“We operated mainly by persuasion. But we did not hesitate to use enforcement powers where there was evidence of rights being wilfully ignored”.(1)
Personal data was traditionally thought of as paper files held in filing cabinets in businesses and Government offices, containing the personal information that they held about individual workers and citizens respectively. However, with the advent of new technologies, people’s personal data is now flying through cyberspace at unprecedented levels. Contrary to the general view that Data Protection is a new concept introduced to address security issues relating to the Internet, it was in Germany in 1970 that the first data protection laws were enacted. It should be noted, however, that data protection laws were not enacted for the mere protection of individuals’ privacy in relation to their personal data, but rather to ensure that there were standard protocols in place so that personal data could flow freely across the borders of Europe. Kelleher and Murray tell us that improved privacy standards are nothing more than a spin-off from the European Communities’ desire to build an internal common market (Kelleher, D. Murray, K. 2007). However, Stewart Room states that, “The maintenance of free flows of personal data between countries is the second aim of data protection laws, with the first being the protection of privacy”.(2)
In Ireland the job of the Data Protection Commissioner and the Data Protection Acts of 1988 and 2003 is to ensure that the private data relating to Irish citizens is protected within the parameters of the above-mentioned Acts. In 2011 Data Protection is a minefield for businesses and Government agencies, as the Internet has introduced numerous security and privacy issues. There are now two billion internet users worldwide and, as highlighted by the Symantec Intelligence Quarterly report, security threats to the Internet are increasing at an alarming rate.(3)
So what is privacy? It is ‘the quality or condition of being secluded from the presence or view of others’.(4) However, some internet security experts tell us that privacy no longer exists. Steve Rambam says, “Privacy is dead - get over it”(5), while Bruce Schneier, in his essay ‘The Value of Privacy’, states that, “Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance”.(6)
So it is in this complex tapestry of rights, protections and security risks that the Data Protection Commissioner must ensure that the individual data relating to Irish citizens is protected. It is clear from the Data Protection Commissioner’s (Billy Hawkes) Report for 2010 that the work of his office was financially restricted due to a 20% reduction in funding. This reduction in funding could be one of the main reasons why the Commissioner focused on persuasion rather than enforcement when it came to dealing with those Data Controllers/Processors who broke the rules.
Equally, it is fair to say that the Data Commissioner’s Report highlights a number of prosecutorial case studies that show that the Data Commissioner is not a toothless tiger. The Commissioner investigated Insurance Link, a database of insurance claim histories relating to 2,441,838 insurance claims made by Irish citizens. While this insurance claims database was only supposed to be used by regulated insurance companies to try to stamp out insurance fraud, it became clear to the Commissioner that there was no transparency when it came to outside businesses accessing the database. Insurance company employees had unregulated access to the database, and the Commissioner found that this access had been abused.
However, the Commissioner prefers to use persuasion to encourage companies and Government agencies to comply with Data Protection law. He focuses on education and information to bring companies and Government agencies into line with the required standards for Data Controllers/Processors. Due to the difficult financial circumstances in which the Commissioner finds himself because of cutbacks, he is reluctant to initiate court proceedings, as these proceedings have to be outsourced, which is costly. The Commissioner has made cost savings within his office by producing prosecutorial templates, which mean that legal expertise does not have to be engaged until the last possible moment.
While the Commissioner asserts that Irish citizens are well informed about their Data Protection rights and the safeguards provided by his office, he mentions an Irish Times poll (13 Dec, 2010)(7) in which it was found that Irish citizens did not feel that Data Protection legislation was robust enough. The Commissioner wants to encourage companies and Government departments to build in Data Protection safeguards when putting their systems in place, and he emphasises the need for these protections to be constantly reviewed and updated.
Cases of Data Protection breaches highlighted by the Commissioner’s Report put the consequences of such breaches into context. The Commissioner singles out a database breach at a GAA Club in the north, when 500,000 personal files, including medical records, were accessed by a hacker. While the Security Breach Code of Practice is now mandatory in the Republic, the Commissioner is concerned at the rise in such reported breaches.
