The Data Protection Commissioner (Commissioner) has warned that
a recent landmark prosecution of three companies for data
protection breaches demonstrates that there will be "severe
consequences" for organisations which are found to have
breached data protection law.
The three companies, all insurance firms, pleaded guilty in
February 2012 to having illegally used a private investigator to
obtain social welfare information on a number of their customers.
The information, which included PPS numbers, dates of birth,
addresses, details of employment and earnings and social welfare
claims, was obtained by the Commissioner via a leak from the
Department of Social Protection.
The Commissioner's 2008 "Code of Practice on Data
Protection in the Insurance Sector" sets out specific
guidelines in relation to the disclosure of personal information to
Following the guilty pleas from each of the firms, no criminal
convictions were imposed, with the judge applying the Probation of
Offenders Act on the condition that each of the firms donated
€20,000 to charity.
Each firm also provided evidence to the Commissioner that they
had substantially improved their systems and procedures and are
seeking to be fully compliant with data protection law.
Following on from this ruling, a separate Garda (Irish police
force) investigation has been instigated relating to the leak from
the Department of Social Protection.
In a linked civil case, damages amounting to €15,000
were awarded based on a finding that an insurance firm had used
personal data (obtained in breach of its data protection policies)
to deny an insurance payout following the theft of a car. This was
the first time the Circuit Court had been asked to consider a
breach of data protection law and appears to be the first case
publicised in this jurisdiction where damages were awarded for a
breach of data protection rights.
The Commissioner released a statement to the effect that it was
not thought that this was an isolated case and that these
proceedings should be seen as an indication of the strong position
the Commissioner will take on the protection of personal data.
Importantly, the case highlights the more stringent approach the
Commissioner is now prepared to take with regard to the use of
consumers' personal information in the business environment.
Indeed, in his Annual Report for 2011, which was published on 30
April 2012, the Commissioner warned that he will use his
prosecution powers against organisations that persist in infringing
the law, noting that he had brought a total of 54 prosecutions in
In light of this, all industries dealing with personal data,
including financial institutions and insurers, should view data
protection compliance and procedures as a priority and consider it
a key part of their everyday operations.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.