DPC looking at State’s ‘potential breaches’ of GDPR

Complaint alleges interference with independence of data protection officer

The Irish Times - Business - BUSINESS NEWS - ELAINE EDWARDS

The Data Protection Commission has said it is investigating “potential breaches” of the General Data Protection Regulation by a Government department, following a complaint that it allegedly interfered with the role of its data protection officer, an offence under the EU legislation.

The complaint is being taken by Digital Rights Ireland on behalf of technology journalist and Irish Times columnist Karlin Lillington.

The provisions under Article 80 of GDPR allow an individual to nominate a not-for-profit body acting in the public interest to lodge a complaint with a national regulator where he or she alleges infringements of their rights under the EU law. Digital Rights Ireland is a data privacy advocacy group.

GDPR also allows such not-for-profit bodies to seek “an effective judicial remedy” on behalf of such complainants, where they believe their rights have been infringed.

The complaint was made after it emerged in August that the secretary general of the Department of Employment Affairs and Social Protection ordered changes to the department’s online privacy policy to remove a reference to its collection of people’s biometric data.

Repeated denials

This followed repeated denials by the department that it processed biometric data in relation to the public services card, even though it holds more than three million photographs of individuals on a facial image matching system.

The changes were made when the data protection officer was on leave and records obtained under the Freedom of Information Act in August revealed the officer said he would not have agreed to the changes and that they were not discussed with him.

Digital Rights Ireland wrote to Minister for Employment Affairs and Social Protection Regina Doherty after the records were obtained by The Irish Times, alleging “serious interference” with the role of the data protection officer (DPO).

The rights group said the DPO was first excluded from a decision to make changes to the privacy statement and was then “given instructions regarding the exercise of his functions”. Both actions constituted violations of the GDPR, it alleged.

Senior investigator

In response to the complaint on November 23rd, a senior investigator with the Data Protection Commission replied that having examined it, “we consider that potential breaches of the GDPR have been highlighted”.

The commission said it was “making enquiries into this matter” with the department and would provide an update “within the next month”. However, on Wednesday evening the Department of Social Protection said it was “unaware” of any investigation into the independence of the data protection officer.

Under GDPR, the data protection officer must be independent and an organisation employing one is not permitted to give them any instructions regarding the exercise of their tasks.

An infringement, for an organisation other than a public body, could potentially carry a penalty of up to €10 million. However, Irish legislation has limited any potential fines levied on public bodies to €1 million.
