The Defence Forces will review its data protection rules after an officer lost crucial notes

A report from Ireland’s privacy watchdog also shows Facebook brought in new policies after ‘intense’ negotiations.

By Paul O'Donoghue

THE DEFENCE FORCES launched a review of how it holds information after a former army officer lost notes relating to an official complaint, according to Ireland’s data watchdog.

The case was one of a string included in the Irish Data Protection Commissioner’s annual report, in which it reported a rise in the number of reported data breaches last year.

The number of ‘valid’ violations it was notified about was up 6% to more than 2,300 in 2015 and the privacy watchdog outlined several instances involving significant breaches.

One described how a Defence Forces officer failed to keep another army member’s data secure after being appointed to handle their complaint.

When the Defence Forces Ombudsman was brought in to review the matter, it was found that notes of an interview that the inspecting officer carried out with the complainant were unable to be produced.

The notes had been stored at an “unsecure location”, later found to be the officer’s house, and were “damaged or lost following flooding and a burglary at that location when the (officer) was on an overseas mission”.

data commissioner breach notifications Breach notifications are on the up
Source: Data Protection Commissioner

The Data Protection Commissioner said that the Defence Forces “unequivocally acknowledged that the loss of the data in this case should not have occurred and was fully regretted”.

The commissioner added that the Defence Forces “informed us that it had recently undertaken a full review of practices and procedures in respect of both the processing and disclosure of data to mitigate the possibility of any future unauthorised or accidental disclosure of personal data”.

Facebook privacy rules

Elsewhere, the data watchdog advised that Facebook Ireland had announced new privacy rules in September 2015 following “intense engagement with the office over a number of months”.

These rules allow users to opt out of “online behavioural advertising” through Facebook.

This means that once a user rejects the service, Facebook will apply the choices that have been made everywhere they use the social network across all their devices.

Online behavioural advertising generally refers to how companies collect information about user’s online activity, like what websites they visit.

Facebook Ireland recently elevated its Dublin-based head of data protection and privacy to its board ahead of an anticipated European showdown over its data regime.

Other issues

Overall, the commissioner dealt with over 31,000 queries and received 932 complaints during the year, down slightly from 960 in 2014.

data commissioner complaints Complaints are down from a peak in 2012
Source: Data Protection Commissioner

It also carried out 51 audits and inspections “including those on major holders of personal data in the public and private sectors”.

These audits found a number of issues, including:

  • Some insurance companies held penalty-point data beyond the legal limit of three years. The commissioner said it is engaging with the companies audited “to agree on an acceptable retention period and archiving solution”
  • Excessive use of CCTV systems by many organisations, which the commissioner said should only be used for operations activities, like health and safety, and not for purposes like staff monitoring
  • A lack of a data retention policy among many groups. The commissioner said that bodies need to be clear about what information they are retaining, for how long and why

The watchdog’s running costs amounted to just under €3 million during 2015, up from slightly less than €2.3 million the year before.