Data Protection Commissioner Publishes Guidance on dealing with the data protection issues that can arise from the use of Cloud Computing
The Data Protection Commissioner, Billy Hawkes has today published guidance on his website to assist any entity using or considering using a cloud computing solution to hold or manage the personal data for which they are responsible. The Commissioner has published this guidance for Irish based entities on foot of guidance published at a European Level by the Article 29 Working Party (of which he is a member) today on Cloud Computing and recent useful guidance produced domestically by the National Standards Authority of Ireland (NSAI), in conjunction with the Irish Internet Association (IIA). In summary, the guidance makes clear that the use of the cloud to store or handle personal data can be easily accommodated within Data Protection law once some simple steps are followed by any entity using such a service.
Media Queries to: Ciara O’Sullivan
Telephone (057) 868 4800
Fax (057) 868 4757
Commenting on the new requirements, the Commissioner stated “I am pleased that the Minister has introduced new legal requirements which recognise that the challenges to the maintenance of individual privacy are becoming increasingly complex in today’s electronic age. Individuals must be able to enjoy the benefits of new technology while at the same time remaining in control of their privacy. These new requirements give individuals new rights which my Office will enforce.
I particularly welcome the fact that the Minister has responded to public concern over data breach incidents by introducing strict requirements for service providers in this area with the ability for my Office to bring prosecutions where such requirements are not followed. I am also pleased that individuals can no longer be bothered on their mobile phones by direct marketers unless they have given their prior agreement.”
The main new requirements are:
- Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
- More stringent requirements for user consent for the placing of “cookies” on electronic devices
- Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls
All telecommunications companies and internet service providers are now required to notify the Data Protection Commissioner of every data breach involving a subscriber. They are also required to notify customers in all cases where there is a risk their data may be accessed. Failure to do so can lead to prosecution by the Commissioner with a fine of up to €5,000 per instance. The Commissioner can also for the first time prosecute companies in this area for allowing a data breach with fines on indictment of up to €250,000.
Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone etc) must provide appropriate information to the user and collect their consent except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must identify a means of obtaining user consent.
Electronic Marketing & Phone Calls
In a strengthening of the laws in this area, it is now an offence for any company or entity to phone a person on their mobile phone for a marketing purpose without having obtained their prior consent for such contact. The requirements now extend to all forms of marketing carried out by means of a publicly available electronic communications service – including, for example, the soliciting of support for charitable organisations or political parties.
Data Protection Commissioner launches his Annual Report for 2010 including special investigation on insurance data
Insurance Link Claims Database
The Commissioner is publishing the findings of the most wide-ranging investigation yet undertaken by his Office of a database of personal data kept by the insurance sector known as Insurance Link. This is a shared claims database that allows member organisations to share and cross-reference their insurance claims data. At the time of the investigation it contained details of almost two and a half million claims. The investigation identified a major lack of transparency with regard to Insurance Link and found that far too many individuals in insurance companies and other entities had access to the database, with little or no oversight of that access. Some serious incidents of inappropriate access were identified and are listed in the report.
Data Security Breaches
The Commissioner reports on his publication of a data security breach Code of Practice. This was one of the recommendations of a Working Group set up by the previous Minister for Justice, Equality and Law Reform, which also recommended a strengthening of our data protection laws to provide for penalties for serious breaches. The Code focuses on informing the people affected by security breaches so that they can take appropriate measures to protect themselves. It also encourages organisations to voluntarily report incidents to the Commissioner’s Office. 410 data security breach incidents were reported to the Office in 2010, a 350% increase on the number of reports received in the previous 12 months (there were 119 reports in 2009). This large increase in reporting is a consequence of the more exacting demands of the Code of Practice. The Commissioner reports on serious data security breach incidents that occurred in 2010 involving the GAA and SelfCatering.ie (see pages 77 and 79 of the Report). The report also includes details of an ongoing investigation of a breach affecting personal data held by the Department of Social Protection.
