Companies need ‘very good reason’ for 3rd parties to look at data, expert says

Companies must ensure data is protected, Daragh O’Brien says

The Office of the Director of Corporate Enforcement (ODCE) has applied to the High Court to appoint an investigator to look at the affairs of Independent News and Media. Photograph: Bryan Meade

The Office of the Director of Corporate Enforcement (ODCE) has applied to the High Court to appoint an investigator to look at the affairs of Independent News and Media. Photograph: Bryan Meade

 

Companies have an obligation to ensure they keep data safe and secure and need to have a “very good reason” to get third parties to look at data, an expert in the field has said.

Speaking to The Irish Times Inside Business Podcast, Daragh O’Brien, chief executive of data advisory Castlebridge, noted that pursuant to the current data protection act in force since 1998, companies have to ensure they “protect information from any unauthorised access and any unauthorised processing”.

Citing a body of case law both in the European Court of Human Rights (ECtHR) and the European Court of Justice (ECJ), Mr O’Brien flagged the need for transparency and balance in the engagement of any monitoring in the workplace.

“In the context of any organisation getting involved in a trawl or search of data, it’s important that it’s targeted and balanced,” he said.

“There needs to be a rationale [for the data search], you can’t just go on a fishing trip. You need to have a reason to look at the data,” Mr O’Brien added.

He flagged the need for controls in place if companies are in the process of looking at data, saying that there needs to be a clear reason why you’re doing a search and when it will stop.

Mr O’Brien’s comments come following an application by the Office of the Director of Corporate Enforcement (ODCE) to appoint an investigator to look at the affairs of Independent News and Media (INM).

An affidavit filed by by Ian Drennan, the director of Corporate Enforcement, says that in 2014 there was a “data breach” at INM that apparently involved the information on the media group’s server being copied and given to specialists outside the group.

Asked about what the data protection commissioner will look at in the company, Mr O’Brien said they’ll examine the governance structures in place in the organisation, the basis for the access to data and the basis for transferring data out of one organisation to another.

“A trawl of an entire server looking for information may not be considered balanced and proportionate but that’s up to the data protection commissioner to decide,” he said.