Case Studies Data Breach Notification
Inappropriate disposal of materials by an educational institution
A health science focused university notified the DPC of a breach arising from inappropriate disposal of materials containing personal data. An employee worked from home on a recruitment project. The employee worked on printed copies of a number of job applications and accompanying CVs. The organisation had instructed employees working from home to minimise printing and to destroy documents before disposal. However, the employee placed the recruitment documents intact into a domestic recycling bin. High winds caused contents of the bin, including the recruitment documents, to be dispersed.
In concluding its examination of the breach, the DPC made a number of recommendations. These focused not just on the work practices of employees, but most importantly on the technical and organisational measures of the controller. While it is important for staff to understand and implement good data protection practices, it is the responsibility of the controller to ensure that they do so and have the means — including, where appropriate, devices such as shredders — of delivering the required standard of protection.
Disclosure due to misdirected email
A notification was received from a statutory body whose functions include the investigation of complaints concerning experts’ professional conduct, training or competence. The personal data breach occurred when a letter concerning a complaint against a specialist was attached to an email and sent to an incorrect address. The attachment contained personal data of several persons, including health data, and was encrypted. However, the password for the encrypted letter was issued in a separate email to the same incorrect address.
The nature of the personal data and the context all indicated a high risk to data subjects. The DPC accordingly confirmed that all affected persons had been notified of the breach, the risks and measures being taken in response to them, as required by Article 34 of the GDPR. The DPC reminded the organisation of its continuing obligation to secure personal data that was accidentally disclosed, and of the importance of ensuring security when emailing personal data. The statutory body has undertaken a review of all its data protection processes, policies and procedures.
Misaddressed emails are one of the most common causes of breaches reported to the DPC. Encryption is a valuable tool that can help to protect against accidental disclosures. However, it is advisable to use a separate medium — such as a telephone call or SMS message — to send the password, as a single mistake in an email address can negate the benefits.
Repeated similar breaches
Over a period of 12 months, the DPC received notifications of a series of similar breaches from a data controller involved in financial matters. The controller sold services through a nationwide retail network owned and operated by a third party, which acted as its processor. The breaches occurred when existing customers of the controller made purchases at the processor’s outlets, but used an address different from the address they had previously registered with the controller.
Recent changes to the controller’s customer database systems had not been fully coordinated with those for sales, resulting in sales documents containing personal data being sent to customers’ old addresses rather than their new ones. The controller had instructed the processor not to accept purchase requests until changes of address had been registered, but some counter staff did not consistently follow the correct procedures.
When the DPC flagged the pattern of breaches, the controller agreed that there was a systemic problem that required attention by its senior management. While a technical solution was being designed and tested, the controller and processor adopted interim measures including re-training of staff, increased supervision, and a notice that appeared on screens used by processor staff when effecting sales, prompting them to confirm that the customer’s current registered address was correct. The controller implemented the changes in its IT systems to prevent sales documents being sent to incorrect customer addresses, and the recurring breaches ceased.
Breach Notification (12 Credit Unions) Processor Coding Error
The DPC received separate breach reports from 12 credit unions that employed the services of the same processor, which was based in the UK. The breach by the processor arose from a coding error made by the processor when implementing measures introduced in response to the Covid-19 pandemic.
Credit unions are required to report information to the Central Bank of Ireland concerning their borrowers and the performance of their loans. The Central Bank utilises this information to maintain the Central Credit Register (or CCR). Lenders and credit rating agencies in turn use this information to verify borrowers’ debts and credit histories. A large number of lenders, particularly credit unions, use the services of data processing companies to prepare such CCR returns and forward them to the Central Bank.
During 2020, the Irish Government introduced a series of measures to mitigate financial distress caused by the pandemic and resulting lockdowns. These included measures allowing financial institutions to pause loan repayments without adversely affecting borrowers’ credit ratings. Lenders were instructed to use particular codes in the CCR returns to flag paused loans. This was intended to prevent those loans being interpreted as delinquent or otherwise suggesting that the relevant borrowers’ creditworthiness had deteriorated.
In this incident the processor employed by the 12 credit unions used incorrect codes on CCR returns dealing with paused loans. The incorrect codes indicated that the borrowers affected had undergone a ‘restructuring event’ — a restructuring event typically occurs when a borrower is unable to repay a loan over the agreed period, and the lender agrees to change the loan’s terms to improve the borrower’s ability to repay. This can greatly reduce a borrower’s credit rating, so an inaccurate CCR record of a restructuring event could have serious consequences for the persons affected.
