DPC (Ireland) - IN-20-1-3

From GDPRhub
Revision as of 10:12, 28 February 2023 by 213.142.96.207 (talk) (re-structuring)
DPC - IN-20-1-3
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 32 GDPR
Data Protection Act 2018
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 15.12.2022
Fine: n/a
Parties: An Garda Síochána
National Case Number/Name: IN-20-1-3
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Sainey Belle

The Irish Data Protection Commission held that a branch of the national police service, An Garda Síochána, failed to implement adequate security measures, policies and procedures in respect of the processing of highly sensitive data.

English Summary

Facts

In this case the controller, An Garda Síochána, a branch of the Irish national police service, published a list containing the names and addresses of 108 data subjects, including vulnerable subjects and persons of interest in ongoing investigations, on an Intelligence Bulletin board. The board was located in a room in the police station to which no one other than a police guard should have had unaccompanied access. The room was accessed by a contractor who was undertaking repair works at the An Garda Síochána station. The list, containing the personal data, was ultimately shared on social media.

Holding

The Irish DPA investigated the complaint, seeking to determine whether infringements of Articles 71(1)(f), 72(1), 75 and 78 GDPR had occurred.


The DPA held that, firstly, there was an absence of specific policies, procedures and security measures in relation to breach in An Garda Síochána’s processing of personal data, such that it failed to satisfy the requirements of Article 32 GDPR (as implemented in Articles 72(1), 75 and 78, and by extension 71(1)(f), of the Irish Data Protection Act 2018). Secondly, there was also an absence of specific security measures in place at the time of the breach relating to the circumstances of the breach, which resulted in the failure of An Garda Síochána to implement a level of security appropriate to the harm that might result from its processing of personal data. Thirdly, the authority observed a failure to undertake a risk assessment prior to the commencement of processing on the Intelligence Bulletin, in order to determine the appropriateness of security measures in relation to the harm that might result from the processing. Fourth, An Garda Síochána did not demonstrate or indicate that any pre-breach assessment was conducted pursuant to its role as a controller of personal data (Article 78(a)-(g) GDPR). Fifth, and finally, as the data in question concerned ongoing investigations and included the data of vulnerable subjects, the DPA considered it to be highly sensitive.


As part of the remedial actions, An Garda Síochána was reprimanded in respect of the above infringements and ordered to bring its processing up to the standard required by the GDPR with regard to the security of Intelligence Bulletins throughout the network of police stations in Ireland.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.