Data Protection Commissioner launches his Annual Report for 2010 including special investigation on insurance data
Insurance Link Claims Database
The Commissioner is publishing the findings of the most wide ranging investigation yet undertaken by his Office of a database of personal data kept by the insurance sector known as Insurance Link. This is a shared claims database that allows member organisations to share and cross-reference their insurance claims data. At the time of the investigation it contained details of almost two and a half million claims. The investigation identified a major lack of transparency with regard to Insurance Link and that far too many individuals in insurance companies and other entities had access to the database with little or no oversight of that access. Some serious incidents of inappropriate access were identified and are listed in the report.
Data Security Breaches
The Commissioner reports on his publication of a data security breach Code of Practice. This was one of the recommendations of a Working Group set up by the previous Minister for Justice, Equality and Law Reform which also recommended a strengthening of our data protection laws to provide for penalties for serious breaches. The Code focuses on informing the people affected by security breaches so that they can take appropriate measures to protect themselves. It alsoencourages organisations to voluntarily report incidents to the Commissioner’s Office. 410 data security breach incidents were reported to the Office in 2010, a 350% increase on the number of reports received in the previous 12 months (there were 119 reports in 2009). This large increase in reporting is a consequence of the more exacting demands of the Code of Practice. The Commissioner reports on serious data security breach incidents that occurred in 2010 involving the GAA and SelfCatering.ie (see pages 77 and 79 of the Report). The report also includes details of an ongoing investigation of a breach affecting personal data held by the Department of Social Protection.
Data Sharing in the Public Sector
The Commissioner is publishing a set of guidelines for public sector agencies that wish to share personal data in the public interest – for example, to prevent tax evasion and other types of fraud. Transparency and proportionality are the key guiding principles. The sharing should be explicitly provided for by law. The public sector customer should know what personal data may be shared. The extent of sharing should be limited to what is necessary to achieve the public interest objective. The disclosed data should benefit from a high level of security and be securely destroyed when no longer needed.
The deployment and use of CCTV continues to give rise to complaints from members of the public. Investigations regarding the use of CCTV systems in schools, workplaces and in a small village, Culfadda in Sligo are detailed.
The report outlines concerns which arose following audits of charities. The report also provides information on positive engagements with the National Board for Safeguarding Children and the Catholic Church, the HSE in relation to its child welfare work in Limerick City and the Irish Council for General Practitioners.
The Commissioner’s report includes case studies of a number of investigations including:
· Prosecution of Ice Communications Ltd. for failing to comply with legal notices;
· Prosecution of three companies (Free Spirit Hair & Beauty Salon Ltd, Crunch Fitness Ltd and The Black Dog Communications Ltd) for sending marketing text messages;
- Prosecution of Fairco Ltd and Pure Telecom for calling numbers listed on the NDD opt-out register;
- Prosecution of Tesco for email marketing;
- Prosecution of UPC for offences related to unsolicited marketing phone calls;
- Deployment of biometric systems by commercial service providers and schools;
- Use of vehicle tracking systems
- Disclosure of previous defence force career information by the Defence Forces
- Disclosure of personal data by a housing association to a debt collection agent.
Note: The Annual Report is available for download in PDF format from the Data Protection Commissioner’s website: www.dataprotection.ie