The Office of the Data Protection Commissioner (the Commissioner) launched its twenty-fourth annual report this week detailing the work carried out by the Commissioner during 2012. The report contains details of the investigations and audits undertaken over the course of the year along with a summary of policy matters and EU activities. The full report is available here.
Increase in data protection complaints The report states that there was an increase in the overall number of complaints made to the Commissioner in 2012, with the number exceeding 2011's record high by 188 complaints. In total, the Commissioner opened 1,349 complaints for investigation in 2012. The number of data security breach notifications received has also grown, reaching 1,666 this year.
Although the overall number of complaints has not risen substantially since last year, there has been a significant surge in the number of claims made under the e-Privacy Regulations 2011. The number jumped to 606 in 2012 from 253 in 2011, with the majority relating to unsolicited emails, phone calls and SMS messages.
Complaints from individuals making access requests for their personal data held by organisations accounted for almost one-third of the overall complaints investigated over the course of the year.
Audits The report reveals that the Commissioner carried out audits of 40 organisations in 2012 and discovered significant, widespread breaches of data protection law during some of them.
An on-going two year audit of An Garda Síochána for example, revealed inappropriate access to the PULSE system by members of the Gardaí who accessed the records of two high-profile figures apparently with good cause.
A disturbing failure of governance and a worrying degree of inappropriate access to personal data by State employees was also discovered within some public bodies following an investigation into the INFOSYS system which holds information from a range of social welfare databases. The database is administered by the Department of Social Protection and is also used by a range of external third party government agencies and bodies. A number of cases are highlighted within the report where data was accessed inappropriately by users of this system. The level of inappropriate access within the HSE (the Irish public health care system) in particular indicated an unacceptable lack of awareness within the organisation as to what constituted appropriate access.