DPC (Ireland) - IN-20-1-3
DPC - IN-20-1-3 | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 32 GDPR Data Protection Act 2018 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 15.12.2022 |
Fine: | n/a |
Parties: | An Garda Síochána |
National Case Number/Name: | IN-20-1-3 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | Data Protection Commission (in EN) |
Initial Contributor: | Sainey Belle |
The Irish Data Protection Commission held that a branch of the national police service, An Garda Síochána, failed to implement adequate security measures, policies and procedures in respect of the processing of highly sensitive data.
English Summary
Facts
An Garda Síochána published a list containing the names and address of 108 data subjects, including vulnerable subjects and persons of interests in ongoing investigations on an Intelligence Bulletin board located in a room in the station, to which any person other than a police guard should not have had unaccompanied access. The room was accessed by a contractor who was undertaking repair works at the An Garda Síochána station. The list, containing the personal data, was ultimately shared on social media.
Holding
1. As the data was concerning ongoing investigations and included the data of vulnerable subjects, the Commission considered it to be highly sensitive. 2. There was an absence of specific policies and procedures and security measures in relation to breach in An Garda Síochána’s processing of personal data, such that they failed to satisfy the requirements of sections Article 32 GDPR (as implemented in Article 72(1), 75 and 78, and by extension 71(1)(f) of the Irish Data Protection Act 2018). 3. A failure to undertake a risk assessment prior to the commencement of processing on the Intelligence Bulletin, in order to determine the appropriateness of security measures in relation to the harm that might result from the processing. 4. An Garda Síochána did not demonstrate or indicate that any pre-breach assessment was conducted pursuant to its role as a Controller of data. 5. In circumstances where the personal data processed on the Intelligence Bulletin concerned ongoing investigations and the personal data of vulnerable data subjects, a finding that the nature of that personal data was highly sensitive.
As part of the remediate actions, An Garda Síochána was reprimanded and ordered to bring its processing up to the standard provided by the GDPR with regard to the security of the Intelligence Bulletin through the network of police stations throughout Ireland.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.