A SECONDARY school in Co Kildare was ordered to remove monitoring cameras from student toilets after their parents made a complaint to the Data Protection Commissioner.
The case is outlined in the commissioner’s annual report for 2010, published yesterday. Data Protection Commissioner Billy Hawkes said the use of CCTV continued to give rise to regular complaints.
Cameras were installed in the students’ toilets and the students “objected to this intrusiveness”, his report said. “When their concerns were dismissed, they walked out of the school in protest.”
As the cameras were operating in contravention of the Data Protection Acts, the commissioner ordered their immediate removal.
The commissioner said schools must provide a “convincing justification for the use of every camera in and around its premises”.
He said cameras were not a substitute for supervision “and they should not be used for that purpose”.
It said complaints about CCTV were not confined to students and that staff had also complained about the use of CCTV to monitor their movements, which was “rarely proportionate” under the Data Protection Acts.
The commissioner also received a number of complaints about the use of biometric systems to record attendance at schools and other premises. One large secondary school was forced to put in place measures to ensure students were either able to consent to the use of the system, or allowed an alternative method of recording attendance.
Funding for the Data Protection Commissioner’s office was reduced last year, from just over €1.8 million in 2009 to just under €1.5 million. The commissioner’s office opened 783 complaints for investigation in the course of the year compared to 914 in 2009.
Of those, some 231 concerned breaches of electronic privacy regulations, relating for example to unsolicited marketing text messages and e-mails.
There was an increase in unsolicited text messages for marketing across every sector of the economy, which the commissioner believed seemed to have been exacerbated by the economic downturn.
Complaints about access rights by individuals to their personal information were more than 39 per cent of the total complaints – up from 259 to 308 last year.
The commissioner said this probably reflected the larger number of labour disputes arising from redundancies.
In total, there were 410 reports of data breaches where personal information was lost or stolen – up by 350 per cent on the previous year.
This rise was attributed to the more exacting demands of a code of practice on reporting such data breaches, which was introduced in July.
The report contains as an annex the outcome of a special investigation into the handling of claims data in the insurance sector’s Insurance Link system, which revealed “significant breaches” of data protection laws.
Insurance companies and a number of other bodies were found to have committed major breaches of data protection laws in how they accessed and managed a system containing some 2.4 million claims records.
Some staff at insurance companies accessed details of family members and even celebrities merely out of “prurience” or curiosity, the report found.
In some cases, staff accessed data about houses and cars that they were considering purchasing.
Companies using the database include Axa, Allianz, Aviva, FBD, Royal Sun Alliance, the ESB, Dunnes Stores, Dooley Car Rental, Quinn Insurance and several local authorities, including Fingal County Council, South Dublin County Council, Dublin City Council, Cork City Council and Limerick City Council.
Mr Hawkes said many users of the Insurance Link system seemed to have viewed their access to this “massive holding of personal data” as “a right without corresponding responsibilities” – “They often paid scant, if any, regard to data protection requirements.”
The report has been referred to the Central Bank.
DATA PROTECTION COMMISSIONER REPORT CASE STUDIES:
1Ice Broadband was prosecuted for failing to co-operate with an investigation that originally stemmed from complaints in 2009 about an e-mail sent by the company to more than 300 customers.
Among other things, the e-mail stated that the customer’s account was in arrears and threatened cancellation of the account. The company had exposed all the e-mail addresses openly in the “To” field of the mail.
The firm, which subsequently went into liquidation, was found to have committed a “serious breach” of the data protection rights of over 300 people.
2Crunch Fitness Ltd was prosecuted in January 2010 for sending a direct text marketing message without consent. A woman who had no previous relationship with the company complained, but received a second message despite this, and the commissioner then prosecuted. Crunch Fitness was fined €500.
3Black Dog Communications Ltd was prosecuted after it sent a direct marketing text message to a 13-year-old girl who clicked on a link and inadvertently subscribed to a premium rate service. It emerged the company had obtained the number from a database as a result of the child entering a competition in a magazine. The company paid a donation of €3,000 to Goal and a contribution towards prosecution costs after the judge imposed the Probation Act.
4Tesco was prosecuted after a number of complaints from individuals who had unsuccessfully attempted to unsubscribe from direct marketing e-mails.
It was the second time the company had come to the commissioner’s attention for this issue. The company was convicted on two charges, and penalties of €1,000 were imposed on each. It said it would suspend all e-mail marketing in Ireland until errors in its systems were corrected.
5Hacking of the selfcatering.ie website compromised details of 9,500 credit cards, and possibly 50,000 personal contact details.
The site was not properly secured and did not comply with payment card industry standards.