
Data Protection Trends in 2021 – DPC publish Annual Report

The Data Protection Commission (“DPC”) published its Annual Report for 2021 on 24th of February last.

Here is a snapshot of the key highlights within the report:

  • The most frequent GDPR topics for queries and complaints continue to be access requests (42%), fair processing (19%), disclosure (10%), right to erasure (9%) and direct marketing (4%).
  • The DPC received 7,469 queries and 3,419 complaints from individuals in 2021 (an increase of 7% on 2020 figures).
  • In 2021, the DPC received 23,930 electronic contacts, 13,663 phone calls and 1,594 postal contacts.
  • Valid data breach notifications were down 2% on 2020 figures with 6,549 valid breach notifications received.
  • On 31 December 2021, the DPC had 81 statutory inquiries in hand, including 30 cross-border inquiries.
  • Through Supervision action, the DPC brought about the postponement or revision of 7 scheduled big tech projects with implications for the rights and freedoms of individuals.
  • In August 2021, the DPC imposed a fine of €225 million on WhatsApp, arising out of an inquiry into the provision of information, and the transparency of that information, to both users and non-users of WhatsApp services. WhatsApp has exercised its statutory right of appeal against the DPC’s decision.
  • In December, the DPC published new guidance on the approach to the processing of children’s data. Read more about this new guidance here.

The Annual Report also sets out some interesting case studies which show the approach taken by the DPC in dealing with complaints and data breaches. These included:

Exemptions applicable to CCTV footage

Solicitors acting for an individual in relation to a personal injury claim had submitted an access request seeking records of the incident, including CCTV footage, the accident report form and witness statements. Access to these items had been refused on the basis that refusal was necessary to avoid any obstruction or impairment of the legal proceedings and/or to protect legal privilege.

The DPC advised the data controller to prepare a list of all items to which the organisation was applying an exemption, while also documenting the exemption being relied upon for each. Upon investigation, the DPC identified that the documents did contain some personal data of the individual and requested that the data controller release that information to the individual with the relevant redactions. In relation to the CCTV footage, the DPC stated that the primary reason for capturing the data was security and not the defence of litigation claims, and therefore requested that the footage be released to the individual with the relevant redactions.

Lack of appropriate security measures: unauthorised disclosure in a workplace setting

A complaint was made by an employee against an employer asserting that their private information, including attendances with the company doctor, details of a personal injury claim being pursued against the company and details of the disciplinary procedure taken against the complainant, had been placed on the company shared drive, available to be viewed by anyone within the company.

It became apparent during the examination of the complaint that a number of workplace computers had been used to access the data on the shared drive. Following an investigation, two employees identified as having had a significant role in the incident had their employment terminated, and the Gardaí were notified.

The breach occurred as the data was being transferred internally from the company’s human resources department to its legal department. During the transfer, a large volume of electronic files relating to legal cases involving a large number of individuals could be accessed and viewed by employees who would not ordinarily have access to them. The decision to transfer the files in this manner was taken for pragmatic reasons, i.e. the files were too large to be sent by email. However, given the sensitivity of the information contained in the files and the risks of making them available to any employee of the company, there was no justification for placing the files on the shared drive with unrestricted access. A number of alternative options existed, including placing the files in a folder where access was restricted to a limited set of individuals.

Disclosure due to misdirected email

A letter concerning a complaint made to a statutory body against a specialist was attached to an email and sent to an incorrect address. The attachment contained personal data of several persons, including health data, but was encrypted. However, the password for the encrypted letter was issued in a separate email to the same incorrect address.

The DPC noted that this case study shows that encryption is a valuable tool that can help protect against accidental disclosures. However, it is advisable to send the password via a separate medium, such as a telephone call or SMS message, as a single mistake in an email address can otherwise negate the benefits of encryption.

Conclusion

2021 was another busy year for the DPC, with the Commissioner noting that “the GDPR is an important work-in-progress for all of us”. As part of its five-year regulatory strategy, the DPC intends to publish more guidance, including more regular case studies of issues it has decided, in order to assist those in “on-the-ground roles”. This is to be welcomed, as it should provide more certainty about what is required to ensure compliance with this evolving area of law.

The full report is available here.

If you have any questions relating to this article, please contact Yvonne Joyce, Partner, Comyn Kelleher Tobin.