Cyber Risk & Data Privacy

Subscribe to Cyber Risk & Data Privacy via RSS

Dublin District Court, yesterday, convicted a private investigator on two charges of unlawfully obtaining personal information from the Garda Pulse system and disclosing it to without authority.  He was fined €2,500 for each offence. 

Pursuant to section 22 of the Data Protection Acts(DPAs) 1988 and 2003, it is an offence to obtain access to personal data without the prior authority of the data controller by whom the data is kept and to disclose the data to another person.

The private investigator allegedly obtained the information from a Detective, and member of the Garda, and used the information to provide

Continue Reading Private Investigator fined €5,000 for unlawfully obtaining personal data

Great day today attending the Health Informatics Society of Ireland 2014 Annual Conference.  In our Data Protection for Healthcare workshop together with Sarah Reade, Lead ICT Project Manager, Saint John of God Hospitaller Ministries and Jim Gregg, Irish Computer Society, we had a lively discussion on the data protection challenges faced by medical practitioners in the context of research and access requests. Continue Reading Health Informatics Society of Ireland 2014 Annual Conference

A recent ruling by the Employment Appeals Tribunal (EAT) highlights, once again, the issue of improper use of e-mail and internet at work.

A Dublin firm sacked a sales representative after she went through the private email account of her line manager.  However the EAT held that, in the circumstances, the claimant’s dismissal was a disproportionate sanction and awarded her €15,000.Continue Reading EAT awards €15,000 to woman dismissed for printing her manager’s emails

Apple Pay: an Introduction

One of the most exciting elements of the Apple iPhone 6 launch in September was the announcement by Apple of the Apple Pay feature. Apple Pay is a near field communication (NFC) based mobile payment system that comes pre-installed on the iPhone 6. NFC technology involves a short-range, low power wireless link evolved from radio-frequency identification technology that can transfer small amounts of data between two devices held a few centimetres from each other. It is the same technology that is behind the ‘tap and pay’ debit cards that have been rolled out by Irish banks in the last number of years.

While Apple Pay was launched with the iPhone 6 in the US, it has not yet been rolled out in Europe with rumours predicting an Apple Pay European launch in 2015.

It is clear that Apple Pay has the potential to be a ground breaking technology that may change the way that consumers use their phones and, indeed, how consumers pay for goods and services.Continue Reading Apple Pay – Challenges and Solutions

In Atkinson v Community Gateway Association UKEAT/0457/12, the UK EAT held that accessing an employee’s emails, in the course of a disciplinary investigation into the employee’s conduct, did not amount to an unjustified interference with the employee’s private life. The employee did not have a reasonable expectation of privacy, in circumstances where he had sent emails from his work account in breach of the email policy, which he himself had drafted, and was responsible for enforcing. In addition, the emails were not marked “personal/private”.Continue Reading Tribunal rules employee did not have a reasonable expectation of privacy in regard to his work emails

Bray District Court, yesterday, fined a firm of private investigators, and its two directors, €10,500 for unlawfully obtaining personal data.  The court found that the directors had used ‘subterfuge’ to unlawfully obtain the addresses of credit union clients in arrears. The directors posed as a VEC and hospital worker to obtain the information, via telephone calls, from employees at the Department of Social Protection (seven cases), and the Health Services Authority (HSE) (sixteen cases).Continue Reading Private Investigators fined €10,500 for unlawfully obtaining personal data

The Office of the Data Protection Commissioner (ODPC) recently released the results of the second Global Privacy Sweep. Twenty-six privacy enforcement authorities, including Ireland, participated in the Sweep, which examined 1,211 apps. The theme of the Sweep, Mobile Privacy, was chosen due to many privacy enforcement authorities having identified mobile apps as a key area of focus in light of the privacy implications for customers.Continue Reading Mobile Apps – Results of Global Privacy Sweep raise privacy concerns

The Article 29 Working Party (WP29), an independent European advisory on data protection and privacy, has published a statement in which it welcomes the ruling of the CJEU, of 8 April 2014, which invalidates the Data Retention Directive (2006/24/EC).  The CJEU found that the Directive entails a wide-ranging and particularly serious interference with the fundamental rights to privacy and to the protection of personal data, and fails to sufficiently circumscribe such interference to ensure that it is limited to what is strictly necessary for the purpose of fighting serious crime, thereby leaving it too open for Member States

Continue Reading Working Party publishes statement on CJEU ruling which invalidates Data Retention Directive

The CJEU in Joined Cases C-141/12 and C-372/12 has clarified the scope of a data subject’s right of access to a copy of their personal data. The CJEU’s ruling may serve to lighten the burden of access requests on organisations. It confirms that the Data Protection Directive 1995 (the Directive) does not establish a right of access to any specific document or file in which personal data are listed or used, nor does it specify the material form in which personal data must be made accessible. Member States enjoy a margin of discretion to determine the form in which to make personal data accessible, so long as it is intelligible. Accordingly, the CJEU found that the Dutch authorities, in this case, had met their legal obligations under data protection law by extracting from the relevant documents the personal data relating to the data subject.Continue Reading CJEU clarifies scope of right of access to personal data

The High Court, in Schrems v Data Protection Commissioner, 18 June 2014, has referred questions arising to the Court of Justice of the European Union (the CJEU). Judge Hogan has adjourned the High Court proceedings pending the reference to the CJEU. 

The Judge is asking the CJEU to examine two questions:

(1) Whether, as a matter of EU law, the Data Protection Commissioner (the DPC) is absolutely bound by the finding of the European Commission as manifested in Decision 2000/250/EC (i.e. that the Safe Harbour regime provides adequate protection for personal data), having regard to the subsequent entry into force of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (which provide, respectively, for the right to respect for private and family life, and to protection of personal data) notwithstanding the provisions of Article 25(6) of the Data Protection Directive?


(2) Or alternatively, whether the DPC may conduct his own investigation of the matter in light of the factual developments since that Commission Decision was first published (i.e. the Snowden revelations that data and communications were being intercepted by the NSA on a global scale).


The case is due to be mentioned in the High Court in two weeks before the matter is sent to the CJEU.Continue Reading Irish High Court refers Facebook Privacy case to European Court