THE DATA PROTECTION Commissioner dealt with a record 1,161 complaints during 2011.
That figure shows a significant jump when compared with the 783 complaints for investigation noted in the previous year.
According to Billy Hawkes’s annual report, a total of 253 complaints were opened in relation to unsolicited direct marketing text messages, phone calls, faxes and emails.
Although that number is up just marginally on 2010 figures, the Office indicated that it is a rising trend among Irish businesses. There were 54 prosecutions against six entities as a result of direct marketing and Hawkes commented that many companies were unaware they were breaking any rules.
During the course of our investigations of these complaints we invariably find that the offending businesses concerned are unaware of the law which applies to such communications with regard to subscriber consent and the requirement to provide an opt-out mechanism in each marketing message.
According to the report, most complaints are resolved amicably without enforcement decisions. However, there were 17 formal decisions made in 2011 with 13 upholding the complainant’s assertion that there had been a breach of the ePrivacy Regulations.
Altogether 22 per cent of complaints were made under the ePrivacy Regulations. The remainder relate to the Data Protection Acts of 1988 and 2003. More than 560 complaints about access rights reflects not a increased rate of incidents but a “growing level of public awareness of the right of access to personal data”, said Hawkes.
Eleven complaints about postal direct marketing were made, and another 11 about the “unfair retention of data”.
Fourteen cases were made against companies for requesting excessive data, while 25 were accused of failing to secure data. The use of CCTV footage was complained about on 37 occasions.
Disclosure complaints made up 10 per cent of all investigations, while alleged “unfair obtaining of data” was reported 42 times.
During the course of the General Election, 25 separate investigations were started because of direct marketing by political parties and candidates. Hawkes said he was dissatisfied with the exemption which excludes politicians from the scope of the Data Protection Act.
I expressed my dissatisfaction then that I was unable to launch investigations into complaints which I received from voters who received unsolicited SMS messages, emails or phone calls even when they had made it clear that they did not wish to be contacted in that way. Had such unsolicited marketing contact been made to members of the public by any other entity, such as a commercial business, there would be no restriction on my investigating the matter.
Name and shame
Hawkes published a list of Enforcement and Information Notices served in 2011 in the hopes of “encouraging all organisations that are the subject of complaints to co-operate fully” with his office.
“The vast majority of organisations voluntarily engage with my Office without the need for a formal legal notice to advance an investigation,” he said.
JP Distribution, The Clarence Hotel Sligo, Shandon Street Private Hospital and Eircom Limited were among those issued with enforcement notices but the Eircom Limited notes are currently under appeal at the Circuit Court.
There has been a 300 per cent increase in the number of data security breaches being reported by companies to the Office but Hawkes said that this is not an acutal increase in the incidents but “rather a raised awareness of the need to notify”.
Hawkes said the inappropriate disposal of patient records by the HSE was of particular concern. Citing an incident when records were found in a dustbin outside Roscommon General Hospital, the Commissioner said he was forced to write to the HSE to compel it to follow recommendations made back in 2009.
Threatening legal action, Hawkes said the events demonstrated the lack of central responsibility regarding data protection matters withing the HSE.
Correspondence between the two bodies has since ensued and Hawkes said although it is too early to assess the impact, he is “heartened” and “encouraged” by the appointment of a director at the HSE with lead responsibility in the area.
Of the 28 audits carried out in 2011, the Office said that of Facebook Ireland was the most complex. It required about one quarter of the organisation’s staff resources for three months, as well as external technical assistance from University College Dublin.
A planned inspection of An Garda Síochána has been delayed until later this year because of the strain on resources caused by the Facebook audit.
An in-depth examination of the use of INFOSYS – a database administered by the Department of Social Protection – is still ongoing and work is being undertaken to address the deficiencies spotted so far.
Phone hacking and other issues
Following revelations in the UK about phone hacking incidents, Hawkes’s office began a consultation with mobile network operators in Ireland. There was a positive response from all operators, according to the Data Protection Commissioner, who said he is satisfied that any vulnerabilities that did exist on the network have now been addressed.
The Office continues to work with the National Board for Safeguarding Children in the Catholic Church about best practice relating to child protection policies and procedures.
During 2011, Eircom, Vodafone, UPC and O2 were prosecuted for marketing offences, including making unsolicited calls to landlines which had their numbers placed on an opt-out register.
In the UPC case, the defendant faced 12 charges for persistent calling of an individual in a two-week period in 2009. Fine of €7,100 were imposed on UPC – the highest of the four companies prosecuted on the same day.
Hawkes said he was pleased with the outcome of the cases as it sent a “strong message” to organisations about the importance of compliance.
Another investigation was opened in October 2010 and completed last year after a complaint was received from an individual claiming that his personal privacy was being impacted through the “inappropriate use” of CCTV cameras at his workplace.
The Office found that Westwood Swimming Ltd had used the CCTV system to monitor an employee, something which is in breach of the Data Protection Acts. The company agreed to remove cameras from the office space, drop disciplinary actions taken against the employee on foot of what was seen and ensure the staff member would not suffer as a result of the footage.