The number of formal complaints made to the office of the Data Protection Commissioner(ODPC) rose by 78 per cent over the course of 2001, according to figures released today.
The office of the Data Protection Commissioner was established under the 1988 Data Protection Act and sets out the general principle that individuals should be in a position to control how computer data relating to them is used.
While the number of enquiries dropped slightly from 3,100 to 2,900, the fall-off has been attributed to the use of the ODPC webiste (www.dataprivacy.ie) which recorded 17,000 hits throughout the year, many of which were to do with queries related to access to personal data, the credit reference system and direct marketing.
According to Mr Joe Meade, the Data Protection Commissioner, the number of formal complaints rose to 233, most involving organisations in central and local government (38 per cent); other complaints related to the direct marketing sector (18 per cent); public services (12 per cent); financial services (7 per cent); telecommunications and IT sector (9 per cent); and the health and medical sector (4 per cet);
The balance of 17 per cent was made up of the broad range of commercial and non-commercial data controllers.
Overall 35 per cent of complaints were upheld, 33 per cent were not upheld, and 32 per cent were resolved informally.
"The privacy rights of citizens and consumers cannot be taken for granted", Commissioner, Mr Meade said at the launch of the 2001 Annual Report.
"I intend to use my full powers against any organisations which abuse people’s trust and which invade their privacy".
The Commissioner’s Report gives details of his investigations into complaints made by individuals, who were concerned about the use of computer files.
In this regard, he said, he was concerned that the number of legal professionals and legal firms registered with his Office was so low.
Registration is a legal requirement for any organisation holding sensitive types of computer data, such as data about health, ethnic origin and criminal convictions.
"I think it is to be expected, in the modern legal environment, that many legal professionals will have extensive day-to-day involvement with matters of a sensitive nature relating to the health, criminal convictions and ethnic background of their clients; and, indeed, that such matters will be recorded and processed on computer to some degree," he said.
While he had raised the matter with the Law Society and the Bar Council, he added, he indicated that he will take more proactive steps in the year ahead to ensure that legal professionals are complying with their legal obligations.
Among the cases tackled by the Data Protection Commissioner were:
- MBNA Bank:A number of individuals were unhappy about receiving unwanted telephone calls at home from this major credit card company.
- Eircom:– Arising from the MBNA investigation, the Data Protection Commissioner discovered that direct marketers had been availing of a 'super-database', made up of the electoral register, to which phone numbers had been automatically "teleappended" by Eircom.
- Ryanair:the Data Protection Commissioner investigated a complaint about abuse of credit card details by Ryanair. This complaint was not upheld.
- Concern:The charity was found to have broken data protection law – albeit inadvertently – by allowing its donor database to be used for direct marketing by a financial institution.
- Victim Support:the Data Protection Commissioner clarified that details about victims cannot routinely be transferred by An Garda Síochána to the Victim Support organisation, unless the victim's consent has first been obtained. However, formal written consent was not necessary. [see p34 of Report]
The health sector also featured in the report where it was recommended that code of practices should be reinforced emphasising that confidentiality and security of patient data should be coupled with information and consent.
The Annual Report outlines European guidelines on how to strike an appropriate balance between worker privacy, on the one hand, and the rights of employers, on the other hand.
The European guidelines make clear that, while legitimate business interests must be protected,the report says, "no business interest may ever prevail over the principles of transparency, lawful processing, legitimisation, proportionality, necessity and others contained in data protection laws."