Data Protection Commissioner can’t protect their data – Leaked Annual Report for 2007

Below is the press release going out at 11am tomorrow from the DPC but I found it by accident on their site and the full report is here. It’s kind of pathetic that you can actually access the full report from their site because of a badly configured publishing system.

UPDATE: Report is now here.

Once again the report is a crock with investigations that don’t go anywhere with eircom and Newtel reoffending. Newtel got mentioned in 2005, 2006 and 2007. Four in a row next year?

The Data Protection Commissioner launched his report for 2007 today. He has emphasised the responsibility of public and private sector organisations to respect the privacy of those who entrust them with their personal information. Equally the Commissioner has also drawn attention to the need for an appropriate balance to be struck between the ever increasing desire to seek the personal data of all of us as part of the security agenda and the individual’s right to privacy. In this respect he raises the question, “Have we not succumbed to terror and submitted to extremism when we loose the liberty to live our lives without constant intrusion by the State in the name of security?”

Enquiries and Complaints
During 2007 the Office of the Data Protection Commissioner opened 1,037 new complaint investigations, up substantially from 658 in 2006. This very large increase in the number of complaints relates in part to an increase in complaints in relation to unsolicited text (SMS) messages. The Report updates on the actions which the Commissioner has taken to address this issue. He currently has more than 350 prosecutions before the Courts in this area. These prosecutions follow strong action taken by the Commissioner who sent teams of investigators into the premises of those involved to collect evidence. The Commissioner has increasingly made use of his powers to send his officers into premises which contain personal data without notice to ensure that data protection requirements are being met.

The Report updates on the Commissioner’s actions in relation to the issue of unauthorised access to personal data in the public sector, a large number of complaints received in relation to the marketing practices of Sky and also includes case studies of a number of specific investigations into the use of personal data including:

• The use made by Baxter Healthcare of two medical reports relating to a former employee;
• The inappropriate use of CCTV footage by the West Wood Club in Sandymount and covert CCTV by the Gresham Hotel in Dublin;
• Suspension of the operations of a cold-call marketing operation by Newtel communications;
• Inappropriate disclosure of employee information by Aer Lingus;
• A very serious case of inappropriate access to personal information held by the Revenue Commissioners;
• The failure to supply a reasonable means for opting-out from email direct marketing by Ryanair.
• Extensive engagement with Eircom following the receipt of a large number of complaints in relation to unwanted marketing telephone calls. This resulted in a €35,000 donation by Eircom to charity to resolve the complaints
• Excessive information of local residents retained by Croke Park
• Unsolicited email marketing by Tesco arising from technical difficulties

In addition to actual formal complaints received and progressed, the Office dealt with approximately 20,000 telephone enquiries together with over 4,000 email enquiries and a smaller number of enquiries by post.

Other Activities
In a wide ranging report on his Office’s activities for 2007 that reflects the variety of issues the Office is called upon to address, the Commissioner also focuses on:
• The benefits that flow from an increasing awareness of privacy and data protection issues on the part of members of the public, the media and institutions holding our data;
• The occasions when he was obliged to resort to the use of his legal powers to protect and promote the interests of data subjects;
• The responsibility of private sector organisations to protect the personal data of their customers and clients;
• Breach notifications as an example of good practice;
• Developing codes of practice within particular sectors and public bodies to allow a better understanding of data protection requirements among those entrusted with personal data;
• The continuing challenges posed by new technology and the use made of the internet.

The Commissioner has taken the opportunity to highlight his engagement with Government on a variety of issues including the proposed DNA database, the intention to introduce what is known as an “eBorders” system to track all of our movements as we enter and leave the country and a very satisfactory outcome in terms of ensuring that the planning system respects privacy while maintaining transparency.

The Report also includes for the first time an unscientific list of the top ten threats to privacy as identified by the staff of the Office of the Data Protection Commissioner. This list, which is by no means authoritative, is intended to provoke discussion of privacy issues.

