Recent News
August 2009
Data Breaches: Data Protection Commissioner issues Guidance.
The Data Protection Commissioner has recently remarked on an increasing trend towards voluntary disclosure to its office when an organisation becomes aware that there has been an unauthorised or accidental disclosure of customer or employee personal information.
This is hardly surprising given recent well-publicised data breaches in Ireland and the United Kingdom, often involving the loss of employees’ laptops. Such an occurrence has already led to prosecution in the UK. Recently, the Information Commissioner’s Office (ICO) found Amicus Legal Ltd, a UK-based insurance firm, in breach of the UK Data Protection Act after a laptop containing sensitive customer information was stolen. Although the laptop, which was not encrypted, was privately owned by a consultant contracted by the company, it was Amicus Legal Ltd, as data controller, that was held to be in breach of the 1998 Act. Sally-Anne Poole, head of enforcement and investigations at the ICO, noted the seriousness of the breach and urged companies to treat data protection “as a corporate governance issue affecting the whole organisation.”
In Ireland, the Department of Finance has recently issued guidance on data protection and has requested government departments and agencies to report any data breaches immediately to this office. In addition, the Minister for Justice, Equality & Law Reform has assembled a working group on the subject of breaches of data protection, which is expected to report to the Minister in the coming months.
Meanwhile, the Data Protection Commissioner in Ireland has issued interim advice on the appropriate steps to take when personal data held by a company or organisation is compromised. Both data controllers and data subjects are advised to report any such breach or compromise. On receiving such a report, the Data Protection Commissioner will discuss the need to inform those directly affected by the breach, and a detailed report of the incident may be requested. However, as the Data Protection Commissioner has confirmed, “prevention is better than cure”: in other words, there is no substitute for properly designed systems to secure personal data.
For advice on compliance with your data protection obligations, please contact Fiona O’Connell, or your usual O’Flynn Exhams contact partner.