Latest Data Protection Newsletter
Ambit Compliance
Supporting you with bespoke solutions for your unique compliance needs
What caught our eye...
October was Cybersecurity Awareness Month, and Ambit Compliance's two-part podcast with Paul Johnstone from the Garda National Cyber Crime Bureau covers topics which should always be at the forefront of your mind. Please feel free to listen at the following link.
Here's what caught our attention in October 2022!
IRELAND: New guidance from the Data Protection Commission on processing Data Protection Subject Access Requests (SARs) was issued on 5th October 2022. This guidance is available here, and key points include: what is reasonable when verifying the identity of a data subject when a SAR is received, and time limits for responding to a SAR, with particular importance placed on clarification of the request. Whilst previous practice may have allowed time to 'stop' or 'pause' when awaiting clarification from the requester to narrow the scope of the request, this new guidance explains that time continues to run and the Data Controller should aim to respond within the statutory one-month timeframe.
IRELAND: While not strictly GDPR or DP related, a new Court of Appeal decision relating to 'vexatious' Freedom of Information (FOI) requests has found that "a pattern of conduct existed that amounted to an abuse of the FOI process," which is a material decision, as the current legislation states that FOI requests should be considered on a 'standalone basis'. Will this approach be adopted for, or have an impact on, repeat SAR requesters? Time will tell.
NETHERLANDS: A remote-working Dutch employee who was fired by his employer based in the United States for not keeping his webcam on during work hours has been awarded €75,000 in damages by a Netherlands court. The employee commenced legal proceedings in his home country over charges of unfair dismissal. The court quoted the European Convention for the Protection of Human Rights and Fundamental Freedoms, stating that video surveillance of an employee in the workplace, whether covert or not, should be considered an intrusion into the employee's private life.
UK: Interserve Group Limited - 24th October 2022. Between 18 March 2019 and 1 December 2020, Interserve Limited ("Interserve") failed to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR. This rendered Interserve vulnerable to a cyber-attack (phishing email) which took place in the period 30 March 2020 to 2 May 2020 and affected the personal data of up to 113,000 employees of Interserve. Fine by the Information Commissioner's Office (ICO) - £4,400,000.
The moral of the story is...
Each month we analyse a decision of the Data Protection Commission to understand what it means for companies big or small.
This month we have taken a closer look at a DPC case study regarding a hotel's handling of an individual's access request (source: DPC Annual Report 2021).
What happened?
A complaint was received from an individual who had submitted an access request to a hotel (the data controller) for a copy of all information relating to them (a Subject Access Request). The hotel asked the requester to provide:
1. a copy of a utility bill; and
2. a copy of photo ID verified by An Garda Síochána.
The DPC asked the data controller to set out the particular concerns it had regarding the identity of the requester in circumstances where the postal address and email address being used by the requester were the same as those provided by them during the booking and check-in process at the hotel. The data was subsequently released to the requester.
What did the DPC say?
In relation to the general approach to requesting ID where data subjects seek to exercise their rights, the DPC stated that controllers should only request the minimum amount of further information as is necessary and proportionate to prove the requester's identity.
Seeking proof of identity would be less likely to be appropriate where there was no real doubt about identity; but where there are doubts, or the information sought is of a particularly sensitive nature, then it may be appropriate to request proof. Bearing in mind the general principle of data minimisation, seeking more information than that already held as a means of proving identity is likely to be disproportionate.
What does that mean for my organisation?
Data Controllers should only request the minimum level of identity verification that is proportionate to the information provided to the Data Controller in the first instance. For example, if all that was required to book the hotel was an email address and home address, then proof of these (if there is doubt) should be all that is required to process the request.
In cases where special category personal data is in fact involved, additional information may be proportionate, but only that which would be sufficient to confirm identity, having regard to the data already being processed.
1. Have clear, established Policies and Standard Operating Procedures to follow when receiving and responding to a Subject Access Request as a Data Controller;
2. Educate all staff on how to recognise, record and enact the relevant SAR Policy/Procedure;
3. Have a DPO or Data Champion who can advise or assist with complicated requests which may be unusual or large; and
4. Ensure training is up-to-date on GDPR/Data Protection and Data Breach Management to run alongside the SAR policy, to prevent any unauthorised disclosure, deletion or omission.
Tales from the Coalface
Recently, while providing GDPR awareness training and creating awareness around data breaches, we have been asked a number of common questions from a compliance perspective. Here we answer the basic principles required for understanding a breach as a quick FAQ.
Q. What is a Personal Data Breach?
A. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
Q. What should you do when a suspected breach has occurred?
A. The GDPR says that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the DPC if required. Remember C.A.N. (Contain, Assess, Notify):
· Contain it – Initial action to contain the breach is paramount. Recall the email, delete the disclosure, conduct a search of items containing personal information, and notify relevant authorities, such as the Garda, to assist if necessary;
· Assess it – Consider the volume of data subjects, the type of personal information involved in the breach, and the likelihood of significant harm that could be suffered by the data subject(s) as a result of the breach;
· Notify your DPO or Data Protection (DP) Contact – They will assist in further assessing the breach and, if there is ANY risk to the rights and freedoms of the data subjects, they will assist in notifying the regulator (see next step!);
· Notify the Data Protection Commission (DPC) if required – The timeframe to report a breach is 72 hours from the time you, the Data Controller, became aware. Based upon the decision of the DPO/DP contact, complete the DPC report form to submit the report for further assessment; and
· Notify data subjects if the risk is HIGH – The risk rating of the breach is based on the severity of the breach, the likelihood of harm and the volume of personal data involved.
Q. Are there ways to limit the likelihood of data breaches occurring?
A. Yes! As with most things, prevention is better than cure, so well-established and ratified policies and/or procedures relating to GDPR, Data Protection and Data Breach Management are essential. Some useful tips are as follows:
· Regular and relevant GDPR training to ensure staff awareness of how breaches occur and how best to prevent them;
· Train staff on the usage of your systems – all staff members should use systems in the same manner;
· Implement specific technical and organisational measures: a Clear Desk Policy, a Cyber Security Policy and Multi-Factor Authentication;
· Apply the data minimisation principle throughout the company, so that only necessary personal information is processed by staff.
Q. What is the purpose of the data breach assessment process?
A. The key principle is NOT to assign blame, but to look at how the breach occurred and provide learnings for individuals and the company. The assessment process is not a fault-finding exercise, but an essential process in a good, functional data protection policy. The key is to work with your DPO or Data Protection Contact to ensure compliance. And when unsure... ask for guidance!