Irish Government Department Probed in Possible GDPR Breach

December 7, 2018


In a turn up for the books, the Irish Data Protection Commission (DPC) is being probed for possible General Data Protection Regulation breaches in relation to the body’s data safety officers being prohibited from successfully finishing their work.

Article 80 of GDPR states that it is allowable for an individual to appoint a not-for-profit organization acting in the public interest to lodge a grievance with a national watchdog where he or she charges violations of their privileges under the EU rule. Together with this, GDPR also allows not-for-profit organizations to seek “an effective legal solution” on behalf of such complainants, where they think their rights have been infringed.

Using Article 80 Digital Rights Ireland, on behalf of technology reporter and Irish Times writer Karlin Lillington, submitted the grievance. Digital Rights Ireland is a data secrecy support group.

The group submitted the grievance after disclosures that the secretary general of the Division of Employment Affairs and Social Defense ordered that changes be made to the division’s online secrecy policy to remove a reference to its collection of folks’ biometric data. This decision was taken after the Division of Social Protection made recurrent refusals that it treated biometric data in relation to the public services card, although it saves more than three million pictures of Public Services card holders on its databases.

The data safety officer was on yearly leave in August when the amendments were legislated. A Freedom of Information request. The modifications were made and records obtained under the Freedom of Information Acts disclosed that the officer stated he would not have agreed to the modifications and he had no prior knowledge to them.

A senior examiner with the Data Protection Commission responded, in a statement issued in reply to the grievance on November 23rd, said that “We think that possible breaches of the GDPR have been emphasized”. It went on to say that the commission said it was “making investigations into this matter” with the division and would provide an update soon. This is in spite of claims, last Wednesday that the Division of Social Protection remains “ignorant” of an ongoing inquiry into the incident in question.

Under GDPR, which was launched by the EU on May 25 this year, the data protection officer should be independent and an organization hiring one is not allowed to give them any directions concerning their responsibilities.

In most cases, the fine for a company or organization breaching GDPR rule is 4% of yearly international income or €20m, whichever figure is higher. However, privacy law passed by the Irish Government has limited any possibility to €1 million.