Data Sharing in the Public Sector
The Commissioner is publishing a set of guidelines for public sector agencies that wish to share personal data in the public interest – for example, to prevent tax evasion and other types of fraud. Transparency and proportionality are the key guiding principles. The sharing should be explicitly provided for by law. The public sector customer should know what personal data may be shared. The extent of sharing should be limited to what is necessary to achieve the public interest objective. The disclosed data should benefit from a high level of security and be securely destroyed when no longer needed.
The deployment and use of CCTV continues to give rise to complaints from members of the public. Investigations regarding the use of CCTV systems in schools, workplaces and in a small village, Culfadda in Sligo are detailed.
The report outlines concerns which arose following audits of charities. The report also provides information on positive engagements with the National Board for Safeguarding Children and the Catholic Church, the HSE in relation to its child welfare work in Limerick City and the Irish Council for General Practitioners.
The Commissioner’s report includes case studies of a number of investigations including:
- Prosecution of Ice Communications Ltd. for failing to comply with legal notices;
- Prosecution of three companies (Free Spirit Hair & Beauty Salon Ltd, Crunch Fitness Ltd and The Black Dog Communications Ltd) for sending marketing text messages;
- Prosecution of Fairco Ltd and Pure Telecom for calling numbers listed on the NDD opt-out register;
- Prosecution of Tesco for email marketing;
- Prosecution of UPC for offences related to unsolicited marketing phone calls;
- Deployment of biometric systems by commercial service providers and schools;
- Use of vehicle tracking systems;
- Disclosure of previous defence force career information by the Defence Forces;
- Disclosure of personal data by a housing association to a debt collection agent.
Note: The Annual Report is available for download in PDF format from the Data Protection Commissioner’s website: www.dataprotection.ie
Every organisation, whether in the public or the private sector, must respect the confidence placed in it by members of the public who hand over their personal data. Every customer, client and employee has the right to full control over the use of their personal information. Personal information is a valuable resource and processing it is a privilege earned by respecting the rights of individuals.
Members of the public must also be on guard to protect their personal information from criminal gangs and other organisations that purposefully set out to engage in fraud or mis-use. In that regard, the Office of the Data Protection Commissioner is calling on all households to be particularly vigilant when receiving phone calls from organisations “out of the blue” offering to fix problems that the householder did not know existed.
Specifically, the Office of the Data Protection Commissioner and Microsoft Ireland would like to warn people of a scam that remains active in the Irish marketplace. Irish consumers are receiving telephone calls from persons claiming to be from Microsoft, or working on behalf of Microsoft, to tell them they have a virus on their computer.
Details of the Scam:
- Consumers are cold called by someone claiming to be from Microsoft, told there is a problem with their computer, and offered help to solve the computer problems.
- Once the caller has gained the consumer’s trust, they ask consumers to log onto a website to download a file to help solve the problem.
- They then ask for credit card details to pay for software which will fix the virus and also potentially attempt to steal from the person by accessing personal information on their computer. In addition to gaining access to your personal details, they can also infect your computer with damaging viruses and spyware.
Deputy Data Protection Commissioner, Gary Davis indicated “Our Office has received ongoing complaints and queries from unsuspecting members of the public who have received these calls. This would appear to be a major scam targeting Ireland and people need to be aware of the issue. Together with the Gardaí, Comreg and the National Consumer Agency we have sought to highlight the issue to ensure that consumers do not fall victim. We are making progress in identifying an Irish link to these calls and intend to bring prosecutions. In the meantime the best answer is to hang up if receiving such a call and if you have provided details of your credit card to any entity on foot of such a call, we would advise you to contact your credit card provider immediately.”
Speaking on the issue Paul Rellis, General Manager, Microsoft Ireland said, “Microsoft takes the privacy and security of all our customers and partners’ personal information very seriously. We are advising customers to treat all unsolicited phone calls with scepticism and not to provide any personal information to anyone over the phone or online. Anyone who receives an unsolicited call from someone claiming to be from Microsoft should hang up. We can assure you Microsoft does not make these kinds of calls”.
