AN GARDA SÍOCHÁNA and the Fastway delivery firm are among the organisations that were reprimanded over data breaches, according to a watchdog’s annual report.

Gardaí reported a breach to the Data Protection Commission (DPC) involving the names and addresses of 108 individuals, some of whom were children, processed at Kilmainham Garda Station.

On 15 December 2022, its decision found that the Gardaí infringed Sections 71, 72, 75 and 78 of the Data Protection Act 2018, imposed a reprimand and ordered the organisation to bring its processing into compliance.

In the same month, the DPC adopted a decision on a personal data breach that Fastway Couriers had reported to the watchdog.

Fastway was reprimanded and received an administrative fine of €15,000, which is pending confirmation in the courts.

“The personal data breach concerned unauthorised access to a significant amount of personal data,” the watchdog said.

“The decision found that Fastway infringed Article 32(1) of the GDPR by failing to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data.”

In its annual report, the DPC said there were 5,828 GDPR data breaches reported last year, down 12% on 2021.

The most frequent cause of reported breaches was from correspondence inadvertently being sent to the wrong recipients, at 62% of the overall total.

Of the total 5,828 breach notifications that the DPC received, 3,014 related to the private sector, 2,568 to the public sector and the remaining 246 came from the voluntary and charity sector.

As of 31 December 2022, the DPC was pursuing 88 statutory inquiries, including 22 large-scale cross-border inquiries.

The DPC has also imposed administrative fines ranging from €1,500 to €17 million on six different organisations; all of these funds have been collected and transferred to the Exchequer.

Among the organisations were Limerick City and County Council, fined €110,000 in December 2021; Bank of Ireland, fined €463,000 in March, and Meta Ireland, fined €17 million in March.

Limerick council has taken corrective actions including obtaining Garda permission for more than 353 CCTV cameras, removing all automated number plate recognition technology and removing cameras that were focused on traveller accommodation sites.

Plans to bring in real-time monitoring of CCTV cameras in 14 towns and villages across Co Limerick were also abandoned.

A draft DPC decision has been issued on surveillance technologies used by Kildare County Council, and final decisions have been issued into inquiries concerning Kerry County Council and Waterford City and County Council.

The Commissioner for Data Protection Helen Dixon said that 2022 saw “significant outputs” from the organisation in its efforts to drive GDPR compliance and protect the people’s data rights.

“While the DPC encourages and guides organisations in achieving highest standards of protection in their processing of personal data, the DPC has also demonstrated it does not shy away from enforcing the law and applying sanctions where warranted,” she said.

“Two-thirds of the fines issued across Europe last year, including the EU, EEA and UK, were issued by the DPC on foot of detailed and comprehensive investigations, a fact that underlines both the outsized role, and exceptional performance, of the organisation in effectively holding those guilty of non-compliance to account.”