Complaint by Defence Forces member ‘destroyed in burglary and flood’

Case among several privacy breaches highlighted in Data Protection Commissioner’s report

Records of an internal complaint made by a member of the Defence Forces were destroyed in a flood and a burglary at a military investigating officer's private house.

The Defence Forces were found to have breached data protection law by failing to take appropriate security measures to secure the individual’s personal information.

The details were published on Tuesday in Data Protection Commissioner Helen Dixon’s annual report for 2015.

The Defence Forces told the commissioner it prohibited the removal of records and that such action may constitute an offence under the Defence Act. But as the military investigation officer was no longer a serving member, he was not subject to military law.

In a formal decision, the commissioner found the Defence Forces had contravened the Data Protection Acts by failing to take appropriate security measures in relation to the individual’s personal data when it allowed it to be stored at an unsecured location.

The commissioner warned that “extreme caution” should be exercised in workplace scenarios where staff and managers may need to take personal data home with them, to ensure there was no risk to the security of personal data.

The commissioner also said it was critical that employees be prohibited from emailing official files from their workplace email account to their personal email account for after hours work or for any other reason.

Formal decisions were also issued by the commissioner in cases involving the Department of Social Protection, Danske Bank and AIB.

Issues involving covert CCTV footage and monitoring of employees also feature prominently in the annual report.

In one case, an employee of a supermarket was dismissed for “gross misconduct” after she placed a paper bag over a CCTV camera in a staff canteen. The commissioner told the business that, in her view, there was no justification for having CCTV installed in the canteen area.

Ms Dixon said many businesses had justifiable reasons, usually related to security, for the deployment of CCTV on their premises. But any further use of the data captured in this way was unlawful, unless the business had at least made it known at the time of recording that the information may be used for additional purposes.

The commissioner also made a formal decision that Letterkenny General Hospital broke the law in relation to CCTV cameras installed in a maintentance area.

Another employer breached the Data Protection Acts by handing over details of an employee’s swipe card accesses to his workplace to his manager.

In her report, the commissioner said she continued to engage with the multinationals Facebook and LinkedIn, advocating a 'privacy by design' approach to all new products.

The commissioner’s report also expresses concern about privacy settings on mobile apps.

Some 932 complaints were opened for investigation by the commissioner last year. Over 60 per cent of them related to people’s rights to gain access to the personal information held about them by companies and other bodies.

A total of 11 per cent of the complaints related to unsolicited electronic marketing, such as via text messages and emails.

Some 2,376 data breaches were notified to the commissioner, but she noted that many of them involved human error and related to only one or two individuals.

The office dealt with 14,427 emails and 16,173 telephone queries in 2015.

Ms Dixon said 2015 had been a “pivotal year” for her office and more generally for the protection of data rights both at national and international level.

“Significantly increased resources and ongoing recruitment, in particular of specialist experts, provided the means to grow and strengthen our capability to continue to shape the data protection environment, protect data rights and ensure proper compliance with data protection law,” she said.

"Most notably on the international front, the Court of Justice of the European Union made a number of seminal judgments.

"These made clear the extensive protection of personal data under the EU Charter of Fundamental Rights, with significant impact for data protection authorities across Europe.

“Likewise, agreement on a new legal framework for data protection in Europe will clearly lay out new rights for individuals, increased obligations for organisations handling personal data and an increasing focus on enforcement for data protection authorities.”