THE DATA PROTECTION Commission (DPC) received a variety of pandemic-related queries last year, some associated with Covid-19 test results seen first by employers at workplaces.
The DPC published its 2020 annual report today. 10,151 cases were handled by the commission last year, a 9% increase on 2019 figures.
The report set out a number of case studies from the year, one of which involved Facebook’s plan to expand its suicide and self-harm tools further which was halted by the DPC.
Speaking to TheJournal.ie, the Data Protection Commissioner Helen Dixon said this was a “project that needed further thinking and analysis”.
In terms of queries received by the DPC last year, Dixon said her office received “all sorts of queries” related to Covid-19.
She said a number of issues arose in relation to certain workplaces “where the HSE decided to implement mass testing”.
“In some cases as a matter of expediency, the supervisor or employer was getting the [test] results and distributing them to staff and many workers contacted us concerned at what they saw was an infringement of their personal data in that regard,” Dixon said.
She said there were a lot of areas the office did not expect to be involved in before the pandemic, such as the data protection considerations for predicted grading in the Leaving Cert last summer.
“It wasn’t even obvious once the pandemic had hit that the examinations in the summer were not going to take place, so that was a big one.”
Facebook approached the DPC in early 2019 about expanding its Suicide and Self Injury Prevention Tool (SSI), the report said.
Since last November on Facebook and Instagram in the EU, posts that likely break the rules about suicide and self-harm are made “less visible by automatically removing them from places like Explore”, Instagram said in a statement.
The Explore page is curated by Instagram for users based on the posts they like and the people they follow.
Facebook wanted to take the measure a step further and use advanced algorithms to monitor the online interactions and posts of users on Facebook and Instagram to identify users at risk of suicide and self-harm, as it does in countries outside the EU.
Details of these users would then be notified to external parties like police and voluntary groups to intervene with the users.
“The DPC raised a number of concerns during the engagement (2019–2020) including lawful basis and adequate safeguards relating to the processing of special category
data,” the report said.
The DPC then suggested that Facebook should consult European public health authorities before proceeding any further with its plan.
A spokesperson for Facebook said today that the company is “continuing to engage with health authorities and the DPC about how we can expand this safety feature in a way that protects user privacy and complies with regulation”.
Helen Dixon described this as a “project that needed further thinking and analysis”.
“I think Facebook have been satisfied to accept that view from us and have committed to going away and doing those further steps,” she said.
Another Facebook case study involved an election day reminder feature which would remind users about any upcoming elections.
Ahead of the Irish general election last February, the DPC notified Facebook that its election reminder “raised a number of data protection concerns particularly around transparency to users” about how personal data is collected when using the feature.
Facebook later withdrew its plan to use the feature during the general election as it didn’t have enough time to make the changes recommended by the DPC.
Dixon said the DPC will discuss this feature further at a meeting with Facebook next week.
Unsolicited marketing texts
The DPC prosecuted six companies in 2020 for sending unsolicited texts or emails to people without their consent.
The companies included Three Ireland and Mizzoni’s Pizza and Pasta.
In the case of Three Ireland, on offence related to three complaints who received these unsolicited marketing texts from the company.
In relation to one complaint, Three said an intermittent bug in their system prevented opt-out messages from being acted upon.
The other complaints related to a configuration issue and human error, Three said.
“We’re still seeing a lot of the same issues. we’re seeing a high volume of complaints from individuals still finding these unsolicited messages a complete nuisance,” Dixon said.
“And we’re prosecuting the same companies in some cases over and over again so these systems issues where companies offer an update, but it fails to stick in their system, is a repeat issue that happens all the time.”
She said it’s “not good” that these has been a repeat issue for years and that the DPC will “continue to prosecute”.
She said seeing this issues repeat themselves means that “perhaps the prosecutions aren’t having the deterrent effect that we were told they would have”.
Breaches
Other examples of breaches mentioned in the report include a facial recognition trial in a secondary school intended to be used to monitor attendance.
The DPC met with staff members and the school’s board of management following media reports about the issue.
The DPC said it outlined the data protection issues surrounding the use of facial recognition in an educational environment.
The school later said it did not proceed with a trial of this technology.
In another case, bank details were sent by a staff member at a financial sector organisation through a picture on WhatsApp.
A customer had requested their IBAN and BIC numbers. They were personally known to the staff member who sent the details to them, but the staff member sent a picture of another customer’s details by mistake.
The customer contacted the organisation to say this wasn’t their information and that they had deleted the material from their device.
Another incident involved a public sector organisation which told the DPC it had inadvertently published personal data through its Twitter page.
The tweet was “removed without undue delay” and the DPC was informed that the root of the incident was human error.
A number of queries related to Vodafone customers asked to produce employment details and work phone numbers in order to avail of the company’s services.
People were concerned that the requests were excessive.
After engaging with the DPC, Vodafone said it “had made an error in the collection of this information” and changed its requirements.
Need help? Support is available:
To embed this post, copy the code below on your site
have your say