More information on this scam and how consumers can protect themselves is available here:
Note to Editors:
The Council of Europe has decided that each year there should be a special day dedicated to Data Protection. 28 January is the anniversary of the opening for signature of the Council of Europe’s Data Protection Convention. This is the fifth year that countries across Europe, and indeed beyond, have marked the day by increasing awareness of data protection and privacy rights. More information on Council of Europe Data Protection Day can be found at: http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/
A working group established by the Minister for Justice, Equality and Law Reform is at present examining if changes in data protection law are necessary to deal with such data breaches.
In the public sector, recent guidance from the Department of Finance on data security advises departments and agencies to report data breaches immediately to this Office. The guidance issued today by the Commissioner recommends that the same approach be followed by all organisations.
Commenting on the Guidelines, the Commissioner said: "we have seen a welcome trend towards organisations seeking our advice when they suffer a data breach. Our main focus is on preventing such loss of personal data and the distress it can cause to individuals. But we recognise that mistakes do happen and it is vital that organisations are ready to react. That means having plans in place to trace and secure the data that has been compromised, to prevent further security breaches and to warn those affected by the data security breach. It means allocating responsibility for the key decisions that have to be made in such circumstances. By these means organisations will prevent a bad situation from deteriorating further."
The annual ICS Data Protection Conference will take place on the 2nd April at the Hilton Hotel, Charlemont Place, Dublin 2. The conference is organised by the Irish Computer Society’s Privacy Forum, a special interest group for privacy professionals and those with data protection responsibilities.
This event’s unique balance of real-life case studies and expert opinion makes it the ideal opportunity for organisations that handle personal information to build on their existing knowledge. Leading Irish companies, such as An Post, Bank of Ireland and BT Ireland, will share their experiences so that you can implement proven best practice in your organisation. Some of Ireland’s foremost data protection and information security experts will give practical advice to help you adhere to the most important data protection rules.
Full agenda: http://www.ics.ie/dp/DPcon09agenda.html
Single delegate, only €280, register online using discount code “IIA”
2 for 1 offer – email Edwina Fogarty (email@example.com) or phone 01-6447842
On the occasion of the 3rd Council of Europe Data Protection Day, Data Protection Commissioner Billy Hawkes today launched two new initiatives aimed at increasing awareness of data protection rights and obligations amongst the public and those holding personal data.
The Commissioner is publishing a new data protection audit resource for organisations. It is hoped that the new resource will provide organisations holding personal data with a simple and clear basis to conduct a self-assessment of their compliance with their obligations under the Data Protection Acts. The Commissioner noted that "over the past year we have had a large number of very high profile losses of personal data and other incidents affecting all sectors of society. There is clear room for improvement. The data protection audit resource will help organisations to easily identify areas where improvement in their data protection practices are required."
The second initiative is a new video clip competition with a €10,000 prize fund. This is a joint collaboration with Google. Entrants are asked to submit video clips on the theme of ‘Private I, Public Eye’. This is the second year of the video clip competition. Commissioner Hawkes said "My office is delighted to organise this competition in conjunction with Google. Based on the extremely high standard of entries received for last year’s competition, I am confident that this year the competition will be even more successful in reaching out to people who may not be fully aware of their data protection rights. I am particularly delighted to work closely with Google as a key provider of public access to information, including personal information and also appreciate Google’s commitment in providing the prize fund for this competition."
Google, when announcing the competition said "We are delighted to work with the Office of the Data Protection Commissioner to help promote awareness of privacy and data protection. YouTube is a fantastic channel through which to promote such issues among younger people in particular and this competition provides a great opportunity for amateur film makers to profile their work to a global audience".
The competition is being hosted on YouTube and the aim is to use the winning clips in schools to promote awareness of how people can take more control of their own information.
The new audit resource is available to download from
Details for the competition are available at www.youtube.com/dataprotection
The IIA welcomes the O-C Group as the newest members of the association. In their own words
“O-C Group provides the payment industry with a complete solution in payment processing technology and business operations to increase revenues and reduce costs. As a Qualified Security Assessor, O-C Group are approved to perform Payment Card Industry audits for any organisation which stores, processes or transmits cardholder data.”