23 Responses to “Data Protection Commissioner can’t protect their data – Leaked Annual Report for 2007”

  1. […] the meantime, drop by Damien’s and see how the Data Protection Commissioner’s office can’t protect its landmark yearly report on its we…. Pre-publication a document on a site before release is dicey… You never know who is snooping […]

  2. Protecting whatever data we give to any trusted companies or organizations are the trusted parties’ job. However, we, knowing that in this world of high-paced technology, should take part on taking care of our personal security. We should be vigilant on giving out our personal informations to anyone. I’m not saying that big companies that require us to give personal infos like SSN #s should not be trusted. But like stated in this report, we should not trust them immediately. As much as possible, if some personal infos are really not required to be given, do not give. Find alternatives. It’s sad to hear that the DPC can’t protect their own data.

  3. Smoke says:

    Well this has succeeded in giving the press an new angle on an other-wise dull story.

  4. […] you may want to subscribe to my site using a feedreader or email. Thanks for visiting – Damien.Looking for this? drill down 11 10.09% drill down 6 5.50% damien mulley drill down 4 3.67% data protection […]

  5. tipster says:

    Ohh err… RTÉ reported your “hack” this morning:

  6. Damien says:

    Glad they’re linking to the report. 🙂

  7. John says:

    @damien; Report has been removed from the link RTE has provided with a message saying that

    ERROR 404: The file you requested cannot be found.

    Our site has been redesigned and many documents have new locations.

    Please use the “Search” box below to assist you.


  8. Jack the Rat says:

    The world needs people like Damo…….ever onwards m’lad.

  9. 73man says:

    Quoth RTE: “A blogger succeeded in getting access to information…”

    By cleverly going to the DPC site and downloading the report….how does he do it?

  10. Justin Mason says:

    Nice work D! Looks like their web guys —, going by the HTML comments — have a little explaining to do….

  11. Justin Mason says:

    oh, hey, here’s a link to their site. Maybe they’ll check their referrer logs 😉

  12. […] Mulley was on the radio talking about the report this morning: Real Audio […]

  13. Cian says:

    Nice to see the Herald libeling you today Damien.

  14. Cian says:

    for reference the front page headline is “PRIVACY CHIEF CAUGHT OUT BY HACKER”, no names that I can see, but probably enough to take them to the cleaners in Ireland. I hope…

  15. le craic says:

    I just don’t see the big deal about this? w

  16. […] something. Below, you can see the relevant parts of the article. Now, what actually happened is set out here : the blogger in question simply linked to a document that was available on the website (though […]

  17. steve white says:

    well it ensured damien got to get on the radio(maybe he would have anyway) to put across a view that I think we all agree with that the data commissioner is weak

  18. tipster says:

    waider describes it as a cheap shot:

  19. simon says:

    OK. Hands up who else here has owned the front page of the Evening Herald and had a slot on his usual – RTE’s Boring Ireland on the same day. It’s not like Damo even issued a press release (or did you?).

    Just another case of “new meeja” makes news – err…. again.

  20. Todays Irish Independent –

    “Pity then, that some technological delinquent saw fit to hack into the veritable Fort Knox of our information banks — the Data Commissioner’s very Office — to release the information before Mr Hawkes’ appointed hour of publication. Larceny on such a scale; stealing the very bark from the State’s own most exalted watchdog, is enough to give Holmes and Watson indigestion. ”

    Is that you Damien?

  21. Damien says:

    Diarmuid, it seems obvious from the casual reader that the Indo are equating me to being a criminal and nefarious character of some sort. They must still be smarting from when I said their editor and his ilk were technological dinosaurs within earshot of O’Regan, thus them suggesting I’m a technological delinquent.

  22. barry says:

    Damien, great stuff, pity your intelligent use of knowledge about website structures gets more publicity than the real issue, the apalling lack of action on data abuse. There was a story earlier in the year that one of the staff caught in the Dept of Social Welfare was ‘allowed’ to resign…. instead of being fired/charged……

    Chalk on the radio said that ‘some’ staff were no longer with the department as a result of abuse of their positions, I wonder what ‘no longer with’ means???

    Bye, Barry

  23. […] they let people reoffend again and again. 2007 they let someone go after harassing thousands because it was their first […]