Data protection chief warns HSE and credit unions on poor privacy
Published 24/06/2015 | 02:30
The Data Protection Commissioner has rapped the knuckles of the HSE and a credit union for giving out financial information about employees and members.
The data chief's annual report for 2014 details how a HSE employee's salary details were wrongly given out by the health body to an accountancy firm representing the employee's ex-wife. The HSE admitted that it was harangued into providing the details without the employee's consent and should not have done so.
The report also documents how a credit union disclosed a member's loan and savings information to the member's daughter due to a sloppy staff mistake. And it criticised the growing practice among letting agencies of demanding bank details, utility bills and PPS numbers before prospective tenants could view properties.
The report also details a surge in reported data breaches during 2014 as companies and institutions declared more and more errant use of data. Examples include financial statements mailed out to wrong addresses or sensitive information being passed on to brokers or other third parties who are not legally entitled to it.
The report details nine prosecutions for data protection offences and 38 audits, including those of LinkedIn and An Garda Síochána.
Pure Telecom, Carphone Warehouse, Next Retail and Airtricity Ireland were all prosecuted for marketing offences. Meanwhile, MCK Rentals and Michael Gaynor were prosecuted for improper accessing of personal data - or 'blagging' - from State agencies to give to credit unions.
The office of data protection also got 32 complaints referring to delisting requests for Google search results under the European 'right to be forgotten' law.
In total, the office received 960 complaints related to data privacy issues last year.
Meanwhile, Data Commissioner Helen Dixon said that the agency still had "questions and issues outstanding" in its ongoing regulation of Facebook.
"We are still looking at issues of social plug-ins, cookies and the sharing of data," she said. "There are a lot of things that remain in the mix."
Ms Dixon said her office performed a "substantial on-site review" of Facebook last year, which included "legal and technical examinations".
She also said her office's recommendations for how Dublin-based LinkedIn treats personal data had yet to be fully implemented. The Irish Data Protection Office completed an audit of LinkedIn last year.
"We're satisfied that the majority of the recommendations have been accepted and implemented by LinkedIn, but there are one or two areas that are still under discussion between us where we don't think the service meets a best-practice compliance level," she said.
Apple also consulted with her office over its new mapping service, she said.
Ms Dixon said that the Irish Data Protection office would remain "the lead regulator" for Facebook and other tech multinationals based in Ireland, despite some disquiet among other European governments about Ireland's pre-eminent role within Europe.