Tracking Access and Ensuring Compliance: Data Protection Case Study
The latest Annual Report of the Data Protection Commissioner has been published, giving an insight into how organisations, citizens and regulators are tackling the issues in this fast-moving field. Even more than the statistics and analysis, I often find that the case studies published in the report are very illuminating. They show how things can go wrong - or indeed be handled quite correctly - in Irish organisations handling personal data. They also provide some indication of how the Commissioner will view these everyday data protection issues. One case - involving An Garda Síochána - was particularly intriguing.
What Happened
The Commissioner received a complaint from a couple against An Garda Síochána (AGS), concerning the loss of an evidence file which included quite sensitive personal data regarding medical treatment. The couple had previously made a criminal complaint to AGS and then made an access request. When they did, however, it emerged that the file - containing their original statements, a DVD and postal documents - had been misplaced.
When the Commissioner studied the 'chain of custody' of the file, it quickly became apparent that it was last seen in the investigating officer's possession. That officer had been instructed by a superior to update the couple about the criminal complaint and then to return the file to the District Office for filing. However, the file wasn't returned, and was then lost.
The Decision
Even though the officer's failure to return the file breached AGS procedures, and he was disciplined over the incident, the Commissioner held that AGS had breached the Data Protection Acts. Why? As a data controller, it failed to take appropriate security measures to ensure the safe storage of the complainants’ sensitive personal data which was contained on the evidence file in question.
Insights
As the Commissioner writes, "this case demonstrates that the obligation on a data controller to maintain appropriate security measures goes beyond simply putting in place procedures regarding the storage and handling of personal data. Such procedures are only effective as a security control if they are consistently adhered to." Data controllers, the Commissioner adds, should take meaningful steps - including training, auditing and potential disciplinary measures for non-compliance - to ensure that staff follow the rules.
Of course, to do this, it's also important that you are able to track when data is accessed, and who has possession of a file at a given time. If you're not doing this already, it will be impossible to monitor and audit staff compliance with procedures. Moreover, if something goes wrong and the Commissioner comes calling, you won't even be able to supply the 'chain of custody' for the personal information. Particularly in the context of sensitive personal data, this could make life very messy very quickly.