The Irish Data Protection Commission (DPC) published its 2021 Annual Report in February 2022.
It includes over 30 case studies on a range of topics, which are practical and illustrative examples of how the DPC addresses some common issues.
The most useful case studies can be divided into three categories:
- Processing access requests.
- Use of data for new or additional purposes.
- Case studies related to security.
Processing access requests
Access requests continue to be one of the top issues in complaints received by DPC. The DPC has identified a growing trend in 2021 of data controllers not responding to data subject requests or complaint correspondence from the DPC itself.
Content missing from an access request
The DPC received a complaint from a person who stated that they had not received all the personal data relating to them. In particular, they were looking for an email they had sent to the controller which related to a separate appeal they were pursuing. The controller proved to the DPC that the email never reached any of the intended recipients – it was quarantined by a spam filter and was automatically deleted. Since the email did not exist at the time of the access request, it did not need to be included in the response to the access request. But the DPC noted that when implementing such a quarantine system, the controller must balance the rights and freedoms of individuals against the security requirements of the controller.
Only the data available at the time of the access request must be shared and the implementation of any security measures must be measured against the impact on the rights and freedoms of the persons concerned.
Identity verification obligations
A person who submitted an access request to a controller (a hotel) was asked by the hotel to provide a copy of a utility bill and a copy of photo ID verified by An Garda Síochána. The DPC asked the controller to set out what specific concerns it had about the identity of the data subject who made the request. The DPC noted that the postal address and email address used were the same as those provided during the booking process. The DPC considered that the level of verification sought was not proportionate to the categories of data held by the data controller and that identity could have been verified by questions of a different nature, drawing on the information the controller already held on file.
A controller should only request the minimum amount of additional information necessary and proportionate to prove the identity of an applicant.
Use data for a new purpose
It is common for data controllers to use data collected for a specific purpose for additional purposes that were not previously disclosed to data subjects.
Use of data collected for one purpose that is also used for a different purpose
The controller (who performed a statutory function) used a dispatch system with the aim of ensuring the most efficient use of drivers and vehicles, particularly in emergency situations. The system recorded various details that the employer used to verify overtime and subsistence claims. The employer denied the grievor’s overtime request due to inconsistencies between the details on the grievor’s form and those recorded in the dispatch system. The controller had no written policy on the use of the dispatch system, but the requirement to include dispatch reference numbers in overtime requests signalled to employees that the system was being used for other purposes. Using the system in this way was in line with the controller’s legitimate interests, and it should be noted that the controller’s legal obligations regarding verification of overtime for payments etc. were also relevant.
Certain steps must be followed before data collected for one purpose can be used for a different purpose, but it is possible to do so if the new purpose is compatible with the original purpose.
Case studies related to security
Under the GDPR, it is mandatory to notify the DPC of any personal data breach that occurs. Unauthorised disclosure of personal data accounts for up to 71% of data breach notifications. The report contains a number of useful case studies of unauthorised disclosure.
Unauthorized disclosure in the workplace
A complainant was in a dispute with a data controller and filed a complaint with the DPC. About a month before the complaint, the DPC had received a notification from the data controller about a data breach in which a submission to the Workplace Relations Commission process had been inadvertently stored in a folder accessible to all employees. It was corrected two days later. The DPC took the view that there was no evidence that the file had been improperly accessed during this time and viewed favourably the fact that the data breach had been notified. Regarding security measures, the DPC said the company was clearly aware of the disclosure risks and had failed to take adequate steps to mitigate those risks.
Ensure measures are taken to secure personal data appropriate to the risk and promptly notify the DPC in the event of a data breach.
Unauthorized disclosure of video conferencing
An educational institution used a video conferencing application for presentations by students to their professors. Sessions were recorded so that presentations could be shared with external reviewers. It later emerged that recordings of each student’s presentation and the examiners’ internal deliberations were available to all affected students. The data controller reported this data breach to the DPC.
Basic security steps around the implementation of new technologies should not be overlooked. The risks arising from such technology should be clearly documented as part of a data protection impact assessment.
Misdirected email breach
An email containing a sensitive encrypted file was sent to the wrong email address. The file was encrypted, but the error was repeated by the controller sending a separate email containing the password to the same incorrect email address.
Although encryption is an important step in protecting sensitive information, the protection it provides can be undone if the password or key is sent through the same channel as the encrypted file. Encryption keys should be shared through a separate medium such as SMS, if possible.
Improper disposal of materials
An educational institution had an employee working from home due to pandemic restrictions. The employee worked on printed copies of a number of job applications and CVs. The employee had been instructed by the employer to destroy the documents before disposing of them, and there was a policy in place that required the documents to be securely destroyed before disposal. The employee had not been provided with a shredder and disposed of the documents in the household recycling bin. Strong winds caused the contents of the bin to disperse.
Having good information handling policies is important, but employees must also have the means to implement those policies. If employees are required to securely destroy documents, then they must have a shredder or other means of securely destroying the documents.
With the recent publication of the Data Protection Commission’s regulatory strategy and the content of the annual report, it is clear that the DPC intends to take a more robust approach to enforcement. This will require investments by employers in the continuing professional development of their staff. The case studies in the annual report show the importance of getting the basic steps right and serve as a helpful reminder of some things that can go wrong.