Data Protection Update

by Killian O'Reilly

Last year, the Data Protection Commissioner was involved in two cases of note which highlight the provisions that companies are now required to abide by. The first related to CCTV footage of an accident on a Dublin Bus. The second related to the failure to protect personal data held on laptop computers.

Margaret McGarr fell on a Dublin Bus in October 2008 and the incident was captured on the CCTV footage system in the bus. After legal proceedings had been issued, the Solicitors representing Dublin Bus informed the Plaintiff’s Solicitors of the existence of the CCTV footage and invited her to view it. The Plaintiff’s lawyers then sought a copy of the footage and other material under the Data Protection legislation. That request was refused by Dublin Bus which claimed that the footage had been prepared in contemplation of litigation and, on that basis, attracted the protection of legal professional privilege. The matter was referred to the Data Protection Commissioner who ruled that Dublin Bus was required to provide the Plaintiff with a copy of the footage. Dublin Bus appealed that decision to Dublin Circuit Court where Judge Linnane agreed with the Commissioner and ordered Dublin Bus to hand over the footage.

Dublin Bus again appealed that decision to the High Court on a point of law. It asked the High Court to decide whether the legislation required a party holding Data (as defined under the legislation) to provide it to another party who was suing it. The High Court decided that Dublin Bus had “not raised a point of law giving rise to grounds for overturning Judge Linnane’s decision” and the appeal was dismissed. In other words, the High Court held that just because party A is suing party B, that does not relieve Party B of its obligations to party A under the Data Protection legislation.

In another case late last year, the Commissioner brought a legal action against Eircom and two subsidiaries for their failure to encrypt two computer laptops which were stolen and for then waiting for more than one month before notifying the Commissioner’s office and those customers who may have been affected by the breach.

There is a specific Statutory Instrument which imposes certain requirements on providers of electronic communication services (SI 336/2011). The theft of the laptops potentially affected over 10,000 customers and included their personal and banking details.

Under the legislation, Eircom was required to notify the breach to the customers who had potentially been impacted and the Data Protection Officer “without undue delay”. The Commissioner considered that “without undue delay” meant notifying his office and the customers within two workings days. Ultimately, Eircom made a contribution of €15,000 to charity and the charges in Dublin District Court were dismissed.

What both of these legal cases demonstrate is that the obligations on Data Controllers under the Data Protection legislation are often clear and unambiguous. The Commissioner’s office has shown that it will not shirk from its responsibilities in holding Data Controllers to account.

If you require any further detail or advice, please contact Killian O'Reilly in O’Rourke Reid
Dial: +353 1 240 1209

This document is for information purposes only and does not purport to represent legal advice.  
© O’Rourke Reid 2013