Tag Archives: Data Protection

Graham Dwyer leaving Dun Laoghaire Courthouse on September 18, 2013 after being charged with the murder of Elaine O’Hara

This morning/afternoon.

The Supreme Court is to make orders upholding Graham Dwyer’s successful High Court challenge to Ireland’s data retention laws and dismissing an appeal by the State.

The court confirmed a European ruling that Ireland’s data legislation breaches EU law and this decision must apply to past as well as future cases.

Via Independent.ie:

Confirmation of the decision came from Chief Justice Donal O’Donnell after a lawyer for the State said it had no objection to the orders being made.

It means the Supreme Court will not have to reconvene for any further hearing in the matter and will simply issue the orders.

Foxrock architect Dwyer, who is serving a life sentence for the murder of childcare worker Elaine O’Hara, plans to use the ruling to bolster a separate challenge he has taken against his conviction.

….If the Court of Appeal finds that the data evidence should have been excluded from his trial, it will have to weigh up whether there was enough other evidence to prove the case against Dwyer.

Graham Dwyer case: Supreme Court will dismiss State appeal against data ruling (Independent.ie)

Previously: Unjustifiable Breach


From top: today’s Irish Daily Mail; HSE CEO Paul Reid and Anne O’Connor, Chief Operations Officer, HSE at Dr Steevens’ Hospital for the weekly HSE operational update this afternoon

This afternoon.

HSE briefing at Dr Steevens’ Hospital, Dublin.

HSE CEO Paul Reid addressed an Irish Daily Mail report this morning from a whistleblower who claims thousands of people who had been vaccinated have had their personal data compromised.

The whistleblower said IT system being used by the HSE was compromised and patients’ confidential data was accessible.


In relation to a Irish Daily Mail report, Paul Reid said they have ongoing discussions with the data protection commissioner.

He said the first stage is the Data Protection Impact Assessment (DPIA) which would have been a similar process they worked through in relation to testing and tracing – what levels of access for data, what levels of controls.

He said it was similar in terms of deployment of the IT system for the vaccine rollout. As part of that, he said there are different phases of control processes, and processes for deployment of that system.

“It’s a national system because there are people going into various locations – hospital groups, community organisations, vaccination centres – they’re not from a particular hospital or community organisation. So we always envisaged the processes were always defined that it would be a national view in the first instance.”

He said that when they move to vaccination centres, it’s expected the control view will be who is to be administered in that centre. Right now it is on a national basis, he said, and control processes are around as people are administered onto the system .

He said he is not aware of the case reported in the Daily Mail.



Latest Covid-19 briefing from the HSE (RTÉ)

Thousands have highly personal details exposed in COVID-19 vaccine data breach (Extra.ie)


From top: Johnny Ryan, Of the Irish Council for Civil Liberties; Helen Dixon, Ireland’s Data Protection Commissioner: A video explaining Real-Time Bidding (RTB)  and ‘the biggest data breach in history’

This morning.

Google and several data brokers are violating the EU’s privacy rules by harvesting people’s personal information to build highly detailed online profiles including some firms’ collection of information on sexual orientation, health status and religious beliefs, according to a report published today.

Via PIltico.eu

The accusations — from Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, an NGO — come 18 months after Ireland’s privacy regulator began a probe into how Google collects and shares people’s online information for its advertising business.

Several other European data protection authorities subsequently received separate complaints into so-called real-time bidding (RTB), a system by which advertisers use data to target people with paid-for messages when they surf the web.

Ryan said the real-time bidding system, which broadcasted web users’ online behavior and habits to multiple advertising companies and data brokers, infringed on the region’s privacy rules that required data to be kept secure and used proportionately.

The [Irish Data Protection] Commission has failed to stop that ongoing biggest data breach in history and as a consequence people across Europe and in Ireland are exposed to intimate profiling including of health conditions and political views and location over time, because the RTB system leaks that data into the data broker market,” he told POLITICO.

Google and data brokers accused of illegally collecting people’s data: report (Politico.eu)


Solicitor Simon McGarr

This afternoon.

The European Court of Justice yesterday ruled that Privacy Shield, the EU-US data protection agreement, is invalid.

The case was referred by  the Irish High Court after a 2015 complaint to the Data Protection Commissioner made by Austrian privacy activist Max Schrems.

Solicitor Simon McGarr, who represented Digital Rights Ireland in the early parts of Schrems case, writes:

The case resulted in a decision on two different legal mechanisms for sending personal data from the EU to the US – the EU-US Privacy Shield and the general-usage Standard Contractual Clauses.

Privacy Shield was always basically farcical and it’s an embarrassment that it was allowed to linger as long as it did.

But the Standard Contractual Clauses element of the case is where the long-term consequences are going to come into play.

