In a turn up for the books the Irish Data Protection Commission (DPC) is being investigated for possible General Data Protection Regulation breaches in relation to the body’s data protection officer being prevented from successfully completing their work.
Article 80 of GDPR states that it is permissible for a person to nominate a not-for-profit body acting in the public interest to lodge a complaint with a national regulator where he or she alleges infringements of their rights under the EU law. Along with this, GDPR also permits not-for-profit bodies to seek “an effective judicial remedy” on behalf of such complainants, where they believe their rights have been infringed.
Using Article 80 Digital Rights Ireland, on behalf of technology journalist and Irish Times columnist Karlin Lillington, submitted the complaint. Digital Rights Ireland is a data privacy advocacy group.
The group submitted the complaint following revelations that the secretary general of the Department of Employment Affairs and Social Protection directed that amendments be made to to the department’s online privacy policy to delete a reference to its collection of people’s biometric data. This decision was taken after the Department of Social Protection made repeated denials that it processed biometric data in relation to the public services card, even though it stores over three million photographs Public Services card holders on its databases.
The data protection officer was on annual leave in August when the amendments were enacted. A Freedom of Information request The changes were made when and records obtained under the Freedom of Information Acts showed that the officer stated he would not have agreed to the amendments and he had no prior knowledge to them.
A senior investigator with the Data Protection Commission replied, in a statement released in response to the complaint on November 23rd, said that “we consider that potential breaches of the GDPR have been highlighted”. It went on to say that the commission said it was “making enquiries into this matter” with the department and would provide an update soon. This is despite claims, last Wednesday that the Department of Social Protection remains “unaware” of any ongoing investigation into the incident in question.
Under GDPR, which was introduced by the European Union on May 25 this year, the data protection officer must be independent and an organisation employing one is not permitted to give them any instructions regarding their duties.
In most cases, the penalty for a company or organisation breaching GDPR legislation is 4% of annual global revenue or €20m, whichever figure is higher. However, privacy legislation enacted by the Irish Government has restricted any possible to €1 million.