its budget about three years ago.

The overall cost of running the office of 22 staff last year was €1,523,620.

THE COMMISSIONER'S REPORT: 2011 CASE STUDIES

VETERINARY PRACTICE

A VETERINARY practice apologised after it gave the name and address of a dog’s new owner to its former owner, who had been “seeking to arrange contact with his former pet”, said the Data Protection Commissioner’s report.

The new owner had found a “stray” dog, which was microchipped. The former owner had indicated he did not want the dog returned. However, he subsequently wrote a letter to the new owner seeking to meet her and the dog, after he obtained her name and address from the vet it had previously attended.

The practice had been led to believe the former owner wanted to check his dog’s microchip was no longer registered to him and it looked up the details on the website fido.ieand passed on the new owner’s name and address.

When contacted by the commissioner, it said this would not have happened if it had been advised truthfully and its staff were now “thoroughly aware” of the need to protect personal data.

PRIVATE INVESTIGATOR

A MAN raised his former employer’s alleged failure to comply with his request for access to personal data obtained on him by a private investigator hired by the company. The commissioner said he was receiving “with greater frequency” complaints from individuals having difficulty accessing security or surveillance reports conducted by private investigators.

He said the decision to use a private investigator to gather personal data “surreptitiously” carried “very serous risk” of breaching data protection laws.

LEISURE CENTRE

A MAN complained about the information sought by Swan Leisure in Rathmines, Dublin, on a “guest registration form” in order to allow himself and his son use its swimming pool.

The form sought name, address, date of birth, email and mobile phone number as well as medical information. The commissioner told the centre the information sought was excessive.

TELECOM COMPANIES

EIRCOM, VODAFONE, 02 and UPC were all before the Dublin District Court in March charged in relation to unsolicited marketing contact with customers by phone and text message.

In the case of UPC, it faced charges relating to four customers, one of whom had been telephoned “persistently” over a two-week period in 2009.

CCTV MONITORING

THE COMMISSIONER issued a formal decision against Westwood Swimming Ltd in Leopardstown, Co Dublin, over its use of CCTV to monitor an employee, who complained to the commissioner. Expressing “concern” about the improper use of CCTV to monitor employees, the commissioner said any monitoring must be a “proportionate” response to a risk faced by an employer, taking into account legitimate privacy and other interests of workers.