Friday 19 September 2014

Tough challenges ahead for new Data Protection Commissioner

Never have the issues of data protection and personal privacy had such high profile
Irish Times 18th September 2014

What does Ireland need from its new Data Protection Commissioner?
We now know who has replaced former Commissioner Billy Hawkes, who retired from the role in August: civil servant Helen Dixon, who up until now has been registrar with the Companies Registration Office.
Prior to that, she was a principal officer in the Department of Enterprise, Trade and Innovation. She also worked for US technology company Citrix at its Europe, Middle East and Africa office in Ireland, as manager of Technical Support Services.
Pivotal point
She comes to the role at a pivotal and daunting point. Never have the issues of data protection and personal privacy had such high profile. Along with media coverage of repeated breaches of data in this country and internationally, the general public has had more than a year of leaks from the trove of documents obtained by former US government contractor and whistleblower Edward Snowden.
Those – revealing a shocking degree of large scale surreptitious digital data gathering on ordinary citizens by US and UK surveillance agencies – have rattled international relations.
In particular, the revelations have spurred the EU to push for more restrictions on access to its citizens’ data and greater national and international oversight.
On the US side, elected representatives, privacy organisations and the general public have demanded explanations and more transparency in how law enforcement agencies acquire and use personal data.
And, somewhere in the middle, with their exact involvement still a mystery, sit many multinational companies – especially in the technology and online sector – which handle teraflops of data from customers and service users around the world, every day.
Some are known to have passed data to US agencies, with many of these continuing to request they be given permission from the US government to reveal more about what they are asked for, and when and how they complied. Others state they had no idea US and UK agencies were siphoning off their users’ data.
In this tense atmosphere, the EU has signaled that it will bring in a more restrictive and clearly defined Data Protection Regulation next year. This must by transposed directly, not piecemeal as had been the case with the existing directive, which came out of legislation in a pre-internet era.
All indications are that the EU will require data misuse complaints against companies be referred to the Data Protection Commissioner in the EU state in which the company has its European headquarters.

‘No data breach’ says Irish Water, despite sending 6,329 letters to the wrong address

The Data Protection Commissioner has not said whether a breach took place.
The Journal, 10th September 2014
IRISH WATER HAS apologized for sending more than 6,000 letters with incorrect names to customers, but says it does not believe the mistake represents a data breach.
The semi-state company had been investigating the possibility of a data breach after it emerged that letters sent to 6,329 multiple home-owners this month were wrongly addressed.
Ironically, the letters had asked customers to confirm their personal details, to allow Irish Water to update their customer database before water charges come into force next month.
Responding to an enquiry from TheJournal.ie, a spokesperson from the office of the Data Protection Commissioner did not address whether or not a data breach had taken place.
In their statement this evening, Irish Water confirmed the mistake had come to their attention last Tuesday, and that they had reported it to the Data Protection Commissioner.
In line with this process, Irish Water has sent letters to owners of multiple properties asking them to confirm the details of properties they own. Irish Water is aware that incorrect names have appeared on correspondence issued to 6,329 of these individuals. This became apparent on 4th September.
Irish Water acted immediately to resolve this issue and all of the property owners affected have been advised accordingly.
On becoming aware of the issue, Irish Water also immediately informed the Office of the Data Protection Commissioner (DPC) and our understanding is that the issuing of the letters does not constitute a breach and that the Office of the DPC are satisfied with how Irish Water have dealt with the issue.
Our customer contact centre (1890 448 448) is available to respond to any customer queries or concerns.
Irish Water has apologised for any confusion and concern that this might have caused affected customers.
Despite an enquiry by TheJournal.ie, the Office of the DPC did not clarify this evening whether or not a data breach had occurred.
A spokesperson did, however, say the DPC had “concluded its investigation.”
Irish Water notified this office on 4th September of a potential data security breach…
Irish Water notified the affected individuals of the matter and sought return of the incorrectly addressed letters.
Irish Water have informed this office of the steps being taken to prevent a repeat of this type of incident.
On this basis, this office concluded its investigation into the matter.