The credit unions in question became aware of the processor’s coding error in relation to their CCR returns several weeks after the processor first sent CCR returns for them using the incorrect codes to the Central Bank.
Breach Notification (Financial Sector) Bank Details sent by WhatsApp
A private financial sector organisation notified the DPC that a customer had made a request to obtain their IBAN and BIC numbers, which were held on file. The customer making the request was personally known to the member of staff dealing with the request. The member of staff, deviating from approved practices, used their personal mobile phone to send a picture of what they believed to be the requested information over a messaging platform (WhatsApp). However, the staff member erroneously sent details pertaining to another customer to the requesting customer.
The customer who received this information contacted the organisation to advise that the information received did not relate to their account and that they had undertaken to delete all offending material from their device. The organisation communicated with staff to remind them that only authorised methods of communication should be utilised when handling future requests of this nature. The organisation has also issued an apology to all affected data subjects.
The DPC issued a number of recommendations encompassing the use of only approved organisational communication tools, making staff fully aware of acceptable and non-acceptable behaviour when using organisational communications tools, and ensuring staff have undergone appropriate training in terms of their obligations and responsibilities under the provisions of the GDPR and the Data Protection Act 2018.
Breach Notification (Voluntary Sector) — Ransomware Attack
In May 2020, the DPC received a breach notification from an Irish data processor and subsequently a notification from an Irish data controller operating in the voluntary sector who had engaged this processor to provide webhosting and data management services.
The breach related to a ransomware attack that occurred in the data centre utilised by the data processor, and which was the result of malware gaining access to the server via a Remote Desktop Protocol (RDP) port.
The DPC engaged with both the controller and the processor through a number of communications, including the issuing of technical and organisational questionnaires focusing on areas of potential non-compliance with data protection regulation. These areas included the processor’s use of a data centre within the US to store back-up data without adequate agreements and sufficient oversight by the controller over its processor, as required under Article 28 of the GDPR. The DPC engaged intensively with both parties and concluded this case by issuing recommendations to both controller and processor. Thereafter the DPC continued to engage with both parties to ensure that implementation of the DPC recommendations had occurred.
Disclosure of CCTV footage via social media
A commercial and residential property management company notified the DPC that an employee of a security company whose services they retained had used their personal mobile phone to record CCTV footage of two members of the public engaged in an intimate act, which had been captured by the management company’s security cameras.
The video taken was subsequently shared via WhatsApp to a limited number of individuals. The business advised the DPC that they communicated to staff who may have received the footage that they must delete it and requested no further dissemination of the video.
Both the property management company and the security company were able to demonstrate that adequate policies and procedures did exist; however, appropriate oversight and supervision to ensure compliance with these policies and procedures were lacking.
Following recommendations made by the DPC to the property management company, the company has subsequently engaged with its staff to deliver further data protection training with an emphasis on personal data breaches. In addition, further signage was displayed prohibiting the use of personal mobile devices within the confines of the CCTV control room.
Loss of control of paper files
A public sector health service provider notified the DPC that a number of files containing patient medical information had been found in a storage cabinet on a hospital premises which was no longer occupied.
The records were discovered by a person who had illegally gained access to a restricted premises and subsequently posted photographs of the cabinet containing the files on social media. The public sector organisation in question informed the DPC that, having become aware of the breach, it sent a representative to locate and secure the files. The files were removed from the premises and secured.
This breach highlights the importance of having appropriate records management policies, including mechanisms for tracking files, appropriate secure storage facilities and full procedures for the retention or deletion of records. The DPC issued a number of recommendations to the organisations to improve their personal data processing practices.
Loss of paper files in transit
The data controller, a public body, notified the Data Protection Commission (DPC) about an incident involving the transportation of hard-copy legal files containing special-category personal data, which risked the personal data falling into the hands of unauthorised individuals.
The controller had contracted a courier company to transport the files to another department, but the files went missing in transit. It transpired that the controller did not retain a backup of the original files, resulting in a loss of personal data. The controller did not have sufficient procedures in place for the secure removal and storage of hard-copy files that contained special-category personal data. The breach could have been prevented had the organisation properly considered its requirements when transporting such materials to another location and the inherent risks involved in such activities, and implemented more secure measures to ensure the protection of personal data.
Website phishing
A private sector (educational) data controller reported an incident of phishing, where a staff member had clicked on a suspicious website link and entered their credentials, resulting in their email account becoming compromised.
The data controller had not enabled multi-factor authentication on its email accounts. Had this technical measure and appropriate cyber security training been in place from the outset, this data breach may have been preventable.