Record level of data privacy complaints made to Data Protection Commissioner
There has been a record number of data privacy complaints in Ireland over the last year, new figures from the Office of the Data Protection Commissioner show.
The regulator reported a spike in overall complaints last year to a record level of 1,479, rising from 932 in 2015.
However, it also received almost 35,000 “queries”, mostly by email and phone.
In her office’s annual report, published today, Data Protection Commissioner Helen Dixon said that there were 2,224 security breach notifications reported here, a slight decrease from 2,317 notifications reported in 2015.
She said that there were only 25 ‘Right To Be Forgotten’ requests received by her office in Ireland last year, with six upheld, 15 rejected and five “currently still under investigation”.
“Disappointingly, compliance with individuals’ access rights to their personal data remains low,” said Ms Dixon.
“Employee monitoring by means of CCTV remains a concern… [while] ongoing leaking of data from government bodies to private investigators remains a challenge to be tackled.”
The Yahoo investigation centres around a massive data breach affecting the personal details of 500m Yahoo users.
Ms Dixon said that her office had an active year engaging with multinational tech firms based in Ireland.
The result of such interactions, she said included Facebook Ireland updating its cookie-banner notification to include “more precise information” on its usage of cookies for commercial purposes. She also said that the office had consulted with Apple on “the review of its new education service” and participation in “several meetings with organisations exploring the possibility of establishing in Ireland as either a data controller or processor”.
Ms Dixon also criticised government departments seeking to sidestep data protection regulation themselves by saying her office should deal with issues that arise.
“State bodies need to comprehend that the obligations in law, and the requirement to be accountable for their processing of personal data, rest with them and they cannot simply legislate to transfer their obligations to the independent regulator,” she said.
Ms Dixon added that a proposed role for the DPC in the Health Information and Patient Safety Bill “represents a very serious challenge to the required independence of the DPC”.
Meanwhile, the DPC office is to double its staff to 130 people and is to seek a second new Dublin office.
The regulator’s office, which is responsible for overseeing some of the biggest tech companies in the world, has expanded from 30 people in 2013 to 70 people now. However, Ms Dixon says that the relentless pace of work means that further expansion is required.
“Such is the rate of our recruitment programme that an additional nearby premises is now being sought by the DPC to house the further staff members who will join the DPC over the next two years, bringing our Dublin-based staff to around 130,” said Ms Dixon.
The regulator intends to hire 35 extra staff this year and a further 25 staff next year.
The extra resources are partially necessary, she says, to prepare for one of the biggest legal events in data protection history next year, when the General Data Protection Regulation takes effect.
“Once the GDPR comes into force on 25 May 2018, the DPC will be the lead data-protection authority for the regulation of multinationals that have their ‘main establishment’ in Ireland under the one-stop-shop model,” she said.