The Data Protection Commissioner has said any decision to take enforcement action against a State body or other organisation where there may be breaches of data protection law has to be at the discretion of her office.
Helen Dixon was speaking about her office's engagement with the Department of Education in relation to the primary online database (POD) rolled out at the start of the current school year.
She recently found that the department did not have a statutory basis for collecting some of the personal information about pupils that schools were asked to include in the new database.
The department has said it needs the data for statistical and planning purposes. Following complaints from a small number of parents, however, the commissioner’s office engaged with the department and some changes were made to the project.
Asked why she had not taken action against the department in this case and why she had not ordered it to start again with a new database, Ms Dixon said that if her office had been satisfied the project didn’t have a substantial legal basis at the outset, she “wouldn’t have hesitated to call it”.
Hundreds of thousands of parents had “legitimately engaged with POD” and the office had to take a “pragmatic approach” in terms of what purpose it would serve to halt it when “ the end result would be the same”.
“The office may prosecute, it may enforce; it also has an obligation to drive compliance. And in this case, we weighed up the level of non-compliance and we weighed up the approach of the Department of Education and we weighed up the issues that this would pose for all of the parents that had engaged with it and we took the approach that we did.
“It ultimately has to be at the discretion of the office in terms of all the circumstances of which we are aware and in terms of the level of non-compliance that we’re looking at.”
Asked whether criticisms by her predecessor Billy Hawkes of State entities and their sometimes poor attitude to personal data still applied, Ms Dixon said there were still issues and her office was targeting it as a "priority area for action" to try to improve outcomes. Ten of 27 formal decisions issued by the commissioner last year were against State bodies.
The office committed a significant amount of time to its privacy audits and to engagement with the technology multinationals based in
Ms Dixon said this engagement was designed to ensure the services such firms were rolling out in Europe as part of global product launches were compliant with European legislation and met the expectations of European citizens.
Difficulties in gaining access to personal information from organisations were the main source of complaint to the office last year, accounting for just over 54 per cent of the 960 complaints opened.
Complaints about unsolicited marketing by text and email accounted for 18 per cent of complaints, although the number of complaints had now fallen below 200.
A record number of notifications (2,264) about data breaches involving personal information was received last year. The increase was largely accounted for by an increase in the number of cases where the wrong personal information was sent by post or email.
In 2014, the commissioner also successfully prosecuted private investigators who had “blagged” personal information from State bodies and passed it to credit unions.