Hubert O’Donoghue, one of the company directors, contacted me recently about their work and from this conversation I really think they have a lot of expertise to offer the IIA membership in the area of transaction management. For example, on their site they have included a knowledge base with plenty of resources for those seeking to learn more about transaction management. I’ll certainly be having a good look because, while Hubert was very good at explaining much about transaction management and the Payment Card Industry Security Standards, it would certainly be an area I could brush up on.
(Hah? What’s The OC?)
Although the Darklight Symposia weren’t quite like the bar in Cheers where everybody knows your name, there were a lot of familiar names and faces at this event. A good sign for Darklight, because it means that they touched a chord with the topics they chose and also attracted respected panellists. I attended the first symposium of the day, “Letting it all hang out: Privacy vs. Publicity in the Virtual World”, and caught the very end of the second, “Web 3.0: Where next for the Internet”. Brendan Hughes, chair of the IIA Social Media Working Group, gives a good overview of the topics on his own blog. The festival continued in venues around Dublin all weekend.
I was particularly interested in the first symposium they ran this morning. Regular readers might recall that I was at another seminar last month about privacy in the Institute of International and European Affairs. While the two audiences were very different (Peter Fleischer from Google would not have been making jokes about Google employees’ non-tie-wearing* at today’s event, let me encapsulate it like that!) they had many of the same concerns, albeit from a different angle. There was a strong sense of “us” and “them” to many of the comments from the floor. “Us” seemed to refer to the private citizen and “them” to anyone who wasn’t; but even “them” is made up of private citizens who have rights too, among them a right to earn a living. Also, “them” variously referred to businesses and government: businesses who are retaining data about those using their services; governments using that data for crime-fighting purposes. However, there was little acknowledgement of the fact that those companies were generally obliged by those governments to keep that information but also to protect it. And where does the government get the mandate to oblige those companies to keep AND to protect it? From this “us”. However, it would be disingenuous not to acknowledge that many of the concerns in the room were about the lack of disclosure about, and access to, exactly what information certain larger internet companies are retaining about individuals and their use of their services.
Businesses are, of course, not without their influence when it comes to data-protection policies. Involvement in bodies like the IIA allows businesses to come together and debate these issues and present a united view to the government. It is also essential that businesses remain aware of their obligations under data protection and privacy legislation and the IIA hopes to keep businesses abreast of these issues.
The keynote speaker was Daniel J. Solove, Associate Professor of Law at the George Washington University Law School, and the author of “The Digital Person: Technology and Privacy In The Information Age”. This book can be downloaded for free from www.futureofreputation.com. Chaired by solicitor and digital rights expert Caroline Campbell, the panel included journalist Jim Carroll, Hotline.ie director Cormac Callanan, Relevant Media owner Niall Larkin and Irish blogger Damien Mulley. The audience was made up of a mix of bloggers, developers, researchers, consultants and policy makers.
* Tie-wearing: I recall being irked at the IIEA seminar because Fleischer made a flip comment about how he could spot his Google colleagues a mile off because they were always the ones not wearing ties. This annoyed me because I had spoken to one of his colleagues earlier and SHE was most definitely not wearing a tie and probably never does. Similarly, Annette Clancy from Inter-Actions, who I was sitting beside at the Darklight symposium on Friday, made a point from the floor that there were no women (bar the chair) on the panel on Friday, and this was the case in both of the sessions. Working for an organisation that is constantly seeking good speakers and presenters for a variety of event types, I understand Darklight’s conundrum when they approach people and some of them are unavailable, and unfortunately that affects the gender balance on their panel. Similarly, I appreciate the viewpoint that to deliberately seek women because they are women could be just as sexist as not having women at all. However, I do tend more to the side that it is essential that all aspects of a question are discussed. Women experience and use technology differently and for different purposes to men. I’m sure there’s research to back this up and would appreciate any links to same. Annette said to me later that one issue that was not discussed, and she feels that this was due to the lack of women on the panel, was the issue of privacy and cyber-stalking. While this may not be solely experienced by women, if virtual life reflects real life, chances are the majority of its victims are women.
Is the virtual life experience of women and their absence from some fora a reflection of the real life experience of women in technology and business? Why are the women unavailable? Where is the brave new world that the internet promises to all of us?