Data Protection – What are your Obligations?
In today’s increasingly data-driven world of commerce, the assimilation, collection, processing and storing of data is almost an unavoidable reality for business owners. But what are the implications of this new commercial landscape; what are the obligations and what are the potential pitfalls faced? Two recent cases prosecuted by the Data Protection Commissioner demonstrate that there is no room for dropping your guard in seeking to meet the high standards set out in legislation.
In the first of these cases, a private investigator firm was successfully prosecuted for the manner in which it gained access to and processed personal information. The private investigators, in seeking to discover the addresses of debtors, had resorted to using personal information originally lawfully held by their principals – credit unions. By using this information, the investigators were able to obtain further details relating to the debtors in question by communicating with other sources, including the HSE and Dept. of Social Protection. It was apparent that the private investigators misrepresented themselves to achieve this end.
Personal Liability of Directors
The above gave rise to clear breaches of the data protection legislation, but the significant feature of this case is that for the first time since the enactment of the data protection legislation, company directors were successfully prosecuted for offences nominally committed by the corporate entity itself, but with the consent or knowledge of the company directors.
It is clear that this development may have serious implications outside the factual matrix of the case; in particular, Company Directors should understand that they may be held liable and prosecuted for breaches of the data protection legislation where the offence is committed by the company itself.
Obligation to Register as a Data Processor
In an even more recent case involving a very similar set of facts, and again for the first time under the Data Protection Acts, a private investigator (MJG Investigations) was successfully prosecuted for processing personal data without having first registered with the Data Protection Commissioner’s Office. In this case, which involved the obtaining of data from the ESB and An Garda Síochána, the defendant was also convicted of obtaining personal data without the prior authority of the data controller charged with storing that data.
In the course of the case, the Data Protection Commissioner criticised the Credit Unions for their consistent failure to conduct due diligence enquiries prior to engaging the Private Investigators and passing on to them the personal data of data subjects. This should raise the concern of any persons or bodies involved in the retention or storing of customer or client databases, access to which should be strictly controlled.
The above cases send out a strong message that, as fast as technology is developing and the boundaries of privacy are being stretched, the Office of the Data Protection Commissioner intends to vigorously monitor and enforce the legislative provisions with which it is charged. It is therefore vital that all persons engaged, to whatever extent, in the collection or processing of personal data do so with the security of an updated and coherent data protection policy in place.
Should you wish to discuss how we can assist your business in ensuring that it is on top of its data protection obligations, or if you are unsure as to how the above issues may affect you, please contact Regan Solicitors and we will be delighted to clarify the issues for you.