Data breach code 'not signed off'

 

A code of practice that would have forced organisations to report cases where personal data was stolen or compromised cannot be enforced because it was not put before the Oireachtas prior to the dissolution of the last Dáil.

Data Protection Commissioner Billy Hawkes approved the code last year to help organisations to react appropriately when they become aware of breaches of security involving customer or employee personal information.

Mr Hawkes told the Irish Computer Society 3rd annual Data Protection Conference the code, which he submitted to then minister for justice Dermot Ahern in July last year, does not have the force of law because the final step to give it such force was never taken.

The code was one of two recommendations of a working group set up by Mr Ahern. Fine Gael TD Simon Coveney had previously published a Private Members' Bill on the issue.

The other recommendation of the working group was that gross breaches of data protection should attract criminal sanctions.

Recent high profile cases of data breaches included the theft of the entire GAA membership database of over half a million people.

Mr Hawkes presented the code to Mr Ahern in July last year after it had been opened for public consultation.

“At the time of the dissolution of the Dáil, this final step [laying the code before the Oireachtas to give it the force of law] had not yet been taken,” Mr Hawkes told The Irish Times.

“So therefore the code of practice that exists now is not legally binding - it’s just strong recommendations.”

Mr Hawkes said he had done his part and sent the code to the Minister. He believed, however, the more important step would be to put the penalty provision in place. “I think it would be helpful to have such a penalty power in reserve, to be used sparingly.

“If you had penalties and there was a major breach today, even without a code of practice there would be a sufficient basis to prosecute. The two recommendations should be seen as very much complementary.”

Information security consultant Daragh O'Brien said organisations should comply with the code on data breach reporting because it was good practice and allowed them to learn where their risks were.

He said that even though implementation of an EU privacy directive was coming down the tracks in May, with further changes due to the data protection directive in 2015, the Irish government did not have a particularly good record in implementing such directives.

The conference last weekend heard many companies are now heeding the message that personal data on laptops and other devices must be properly secured and encrypted.

Last year, there were more cases of data breaches in more traditional areas, such as “mistakes” with direct mailing and information sent to the wrong person.

Other speakers included information security consultant Brian Honan, and Ivan O’Brien of Ernst & Young, who delivered a paper on the challenges to privacy in a “borderless world”.