Insurance companies rebuked by Data Protection Commissioner for not deleting penalty point records
Published 21/06/2016 | 08:30
Insurance companies are not deleting records of penalty points as they are supposed to under law, according to the Irish Data Protection Commissioner.
An examination of the insurance industry’s practices by the data watchdog has revealed that the three-year legal limit put in place to give motorists a second chance may not be fully observed.
“The audit found evidence of the retention of penalty-point data beyond three years,” said the annual report from Helen Dixon’s Data Protection office.
The sector, she said, was given “particular attention” last year.
“Under the Road Traffic Act, penalty points remain on a licence record only for a period of three years,” said the report.
“The Office is continuing to engage with the companies audited in 2016 to agree on an acceptable retention period and archiving solution.”
Ms Dixon’s report said that the purpose of the audits was to examine existing facilities within insurance companies to access penalty-point data in conjunction with the roll-out of a new facility by Insurance Ireland, allowing for direct access to penalty-point data in real time. However, this facility came up short when put under the microscope.
“We will continue to examine this area further in 2016,” said the privacy regulator’s report.
Elsewhere in her report, the Data Protection Commissioner revealed that she rejected requests from an unnamed “key” tribunal witness to delete their name from certain Google searches.
Ms Dixon’s report says that 23 complaints were received by the state’s data privacy body in relation to the ‘right to be forgotten’ from online search engines. However, the privacy office only upheld seven of the complaints, while 16 of them were refused.
“One rejected complaint centred around a long-running tribunal, where the Office concurred with Google’s position not to delist certain URLs found following a search conducted using an individual’s name,” said the annual report.
“Given that the individual concerned had given key testimony at this important tribunal, it was considered that there was a legitimate public interest in maintaining access to this information against a search on that individual’s name. A search against other keywords in the original content would still have produced a result in the search engine.”
Under European law, an individual can request that a personal name be delinked from searches that return web links deemed outdated or irrelevant. However, freedom of information advocates fear that the rule is sometimes exploited by white collar individuals to whitewash misdeeds or matters of genuine public interest.
Overall, the Irish Data Protection Commissioner’s Office received 932 complaints from members of the public last year, most relating to denial of access to personal records.
“The largest single category of complaints related to access rights, which accounted for over 60pc of the total and reflecting the extent of the difficulties some individuals experience exercising their statutory right of access,” said the annual report.
“The second largest category of complaint concerned electronic direct marketing.”
The number represents a 3pc fall from the year before.
However, the number of data breaches notified to Helen Dixon’s office was up 6pc to 2,317.
And her office applied three enforcement notices against Aer Lingus, O2 and Arizun Service Ireland.
Meanwhile, the introduction of the Eircode system was the cause of “many queries” on data protection grounds last year.
“A number of these arose in relation to the Eircode database, from individuals whose names were included alongside their Eircode and were available on the Eircode Finder,” said the annual report. “A limited number of queries were also received regarding incorrect spelling and allocation of townlands associated with Eircodes.”
And there were a “small number” of complaints about the roll-out of the Department of Education’s Primary Online Database.
“Issues cited around the legal basis for the collection and processing of the personal data involved, the quality of the information notices provided to parents, the use of the PPSN as an identifier in the database and the purported linking of funding to schools with parents’ compliance in providing their children’s data,” said the report. “Some matters remain under ongoing investigation.”
However, the Data Protection Commissioner has warned that Irish companies will soon face stricter laws on data protection. European legislation, in the form of the upcoming General Data Protection Regulation, will shake companies out of their current complacency, she said.
The new rules, to be implemented in 2018, will legally oblige all data controllers to notify data protection authorities of any personal data security breach that occurs within 72 hours.
Ms Dixon said that current standards of data protection observance are not up to the mark.
“What becomes clear from dealing with many organisations in Ireland is that they deploy little resources themselves to manage data protection compliance,” she said. “Some organisations appear to struggle with the principles-based nature of data protection legislation and suggest that it is difficult to correctly interpret and apply the principles in the specific scenarios with which they are dealing.”
“From what I have seen, little real attempt is made in some cases to interpret and apply the principles and to examine implementation from the perspective of affected data subjects. In other cases, organisations appear to not even be conscious that what they are proposing represents a significant interference with an individual’s data-privacy rights and view efficiency and cost-saving as automatically sufficient justifications for any action.”
“It is helpful, therefore, that the forthcoming General Data Protection Regulation will bring an increased power of enforcement for data protection authorities.”
“First and foremost, it will explicitly put back onto organisations the clear obligation to properly organise themselves to ensure they are adequately protecting the individual’s fundamental right to data privacy and can demonstrate their accountability in this regard.”