Woman’s medical records disclosed to an insurance company

Data Protection Commissioner’s office dealt with 1,507 valid data breach notifications during 2013

The Data Protection Commissioner’s office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild (above), which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

The Data Protection Commissioner’s office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild (above), which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

 

The disclosure by a GP of a woman’s medical records to an insurance company and the sending of an email containing a patient file by another GP to an incorrect address were among the case studies highlighted in the 2013 annual report.

Notification was also received by the Data Protection Commissioner’s office from a medical practitioner that their computer system had been compromised by ‘ransomware’ and that they were unable to access their patient files.

They had received a demand for € 5,000 in return for the reinstatement of the data but they had informed gardaí and had not paid the ransom. Five months worth of patient files were lost as the practitioner also discovered the back-up files had been infected with the rogue software.

Case studies highlighted also included a complaint against Carphone Warehouse, after a trainee employee gave out a customer’s home address in an “isolated” area to two individuals who claimed to have found her mobile phone and wanted to return it to her after it was stolen and seeking a reward for finding it.

The report said the disclosure of the woman’s address to strangers resulted in “considerable distress”. Regardless of the fact that the employee concerned was a trainee, this disclosure should not have happened.

Electric Ireland was the subject of a complaint over its ‘Feet on the Street’ marketing campaign after a sales agent called to a former customer’s home and was in possession of their personal details.

The Data Protection Commissioner told Electric Ireland its processing of the information was unlawful.

Mr Hawkes said companies needed to “tread carefully” in the space of win-back marketing campaigns as “without the prior marketing consent of the former customers concerned, there is no legal basis to process marketing lists using such retained personal data”.

It was also “disappointing” that the telecommunications sector remained a cause of complaint given the number of prosecutions taken against that sector in recent years for marketing offences.

Prosecutions were taken during the year against Eircom, Meteor, Telefonica (O2) and Vodafone for such offences.

The office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild, which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

Some 61 per cent of data breaches were the result of postal mailing breaches. The annual report said that while a number of these were the result of mail merge issues at the printing stage, “an unacceptably high” percentage were the result of human error.

Complaints about unsolicited direct marketing text messages, emails, phone calls and fax messages were 22.4 per cent of the total.

Bad customer service was increasingly the driving force behind people making requests under the Data Protection Acts to get access to their personal data, the commissioner’s office said.

The 517 complaints concerning access requests accounted for some 56.8 per cent of the total of 910 complaints opened by the Data Protection Commissioner’s office in 2013. This was the highest number ever received by the office in this category.

Mr Hawkes said this pointed to the extent of the difficulties being experienced by individuals in their efforts to exercise their rights and the barriers that some data controllers place in their way.

“Data protection has to be a corporate concern, a boardroom concern, with the clear direction coming from the top of every organisation whether that’s in the public or private sector.”

Audits were carried out on 40 organisations last year, including LinkedIn Ireland, Siptu, AA Ireland, the Health and Safety Authority, Irish Life, An Post, IBRC, Carlow Institute of Technology, Advanced Laser Light and several credit unions.