Media Release
Embargo Tuesday 6 April 2004 - 11.00 am
Solicitors, Catholic Church, Government Ministers, Garda access to phone records, Head hunters, Aer Lingus, Marketing Minors, Biometrics, Employment Vetting and Medical matters feature in the Data Protection Commissioner’s Report.
Annual Report for 2003 published
‘‘I found it was necessary to prosecute two legal firms to make them fulfil their statutory registration requirements with my Office’’ said Data Protection Commissioner, Mr Joe Meade, today 6 April, at the launch of his 2003 Annual Report. Though these were the first ever prosecutions taken by a Commissioner since the Office was established in 1989 - and were successful - further prosecutions will, if necessary, be taken in future against anyone who breaches the Acts [ p 21]. He aims to have a practical and partnership approach to his work however.
New data protection legislation came into effect in July 2003. It increased the Commissioner’s powers, enabled him to be more proactive and to carry out audits and inspections. 2003 was extremely busy for his Office (it is to be decentralised) with activity overall increased by on average 25%.
He restates his view that a proportionate response be taken for anticrime and national security measures, as otherwise peoples’ human right to privacy could be diminished. In that regard he has suspended judicial review proceedings begun in 2003 against the Minister for Justice pending the enactment at an early date of legislation regarding the retention of communications traffic data. [p 4]. He also satisfied himself by on site investigation that the Gardai only got access to phone records in a proper and legitimate manner.
It would be disproportionate to introduce a Garda vetting facility in respect of all employment sectors as a form of State-endorsed character reference. Its function is to identify individuals who are unsuited to certain types of employment by virtue of a real or perceived risk that they might present. [p 47].
Storing Biometric data centrally should not be necessary except in very limited circumstances [p 50 ] while legislation alone is not the ‘silver bullet’ to combat SPAM [p 42]. The processing of Genetic data poses special problems and needs to be dealt with appropriately [p 51]
Investigations
The Commissioner’s Report gives details of his investigations into complaints made by individuals, who were concerned about the use of personal data. Among the issues considered by the Commissioner were:
· FOI – The Commissioner stopped the Minister for Communications, Marine and Natural Resources continuing publishing the personal details of people who made FOI requests to his Department on the website. The Commissioner wanted to ensure that a person should be able to exercise his/her legal rights under Freedom of Information legislation without having to forego their privacy rights [p 45].
· Drogheda Hospital investigation– Patients were concerned that their medical records were sent for review without their consent when a consultant’s procedures raised concerns. The Commissioner did not accept this as patient care, and preventive measures taken made the actions appropriate [p 28]. Similarly a hospital was correct in seeking a review of another medical consultant’s action without getting his prior consent or that of his patients [p 38]. In another complaint a doctor acted properly in refusing to release a person’s medical file [p 33]. Data protection law does not prevent appropriate measures being taken especially in the medical area.
· PMI Ltd. marketing database caused minors to be marketed for a credit card – Due to an administrative error by PMI in compiling a marketing mailing list, minors were marketed for a credit card by a bank. The bank had rented the mailing list in good faith from PMI. [p 30]. His Report contains guidance notes that consent to market minors must be of a high nature and he cautions marketers accordingly. [See p17 of report].
· Realm Communications and SMS messages – The Commissioner ruled that unsolicited automated SMS marketing messages were wrong and in breach of the law, and any future such actions will be prosecuted by him in line with new regulations to combat SPAM.[ p 34]
· A head hunting employment firm should not have disclosed one of its client’s details to his current employer. [ p35]
· Aer Lingus did not breach data protection principles when members of IMPACT were not paid pay increases while SIPTU members were [ p 36]
· Baptismal Records of the Catholic Church – These are a statement of fact and need not be deleted when a person no longer wishes to be classed as a Catholic.[p 37 )
Enquiries and Complaints
The Data Protection Commissioner noted that the number of enquiries with his Office was in the region of 10,000 which was a significant increase from previous years while the official Data Protection website, www.dataprotection.ie, recorded approximately 30,000 ‘hits’ during the year. The most common specific queries related to general information; the right to access personal data; the credit reference system; direct marketing and medical matters. The Commissioner noted that the complexity of enquiries was increasing. [pgs 15/16]
The number of formal complaints concluded in 2003 was 199 while 258 new complaints were received (189 in 2002). Indeed for 2004 some 140 have been received to date. Complaints mainly concerned organisations in central and local government (9%); direct marketing sector (12%) and SMS (10%); public services (15%); financial services (14%); telecommunications and IT sector (9%); health and medical sector (7%). The Commissioner indicated that 20% of complaints were upheld, 18% were not upheld, while 62% were resolved informally. [pgs 19 /21]
Registrations
Registrations with his office rose by 28% to 4,618 (fee income of €455,000 compared to €350,000 in 2002) due to a more proactive approach. [p 21]
[Note: The Annual Report is available for download in PDF version from the Data Protection Commissioner’s website : www.dataprotection.ie]
Media Queries Mr Seán Sweeney
Telephone (01) 874 8544
Fax (01) 874 5405
eMail mailto:
Website www.dataprotection.ie