Basically, now you can’t just sign a contract and have both sides promise to be good. Now, you have to look at the legal systems the parties live under to see if that contract can really be held to.

This is particularly significant for transfers of personal data to the US, which hasn’t followed the EU and a good chunk of the world in accepting that data protection is a human right, and whose hunger for mass-surveillance data from its tech companies was revealed by the Snowden revelations.

As the Irish DPC said after the ruling, utilising much of the nation’s store of understatement as they spoke, “it is clear that, in practice, the application of the SCCs transfer mechanism to transfers of personal data to the United States is now questionable.”

All of the bromides and reassurance statements coming from the US and the EU Commission during the day was the sound of losers, who had lost, not wanting to admit just how bad their loss was. [more at link below]

What is this Schrems judgment about? (Simon McGarr)

Yesterday: ‘This Is A Total Blow To The Irish DPC And Facebook’


From top: Independent TD Denis Naughten; Chief Medical Officer Dr Tony Holohan; HSE CEO Paul Reid; Sinn Féin TD Matt Carthy

Yesterday afternoon.

Chief Medical Officer at the Department of Health Dr Tony Holohan told the Special Committee on Covid-19 Response:

“We have had reports of employers receiving results in respect of individual patients, that’s a breach of confidentiality. Full stop.”

It followed claims about the practice made in the Dáil last week by Independent TD Denis Naughten while he was asking the Minister for Health Simon Harris about Covid-19 infection rates at meat plants.

During his contribution, Mr Naughten said:

“It has happened in a number of instances across the country.”

At the time, Mr Harris told the Dáil that he couldn’t speak to the claims because he didn’t know any details about Mr Naughten’s claims.

Yesterday morning, RTÉ’s Fran McNulty reported that Mr Naughten’s claims had since been confirmed in a letter the TD received from the minister. He also reported that the Data Protection Commissioner said such a practice was not legitimate.

Later in the afternoon, CEO of the HSE Paul Reid addressed the committee and he was also asked about the practice. Mr Reid said “there is one case that we know of”.

He had this exchange with Sinn Féin TD Matt Carthy:

Paul Reid: “There is one case that we know of where the employer was notified of a significant number of positive cases and that is at the discretion of the public health official and the judgment he or she makes…”

Matt Carthy: “Does Mr Reid agree with what Dr Holohan said earlier on? I think his words were that this practice would clearly breach patient confidentiality. Does Mr Reid not agree with that?”

Reid: “The way we want to do this is directly through the GP and the individual. That is the route we have taken throughout this process.”

“There are exceptional cases where public health officials have a responsibility and have a derogation in terms of managing a major outbreak. That would be a responsibility that they take in extremely exceptional cases such as in a pandemic or a major outbreak.”

Carthy: “We are in a pandemic. Does that mean that the derogation, as defined, applies to anybody?”

Reid: “No, it would not because throughout the vast ultimate majority of all of the cases we have tested the result is communicated back through the GP to the individual. That is our process. That is the way it works.

Carthy: “Does Mr Reid stand over the position whereby, in some instances, employers are informed about their workers’ health before the workers themselves?”

Reid: “No. Ultimately, that is not the way we want to see this done. We want to see it done directly through the individuals in the first instance. That is exactly the way we want to see it done. That is the way we have done it throughout this process.”

Carthy:Are you going to work to stop it then?

Reid:The deputy specifically asked me about a case, the details of which I do not have but have been trying to get since this morning. I will get it. The Deputy specifically asked me about a case of a plant or a particular organisation, which I understand was on public health terms, the way that was managed, in the exceptional pandemic situation.”

Last night the HSE announced that the practice of informing employers about employees’ test results would be suspended.

In addition, Mr Naughten also tweeted about the unfolding story after Mr Reid said he was aware of one case…



HSE to suspend practice of telling employers workers’ test results (RTÉ)

Previously: The Last To Know

Finding Out In The Worst Way

Data Protection Commissioner Helen Dixon; Labour TD Alan Kelly

This morning.

The Data Protection Commissioner Helen Dixon is fielding many questions about the Public Services Card at a meeting of the Public Accounts Committee.

But separate to the Public Services Card, and in response to a question from Labour TD Alan Kelly, Ms Dixon told the committee that, in terms of the supervision and enforcement of data protection law, Irish taxpayers will incur costs for having multi-nationals headquartered in Ireland.

Ms Dixon said:

“Once the Irish DPC [Data Protection Commissioner] starts administering fines and sanctions on companies, there has been a debate about whether all of that goes to the Irish Exchequer and whether that isn’t shared across the EU member states.

“At the moment, it’s our understanding that it goes to the Irish Exchequer.

“So, already, there’s an opposite debate to the question you’re opening up which is that: well is that fair? If Ireland supervises most of these big tech companies and there are infringements and fines, does Ireland get to keep the fines? So that’s an open question that’s ben raised a number of times.

