More than 6,600 data security breaches were notified last year, the State’s data watchdog has said.
The Data Protection Commission (DPC) said that the most frequent cause of breaches was unauthorised disclosure, which accounted for 86 per cent of cases.
In its 2020 Annual Report, the DPC found that the number of breach notifications jumped by 10 per cent compared to 2019 figures.
Launching the report, Commissioner for Data Protection, Helen Dixon said that it handled 10,151 cases last year, up nine per cent on 2019 figures.
The figures revealed the DPC received 4,660 complaints under the GDPR last year.
The most frequent GDPR topics for queries and complaints continued to be access requests, fair-processing, disclosure, direct marketing and right to be forgotten delisting or removal requests.
Other agendas
A total of 4,476 complaints against organisations from individuals were resolved last year.
The complaints raised ranged from issues with securing access to their personal data from all types of organisations, to complaints about excessive personal data collection, to unauthorised and unnecessary disclosure of personal data to third parties.
Cases concerning employment law disputes continue to be heavily represented in the range of complaints received.
The DPC said that a “phenomenon” it continued to see last year was organisations and individuals attempting to misuse the GDPR to “obfuscate or pursue” other agendas.
An ongoing issue arises with organisations deleting CCTV footage after they are on notice of an access request for that footage
Commissioner for data protection, Helen Dixon said: “That said, there can be genuine confusion on the part of many as to how GDPR does and does not apply, and sometimes issues are just not black and white.
“Where inaccurate assertions circulate, whatever the reason or motivation, these will only be resolved over time as we call them out.
“As an example, an ongoing issue arises with organisations deleting CCTV footage after they are on notice of an access request for that footage claiming the GDPR requires them to delete it every seven days.”
The watchdog said over 35,000 contacts were received through the DPC’s information and assessment unit, including 10,000 telephone calls and 23,200 emails.
Ms Dixon said: “The progress the DPC has made in 2020 provides a solid platform on which to build across our enforcement and complaint-handling functions in particular.
“The GDPR must be understood as a project for the now, but equally for the longer term.
“The DPC intends to continue as a leader in its full implementation.”
Tusla breaches
It emerged in the report that, in April 2020, the DPC issued a decision in respect of an own-volition inquiry regarding three personal data breaches notified to the DPC by child welfare agency Tusla.
The breaches occurred when Tusla failed to redact documents when sharing them with third parties.
The first personal data breach occurred when Tusla unintentionally provided the father of two children in care with their foster carer’s address.
The second breach occurred when Tusla unintentionally provided an individual who was accused of child sexual abuse with the address of the child who made the complaint and with her mother’s telephone number.
The third breach occurred when Tusla unintentionally provided the grandmother of a child in care with the address and contact details of the child’s foster parents and the location of the child’s school.
The DPC also said it increased its staff members 145, while its budget increased to €16.9 million and to €19.1 million in 2021.
