DPC (Ireland) - IN-20-1-3

From GDPRhub
DPC - IN-20-1-3
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 32 GDPR
Article 6 GDPR
Data Protection Act 2018
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 15.12.2022
Fine: n/a
Parties: An Garda Síochána
National Case Number/Name: IN-20-1-3
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Sainey Belle

The Irish DPC held that a branch of the national police service, An Garda Síochána, failed to implement adequate security measures, policies and procedures in respect of the processing of highly sensitive data. This information was displayed on a bulletin board in a police station and, after being accessed by an independent contractor, ended up on social media.

English Summary

Facts

In this case the controller 'An Garda Síochána', a branch of the Irish national police service, displayed the details of an ongoing investigation on a bulletin board in one of their police stations. This information included a list containing the names and address of 108 data subjects, including vulnerable subjects and persons of interests in ongoing investigations. No individual, other than a police guard, should have had unaccompanied access to the room. A contractor who was undertaking repair works at the An Garda Síochána station entered the room unaccompanied. The list, containing the personal data, was ultimately shared on social media.

Holding

Following an investigation the DPA held that, firstly, there was an absence of specific policies, procedures and security measures in relation to data breaches in An Garda Síochána’s processing of personal data. Secondly, there was also an absence of specific security measures in place at the time of the breach relating to the circumstances of the breach, which resulted in the failure of An Garda Síochána to implement a level of security appropriate to the harm that might result from An Garda Síochána's processing of personal data. Thirdly, the authority observed a failure to undertake a risk assessment prior to the commencement of processing on the Intelligence Bulletin, in order to determine the appropriateness of security measures in relation to the harm that might result from the processing. Fourth, An Garda Síochána did not demonstrate or indicate that any pre-breach assessment was conducted pursuant to its role as a controller of personal data. Fifth, and finally, as the data in question concerned ongoing investigations and included the data of vulnerable subjects, the DPA considered it to be highly sensitive.

In light of the above, the DPA found that the controller failed to satisfy the principle of integrity and confidentiality in Article 6(1)(f) GDPR and the requirements of Article 32 GDPR (as implemented in Article 72(1), 75 and 78, and by extension 71(1)(f) of the Irish Data Protection Act 2018). As part of the remediate actions, An Garda Síochána was reprimanded in respect of the above infringements, and ordered to bring its processing up to the standard required by the GDPR with regard to the security of Intelligence Bulletins throughout the network of police stations in Ireland.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.