The Commissioner is satisfied that there has been a decline in the number of reported breaches under the Privacy in Electronic Communications Regulation (S.I. 535 of 2003 as amended).(8) Such breaches include direct marketing text messages and so forth. The Commissioner attributes this decline in reporting to a number of prosecutions brought by his office in 2008, including high-profile names such as Jackie Skelly Fitness.
With a mixture of persuasion and prosecution the Commissioner has helped companies and Government departments to come to terms with their stated obligations under the terms of the Data Protection Acts. Yet important areas of sensitive information continue to raise serious concerns; the Garda Pulse computer, for example, remains an area of great concern to the Commissioner. There are not enough checks and balances in place to monitor who is accessing the Garda Pulse system, and this in turn has led to Garda investigations into how criminal gangs gained access to sensitive information or even how letting agents were vetting their tenants.
The Department of Social Protection also came to the attention of the Commissioner in 2010, when a whistleblower exposed the fact that a Department employee was illegally accessing files within the Department. That investigation is continuing, with a parallel Garda investigation at an advanced stage. It was also discovered that one of Ireland’s largest financial institutions had no means by which to determine who was accessing what information or when. The Commissioner also highlighted the fact that some banks and Credit Unions were using Anti-Money-Laundering legislation as a sleight of hand to gain excessive information about customers.
While Data Protection is heavily engaged in the protection of personal data that is delivered or stored by electronic means, the reality is that in 2010 the Data Protection Commissioner dealt with 258 complaints relating to Data Protection breaches within the traditional post industry, including personal and financial details being delivered to the wrong addresses. CCTV also raised its head as a Data Protection offender in 2010, when two schools, one in Mayo and one in Kildare, were ordered to turn off their CCTV systems. In the Kildare case the school had placed CCTV in the children’s toilets, which is beyond comprehension.
There are exemptions for certain types of personal data sharing. For example, Section 261 of the Social Welfare Consolidation Act 2005 allows for the sharing of personal data without consent; this legislation was introduced to reduce welfare fraud.
The Commissioner appears willing to give everyone an opportunity to get their house in order. He encourages education and facilitates that education by providing staff to give training and talks as and where possible. However, the Commissioner can be pushed too far, as seen in the case of the non-compliant Ice Broadband Company, who seemed to think they were a law unto themselves; they were eventually convicted for Data breaches. Google Street View is an example of how a company can work in partnership with the Commissioner in order to ensure that its house is in order, and there are many examples of this in the Commissioner’s Report.
It also has to be noted that, as mentioned earlier, the big picture in relation to Data Protection as far as Ireland is concerned is the European Union. The European Network and Information Security Agency (ENISA) recently praised Ireland for its leading initiatives in relation to Data Protection, and in particular its Mandatory Security Breach Code of Practice.(9) ENISA(10) also raises the issue of cloud computing and the new risks and challenges thrown up by billions of pieces of personal information flying through cyberspace, information that might traditionally have been kept internal to companies and government departments. This outsourcing of personal data, with its endless possibilities in terms of economies of scale, is a tantalising target for hackers. If Google Street View cars can pick up e-mails as they pass private houses, what can global hackers pick up as they trawl the clouds of multi-nationals and Government departments? These mainframe giants can be based in any country in the world, and the tentacles of our progressive Data Protection safeguards may not be able to reach those cyber black holes.
In conclusion, it is fair to say that the Report by the Data Protection Commissioner for 2010 highlights the many constraints on his office due to the new economic dispensation. However, it is equally clear that the Commissioner has cut his cloth to meet that shortfall: he has used persuasion, education and information where possible, and he has used enforcement where it was clear that the rights of Irish citizens were being wilfully ignored. The Data Protection Commissioner has proven himself and his staff to be progressive and innovative; however, those who have mistaken his progressive attitude for weakness have discovered that he is not a toothless tiger.
White Paper by Vincent McKenna BSSc, PG Dip, MSc ©
(2) Stewart Room, ‘Transborder Data Flows’.
(7) Irishtimes.com, 13 Dec, 2010.
Kelleher, D., Murray, K. Information Technology Law in Ireland, 2nd edition, Chapter 15, Data Protection. Tottel Publishing, 2007. [http://www.ictlaw.com/]