CKT

Data Protection Trends in 2020 – DPC publish Annual Report

On 25th February 2021, the Data Protection Commission (DPC) published its 2020 Annual Report.

Here is a snapshot of some of the key highlights;

  • The number of cases handled by the DPC in 2020 increased to 10,151 (up 9% on 2019 figures).
  • 4,660 complaints from individuals were received under General Data Protection Regulation (GDPR).
  • The most frequent GDPR topics for queries and complaints continues to be access requests, fair processing, disclosure, direct marketing and right to be forgotten (delisting and/or removal requests).
  • Valid data breach notifications were up 10% on 2019 figures to 6,628.
  • Over 35,000 contacts were received through the DPC’s Information and Assessment Unit, including 10,000 telephone calls and 23,200 emails.
  • In December 2020, the DPC issued its first fine in a cross-border case, fining Twitter International Company €450,000 as a result of the company’s response to, and handling of a data breach.
  • On 31st December 2020, the DPC had 83 statutory enquiries in hand, including 27 cross-border enquiries.

The Annual Report also sets out some interesting case studies which show the approach taken by the DPC in dealing with complaints and data breaches.  These included;

Unauthorised Publication of Staff Photo in Workplace Newsletters

This involved a complaint from an individual regarding the publication of their photograph in an article contained in a workplace newsletter without their consent. The data controller who was the individual’s public sector employer, informed the individual that it should have obtained consent to use the photograph in the workplace newsletter and that a data breach had occurred. Both the complainant and the data controller agreed to work with DPC to try to amicably resolve the issue. An apology from the employer was issued to the individual. The DPC also provided recommendations that a consent information leaflet be distributed to staff in advance of using photography, audio and/or video and that a consent form for photography, audio and video be completed and signed prior to images or recordings being obtained, which the controller subsequently implemented.

Litigation Privilege Exemption Inappropriately invoked

Individual had instructed their solicitor in relation to a negligence action against the hospital arising from the care they received. The hospital had released medical records but the individual was awaiting nonclinical notes which the hospital were refusing to release on the basis that they were subject to litigation privilege. Specifically, the individual was of the view the various staff statements had been withheld. The DPC requested sight of the documentation withheld from the individual in response to the access request in order to be satisfied that the exemption had been validly applied. The DPC was not satisfied that litigation privilege applied as it found that the statement had been prepared for the dominant purpose of an internal review and no litigation had commenced or been threatened at the date of their creation

Inadvertent Publication of Personal Data on Twitter

A public sector organisation notified the DPC that they had inadvertently published personal data via their social media platform (Twitter) as a result of human error.  The tweet was removed without undue delay. Taking this into account and the steps taken to mitigate against the risk of this type of incident recurring, the DPC issued a number of further recommendations to the organisation on the appropriate use of social media platforms and how its social media accounts should be secured and limited to a specified number of authorised personnel.

Financial Information Sent to Wrong Customer

The DPC was notified that a customer had made a request to obtain their IBAN and BIC numbers.  The customer was personally known to the member of staff dealing with the request who deviated from approved practice, using their personal mobile phone to send a picture of what they believed to be the requested information over WhatsApp, however the information pertained to another customer.

The customer contacted the organisation to advise that the information received did not relate to their account and that they had deleted it from their device. The organisation communicated with staff to remind them that only authorised methods of communication should be utilised when handling future requests of this nature and issued an apology to the affected data subjects.

The DPC issued a number of recommendations encompassing the use of only approved organisational communication tools, making staff fully aware of acceptable and not acceptable behaviour when using organisational communication tools, and ensuring staff have undergone appropriate training in terms of their obligations and responsibilities under GDPR.

Conclusion

On launching the report, the Commissioner for Data Protection, Helen Dixon commented that, “The progress the DPC has made in 2020 provides a solid platform on which to build across our enforcement and complaint-handling functions in particular. The GDPR must be understood as a project for the now, but equally for the longer-term. The DPC intends to continue as a leader in its full implementation.”

The full report is available here

If you have any questions relating to this article, please contact Yvonne Joyce, Partner, Comyn Kelleher Tobin.