Thursday 26 March 2015

Increase seen in law suits for failing to protect personal data

Thu, Mar 26, 2015

Increase seen in law suits for failing to protect personal data


Data Protection Commissioner Helen Dixon said there had been an increase in the number of civil cases taken against organisations for failing to protect personal data.

Conference hears case against government department settled before court hearing

 There has been in increase in the number of civil law actions taken against organisations and even government departments for failing to protect people’s personal information, a conference has heard.

Such an action against one government department for allegedly breaching a person’s data protection rights settled ahead of a listed court hearing this week.

The action, understood to have been against the Department of Social Protection, is one of an increasing number of such cases being taken against companies or public bodies that allegedly fail in their duty of care to protect people’s personal information.

The issue was raised at a Public Affairs Ireland (PAI) data protection conference in Dublin on Wednesday.

Several such cases under the Data Protection Acts have been listed for hearing in the past year or so, but they have generally been settled on the steps of the court.

They included the case of a woman who sued a pharmacist for allowing her husband view CCTV footage which showed her buying a pregnancy test. Another such case involved a GP who handed over excessive personal information about a patient to an insurance company.

The actions are taken under section 7 of the Data Protection Acts, which provide that a data controller owes a duty of care to individuals in respect of the personal information it collects or processes.

Data Protection Commissioner Helen Dixon told the PAI conference there had really been “no activity” in relation to such civil lawsuits until “very recently” but that there were now “quite a number of cases” where people were taking actions under section 7 of the Acts.

The commissioner cannot impose direct fines on organisations that fail to respect data protection rights. This will change under proposals in a new European data protection regulation currently being negotiated.

Ms Dixon also noted a recent case involving a GP who had handed over excessive personal data about a patient to an insurance company. Her office had been called as a witness. The case was settled after a day in court.

“In that particular case, the witness from the [Data Protection Commissioner] said that it really had huge impact on them to hear the data subject in that case set out for the court the damage that was suffered as a result of that unfair disclosure of their data – the excessive data disclosure – to the insurance company.”

The person had gone on to suffer enormous health problems as a result of the data breach.

Ms Dixon said she was aware of another case listed that had directly involved a government department, but it had been settled out of court.

While she did not identify the government department concerned, the commissioner said she imagined the person in question had been paid damages.

Rob Corbet, a partner and Head of Technology and Innovation at Arthur Cox, also confirmed in his speech to the event that there had been an increase in the number of people suing for breaches of their data protection rights.

The commissioner reminded those in the public sector of their responsibilities in relation to handling personal data, noting her office had successfully prosecuted private investigators last year for offences involving the ‘blagging’ of people’s personal details from a government department.

Ms Dixon said that over 100 data breaches involving public sector bodies were reported to her office every year.

“Fortunately, in most instances in recent years these have concerned breaches that are really non-systemic and haven’t affected a great volume of data subjects.”

Minister for Data Protection Dara Murphy, who also addressed the event, spoke about the Government’s key priorities for the year.

He said he had established an inter-departmental committee on data issues, bringing together the key individuals dealing with data protection in each government department.

Mr Murphy said the committee would assist in the delivery of “more effective public policy through the improved use of data”.

He said exciting advances in technology created huge potential for society and for the economy.

Departments and State agencies needed to show leadership and commitment to data protection rules as they evolved over the next year, during which a conclusion to negotiations on the new European General Data Protection Regulation is expected, he said.

The minister said the committee’s engagement would be formalised in the coming weeks with the establishment of a “data issues forum”, with input from business, civil society and other key stakeholders.

Dr Eoin O’Dell, Associate Professor of Law at Trinity College Dublin, addressed the conference on the challenges posed for privacy by new technologies and the Internet of Things.

He said that increasingly, the kind of personal and public data becoming available, as well as the sharing of public sector information and datasets online, would have an impact on decision-making processes.

“All of this is heading towards a nice, bright Utopian future. But, I think that this rhetoric needs to be accompanied by an attention to privacy, both on our own part in the creation of the data, and in our professional lives in the use of the data.”

Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners. For more information see our website : www.lawlorpartners.ie

Wednesday 21 January 2015

Alan Shatter loses appeal against Mick Wallace data ruling

Irish Times, 21st January 2015

Former minister for justice Alan Shatter has lost his appeal against a decision by the Data Protection Commissioner that he breached data protection laws by disclosing information about Independent TD Mick Wallace on RTE’s Prime Time.

The commissioner found that Mr Shatter had failed to uphold his statutory duties under the Data Protection Act by disclosing during a televised interview in 2013 that Mr Wallace had been cautioned by gardaí for using a mobile phone while driving. Mr Shatter had appealed that decision to the Circuit Civil Court, arguing that the commissioner had pre-determined the matter before he made his finding.

Dismissing Mr Shatter’s appeal on Wednesday, Judge Jacqueline Linnane said that in her view the commissioner had considered the matter fully. She said the commissioner had taken into account the arguments put forward by Mr Shatter, that fair procedures were followed and that reasons were given for the final decision.

“I do not consider that it has been shown that the decision made was vitiated by any serious or significant error or series of such errors,” Judge Linnane said.

She also said the argument that Mr Shatter did not have standing to take the appeal was “well founded”, as his actions at the time had been carried out in his capacity as minister for justice.

Commenting on the judgment, Mr Wallace said it was a “good decision” and that Mr Shatter had pulled a political stroke by divulging details of his caution.

“I was very surprised that the minister did what he did. It seemed a bit out of character at the time. I think the data commissioner though was very, very thorough in how he analysed the whole thing,” the Wexford TD said.

In his appeal, Mr Shatter had claimed the commissioner pre-judged his inquiry into his actions on Prime Time and made “serious errors” in deciding that he breached data protection laws.

Eileen Barrington SC, for Mr Shatter, had told the court last November that the decision had consequences for the former minister “personally, politically and professionally” and was “a factor” in his resignation last May.

Ms Barrington said there was a “clear absence” of fair procedures in the commissioner’s decision-making process. She told the court on the same day that Mr Wallace lodged a complaint against Mr Shatter, the commissioner made a statement to RTÉ News to the effect that personal data had been disclosed during the Prime Time debate. This showed a “predetermination of matters” and was “quite inappropriate”.

She said that in a letter to Mr Shatter the following day, the commissioner said he was satisfied that personal data about Mr Wallace had been processed by the then minister. “The DPC wrongly started the process with the expression of a conclusion,” she said, adding that there appeared to be a “rush to judgment”.

Ms Barrington said the Data Protection Commissioner’s decision was “flawed” and wrongly applied definitions in the data protection laws. Mr Shatter could not be a “joint controller” of personal data, as the Data Protection Commissioner stated, because he “clearly” did not control its content and use. The information about Mr Wallace was passed to him orally by the Garda Commissioner and he never saw any relevant written records.

Barrister Paul Anthony McDermott, for the commissioner, had told the court that Mr Shatter had no right to take the appeal. He said that at all stages the complaint to the commissioner was made against the minister for justice, “who happened to be Mr Shatter at the time.”

Mr Shatter’s correspondence with the commissioner, on ministerial headed notepaper, made clear that he had acted at all times in his capacity as minister, Mr McDermott said, and the only person who could take such an appeal was Frances Fitzgerald, the current minister for justice.

“Mr Alan Shatter the private citizen wouldn’t have been given the information by the (Garda) commissioner, wouldn’t have been invited on Prime Time and wouldn’t have deployed the information in defence of the gardaí,” Mr McDermott said.

“This appeal failed from the outset because it is brought by someone who doesn’t have a right to take an appeal.”

Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners. For more information see our website : www.lawlorpartners.ie