Data Protection Commissioner launches his Annual Report for 2010 including special investigation on insurance data
Insurance Link Claims Database
The Commissioner is publishing the findings of the most wide-ranging investigation yet undertaken by his Office of a database of personal data kept by the insurance sector known as Insurance Link. This is a shared claims database that allows member organisations to share and cross-reference their insurance claims data. At the time of the investigation it contained details of almost two and a half million claims. The investigation identified a major lack of transparency with regard to Insurance Link and found that far too many individuals in insurance companies and other entities had access to the database with little or no oversight of that access. Some serious incidents of inappropriate access were identified and are listed in the report.
Data Security Breaches
The Commissioner reports on his publication of a data security breach Code of Practice. This was one of the recommendations of a Working Group set up by the previous Minister for Justice, Equality and Law Reform which also recommended a strengthening of our data protection laws to provide for penalties for serious breaches. The Code focuses on informing the people affected by security breaches so that they can take appropriate measures to protect themselves. It also encourages organisations to voluntarily report incidents to the Commissioner’s Office. 410 data security breach incidents were reported to the Office in 2010, a 350% increase on the number of reports received in the previous 12 months (there were 119 reports in 2009). This large increase in reporting is a consequence of the more exacting demands of the Code of Practice. The Commissioner reports on serious data security breach incidents that occurred in 2010 involving the GAA and SelfCatering.ie (see pages 77 and 79 of the Report). The report also includes details of an ongoing investigation of a breach affecting personal data held by the Department of Social Protection.
Data Sharing in the Public Sector
The Commissioner is publishing a set of guidelines for public sector agencies that wish to share personal data in the public interest – for example, to prevent tax evasion and other types of fraud. Transparency and proportionality are the key guiding principles. The sharing should be explicitly provided for by law. The public sector customer should know what personal data may be shared. The extent of sharing should be limited to what is necessary to achieve the public interest objective. The disclosed data should benefit from a high level of security and be securely destroyed when no longer needed.
The deployment and use of CCTV continues to give rise to complaints from members of the public. Investigations regarding the use of CCTV systems in schools, workplaces and in a small village, Culfadda in Sligo, are detailed.
The report outlines concerns which arose following audits of charities. The report also provides information on positive engagements with the National Board for Safeguarding Children and the Catholic Church, the HSE in relation to its child welfare work in Limerick City and the Irish Council for General Practitioners.
The Commissioner’s report includes case studies of a number of investigations including:
- Prosecution of Ice Communications Ltd. for failing to comply with legal notices;
- Prosecution of three companies (Free Spirit Hair & Beauty Salon Ltd, Crunch Fitness Ltd and The Black Dog Communications Ltd) for sending marketing text messages;
- Prosecution of Fairco Ltd and Pure Telecom for calling numbers listed on the NDD opt-out register;
- Prosecution of Tesco for email marketing;
- Prosecution of UPC for offences related to unsolicited marketing phone calls;
- Deployment of biometric systems by commercial service providers and schools;
- Use of vehicle tracking systems;
- Disclosure of previous defence force career information by the Defence Forces;
- Disclosure of personal data by a housing association to a debt collection agent.
Note: The Annual Report is available for download in PDF format from the Data Protection Commissioner’s website: www.dataprotection.ie
Statutory Instrument No. 526 of 2008 which has now come into effect amends Statutory Instrument No. 535 of 2003 which has been in force since November 2003. Amongst the changes in the new Statutory Instrument are:
- An increase from €3,000 to €5,000 in the penalty for a summary offence in respect of a contravention of the regulation relating to unsolicited communications.
- The creation of an indictable offence for a contravention of the regulation relating to unsolicited communications. Where the person tried is a body corporate the fine imposed may not exceed €250,000 or, if 10% of the turnover of the person is greater than that amount, an amount equal to that percentage. Where the person tried is a natural person, the fine imposed may not exceed €50,000.
- Provision for the prosecution of an officer of a body corporate for an offence under the regulations whether or not the body corporate itself has been proceeded against or been convicted of the offence committed by the body.
- In relation to offences concerning the contravention of the regulation relating to unsolicited communications if, in court proceedings concerning such offences, the question of whether or not a subscriber consented to receiving an unsolicited communication is in issue, the onus of establishing that the subscriber consented will lie on the defendant.
Speaking today, Billy Hawkes said: "The signing of these Regulations by the Minister is an important and significant step in the fight against unsolicited communications for marketing purposes. I welcome the increase in penalties which have come into effect. I am confident that the strengthening of the law in this area will help me in my task to enforce the regulations concerning unsolicited communications. I want to take this opportunity to remind persons engaged in direct marketing activities that my Office continues to pay close attention to the whole area of unsolicited communications by telephone, fax, email and text message. The new regulations, together with the serving of a considerable volume of summonses by my Office in the past fifteen months, serve to send a strong message to all involved in direct marketing about the necessity of compliance with the law."
Concluding, the Commissioner said: "I want, in particular, to send a message to all involved in business to familiarise themselves with the law which applies to unsolicited communications for direct marketing purposes. Increasingly, in this period of economic downturn, my Office is receiving complaints about businesses making unsolicited contact with their past customers for marketing purposes. In many cases, such contact is unlawful and, if carried out by telephone, text message or email it may be a criminal offence. Ignorance of the law is not an acceptable excuse for non-compliance and I will have no hesitation in applying the full force of the new regulations to offenders."