There has been in increase in the number of civil law actions taken against organisations and even Government departments for failing to protect people’s personal information, a conference has heard.
Such an action against one Government department for allegedly breaching a person’s data protection rights settled ahead of a listed court hearing this week.
The action, understood to have been against the Department of Social Protection, is one of an increasing number of such cases being taken against companies or public bodies that allegedly fail in their duty of care to protect people’s personal information.
The issue was raised at a Public Affairs Ireland (PAI) data protection conference in Dublin on Wednesday.
Several such cases under the Data Protection Acts have been listed for hearing in the past year or so, but they have generally been settled on the steps of the court.
They included the case of a woman who sued a pharmacist for allowing her husband view CCTV footage which showed her buying a pregnancy test. Another such case involved a GP who handed over excessive personal information about a patient to an insurance company.
The actions are taken under section 7 of the Data Protection Acts, which provide that a data controller owes a duty of care to individuals in respect of the personal information it collects or processes.
Data Protection Commissioner Helen Dixon told the PAI conference there had really been “no activity” in relation to such civil lawsuits until “very recently” but that there were now “quite a number of cases” where people were taking actions under section 7 of the Acts.
The commissioner cannot impose direct fines on organisations that fail to respect data protection rights. This will change under proposals in a new European data protection regulation currently being negotiated.
Ms Dixon also noted a recent case involving a GP who had handed over excessive personal data about a patient to an insurance company. Her office had been called as a witness. The case was settled after a day in court.
“In that particular case, the witness from the [Data Protection Commissioner] said that it really had huge impact on them to hear the data subject in that case set out for the court the damage that was suffered as a result of that unfair disclosure of their data – the excessive data disclosure – to the insurance company.”
The person had gone on to suffer enormous health problems as a result of the data breach.
Ms Dixon said she was aware of another case listed that had directly involved a government department, but it had been settled out of court.
While she did not identify the government department concerned, the commissioner said she imagined the person in question had been paid damages.
Rob Corbet, a partner and Head of Technology and Innovation at Arthur Cox, also confirmed in his speech to the event that there had been an increase in the number of people suing for breaches of their data protection rights.
The commissioner reminded those in the public sector of their responsibilities in relation to handling personal data, noting her office had successfully prosecuted private investigators last year for offences involving the ‘blagging’ of people’s personal details from a government department.
Ms Dixon said that over 100 data breaches involving public sector bodies were reported to her office every year.
“Fortunately, in most instances in recent years these have concerned breaches that are really non-systemic and haven’t affected a great volume of data subjects.”
Minister for Data Protection Dara Murphy, who also addressed the event, spoke about the Government’s key priorities for the year.
He said he had established an inter-departmental committee on data issues, bringing together the key individuals dealing with data protection in each government department.
Mr Murphy said the committee would assist in the delivery of “more effective public policy through the improved use of data”.
He said exciting advances in technology created huge potential for society and for the economy.
Departments and State agencies needed to show leadership and commitment to data protection rules as they evolved over the next year, during which a conclusion to negotiations on the new European General Data Protection Regulation is expected, he said.
The minister said the committee’s engagement would be formalised in the coming weeks with the establishment of a “data issues forum”, with input from business, civil society and other key stakeholders.
Dr Eoin O’Dell, Associate Professor of Law at Trinity College Dublin, addressed the conference on the challenges posed for privacy by new technologies and the Internet of Things.
He said that increasingly, the kind of personal and public data becoming available, as well as the sharing of public sector information and datasets online, would have an impact on decision-making processes.
“All of this is heading towards a nice, bright Utopian future. But, I think that this rhetoric needs to be accompanied by an attention to privacy, both on our own part in the creation of the data, and in our professional lives in the use of the data.”