“In relation to the costs, I think it’s well possible that the Irish taxpayer will end up, by virtue of these companies being headquartered here, incurring costs.

“The Irish taxpayer has incurred costs already in relation to the case that you referenced that’s before the Court of Justice at the European Union on transfers of data because it arose from a complaint by Max Schrems against Facebook Ireland.

“Facebook Ireland being located here means that we are responsible.

“However, under this Co-operation and Consistency Mechanism that operates around the one-stop shop in the EU now, if there’s a dispute in relation to the findings that I make – so I’ve to circulate a draft decision in relation to any of these cases that concern multi-nationals to my fellow EU Data Protection authorities.

“And if ultimately they have a different view, that I can’t reconcile into my findings, I institute a dispute resolution mechanism before the European Data Protection Board and it may take over the decision making. And if a company affected by that decision disagrees with it, it takes an annulment action to the Court of Justice of the European Union.

“So, there will be a certain number of cases that may end up being taken out of Ireland’s hands because of disagreement between data protection authorities and the European Data Protection Board will then have to bear the cost for defending those cases before the CJU.

“But, undoubtedly, the effect of having the multi-nationals headquartered in Ireland is going to give rise to costs for Ireland in terms of the supervision and enforcement of data protection law.”

Watch the proceedings live here

Screen Shot 2015-05-26 at 10.54.51

Former Federal Data Commissioner in Germany, Peter Schaar

“Former Federal Data Commissioner in Germany, Peter Schaar, says that it isn’t for tax reasons why Facebook has chosen to locate their EU headquarters in Ireland, but rather it’s for our relaxed data protection laws.”

“Speaking to The International New York Times, Schaar said that while Ireland had attracted companies like Google, Facebook, LinkedIn and Apple, it is Ireland’s loose interpretations of data protection law that is most appealing to them.”

Of course Facebook would go to a country with the lowest levels of data protection. It’s natural they would choose Ireland,” Schaar told the New York Times.”


“Of course Facebook would go to a country with the lowest levels of data protection” (Newstalk)

Who’s the Watchdog? In Europe, the Answer Is Complicated (Mark Scott, International New York Times)

Pic: GMX Newsroom


How safe is YOUR sensitive information.

Nikkeboentje writes:

I recently  discovered that Irish Life started sending letters to my old address (I have not lived there since September 2010). I believe this started around April 2014.

The letters included half yearly statements and other financial information of investments that I have with Irish Life. It is information that I don’t really want anyone to know about, especially not the tenants who are now living in my house.

Anyway, I asked Irish Life to make a formal investigation of why this happened (they were not aware of the issue until I notified them) and if it was necessary to inform the Data Protection Commissioner. They said that their compliance team would be looking into it.

After several weeks, I was told that it was a system error when they updated software. They did not tell me how many other clients were affected but they said that I was not the only one. They also said that they would notify the Data Protection Commissioner.

I contacted the Data Protection Commissioner’s office directly to ensure that the breach had been reported…it had NOT been. So, the Data Protection Commissioner’s office contacted Irish Life.

I had an update from the Data Protection Commissioner’s office to day and what REALLY surprised me is that they have no power to prosecute or penalise financial institutions over a breach of data protection (I am not referring to my personal issue but generally).

If a financial institution sent the wrong letters (containing sensitive information) to hundreds or thousands of clients, they cannot be punished under the current legislation. However, if I received an unsolicited text message from a financial institution, then they could be fined €5,000.

It shocked me a bit to think that there is currently no penalty for companies who have a serious breach of data protection (again I am not referring to my little incident but more generally).



Screen Shot 2014-09-08 at 10.23.40


Also: Um.

IN FULL: Data Protection Notice (IrishWater)

Thanks Annie West


Alan writes:

You will notice from here that Irish Water is NOT authorised to use PPS numbers. From the FAQ’s:

Q9. What do I do if someone who is not entitled to use the PPS Number asks me for it?
A9. If you believe that a person asking for your PPS Number is not entitled to do so, do not give them your number until you have contacted Client Identity Services of the Department of Social Protection, Social Wefare Services, Shannon Lodge, Carrick-on-Shannon, County Leitrim (Telephone 01-7043281) for advice. You can also email Client Identity Services at cis@welfare.ie.

I have emailed CIS and Irish Water about it this evening. You will notice on the link: “The legislation governing the allocation and use of the PPS Number is contained in the Social Welfare Consolidation Act 2005, the Social Welfare and Pensions Act 2007 and the Social Welfare and Pensions Act 2010. Only Specified Bodies named in the above Social Welfare Acts can use the PPS Number.”

I could be wrong, but I don’t believe that any Social Welfare act was passed this year to allow Irish Water use PPS numbers.