February 2019

Created with Sketch.

February 2019

The Institute of Legal Research & Standards






On the 28thFebruary the new Data Protection Commission launched its first annual report since the introduction of the GDPR covering the period 25 May 2018 to 31 December 2018.

The report states the total number of complaints received was 2,864 with the largest single category being “Access Rights” and there were 3,542 valid security breaches recorded with the largest single category being “Unauthorised Disclosures”.

Complaints received by the DPC have increased by 56% from 2017 to 2018 and reports of valid security breaches have increased by 70% from 2017 to 2018.

The report contains chapters on (1) Roles and Responsibilities of the New Data Protection Commission, (2) Review 25 May – 31 December 2018 (3) Complaints (4) Data Breach Notifications (5) Information and Assessment Unit (6) Special Investigations (7) Technology Multinational Supervision (8) Technology Leadership (9) Consultations (10) Legal Affairs detailing 5 prosecution case studies and 2 judgements (11) Binding Corporate Rules (12) EU and International (13) Communications (14) DPC Consultation on “Children” and “Regulatory Strategy” (15) DPC’s operational effectiveness and strategic perspective and (16) Corporate Affairs.

The report also contains 19 case studies.

To read the report in full see https://www.dataprotection.ie/sites/default/files/uploads/2019-02/DPC%20Annual%20Report%2025%20May%20-%2031%20December%202018.pdf



In this month’s Gazette the Technology Committee and the Guidance and Ethics Committee advise they have issued a practice note on data retention and destruction of hard and soft copy files.


The practice note repeats and revises the positions as stated in the 2005 practice note in relation to the periods of retention following the completion of a transaction and deals with the deletion of a file.


The Committees state it is worth explaining to your client at the outset that your firm has a retention policy in place – this can be set out in your firm’s written terms and conditions or clients can be advised about the existence of the retention policy via an online privacy policy.


The practice note will be published in full in the March edition of the Gazette.  To view the current article of the Committees see https://www.lawsociety.ie/globalassets/documents/gazette/gazette-pdfs/gazette-2019/janfeb-2019-gazette.pdf#page=20and also see the practice notes section of the Law Society website.



In this month’s Gazette, Terry McAdam writes an article on GDPR and how firms should carry out a Data Protection Health Check review.  He states when individuals are choosing a service provider, they look to see how personal data is safeguarded and he states there is a demand from clients for the following: –

“          To ensure the organisation is appropriately complying with its current data protection     obligations,

To identify opportunities to optimise the efficiency and effectiveness of the activities       that underpin such ongoing compliance, and

To ensure the level of resources applied to achieving compliance is appropriate.”

In carrying out a Data Protection Health Check review firms should look at the following: –

DATA PROTECTION POLICIES – Key policies include Data Retention, Data Subject Request Management & Data Breach Management.

DATA SUBJECT REQUESTS – He states “within the context of a legal practice, it is particularly important that those charged with managing data-subject requests are equally aware of the data they must provide to data subjects and, where applicable exemptions exist, to allow such requests to be rejected (or partially complied with) so as to not compromise future legal proceedings.”

DATA BREACH MANAGEMENT – Effective internal processes need to be in place due to the short timeframe within which a data breach needs to be reported to the DPC and he states sharing real life summaries with staff boosts awareness.

DATA-PROCESSING DOCUMENTS – “Normally, the sharing of personal data between a legal practice and its client will be governed by a letter of engagement. There are also other scenarios where firms will need to share such personal data with other organisations. Typically, such scenarios are governed by either data-sharing or data-processing agreements. The latter usually overseeing scenarios where data is being shared with a contracted provider to allow the delivery of services to the legal practice in line with agreed specifications or instructions. Data-sharing agreements, while similar in nature, relate to the sharing of data with a party that will act as a data controller in parallel with the legal practice – for instance, another legal firm or a professional expert.”

To read this article in full see https://www.lawsociety.ie/globalassets/documents/gazette/gazette-pdfs/gazette-2019/janfeb-2019-gazette.pdf#page=35


The Data Protection Commission’s newly launched annual report contains 19 case studies.  The following detail two instances where Data Breaches occurred.


Data Breach Case Study 9 refers to the failure to implement data protection policies which were in place. An employee of a public sector data controller lost an unencrypted USB device containing personal data belonging to colleagues and service users.  Whilst the data controller had a policy and procedures in place regarding the use of USB and encrypted devices, the data controller lacked the appropriate oversight and supervision necessary to ensure that the rules were complied with.  The employee was not aware of the policy relating to the uses of the encrypted device and this breach could have been avoided had the public body fully implemented the policy and made staff aware of it.


Data Breach Case Study 12 refers to the loss of legal hard copy files containing special-category personal data in transit.  A public body, data controller contracted a courier company to transport files to another department and the files went missing in transit.  It transpired the controller did not retain backups of these original files resulting in the loss of personal data nor did it have sufficient procedures in place for the secure removal and storage of same.  This breach could have been prevented had the organisation implemented more secure measures taking into account the requirements and inherent risks involved in transporting hard copy files containing special-category personal data.


To view other case studies see https://www.dataprotection.ie/sites/default/files/uploads/2019-02/DPC%20Annual%20Report%2025%20May%20-%2031%20December%202018.pdf



The DPC this month issued a guidance note on transfers of personal data from Ireland to the UK in the Event of the “No-Deal Brexit”.   See https://dataprotection.ie/en/organisations/international-transfers/guidance-tranfers-personal-data-ireland-uk-event-no-deal

This month the CRO looks at planning for Brexit if the UK leave the European Union without a deal in place for companies who only have UK resident directors and the need to comply with section 137 of the Companies Act 2014.

To read in full see https://www.cro.ie/About-CRO/Contact-Us/Whats-New



On the 15thFebruary Revenue issued eBrief No. 22/19 which deals with changes made to the Employers’ Guide to PAYE to reflect the following changes which were effective from 1 January this year.  The changes made are as follows: –

  • Page 30: guidance in relation to Standard Capital Superannuation Benefit (SCSB) relief.
  • Page 38: guidance on how to make a payroll submission where an employee holds a PAYE Exclusion Order.
  • Page 39: guidance on how to make a payroll submission where an employee holds a PRSI exemption.
  • Page 55: correction of the 2018 USC rates.
  • Page 60: guidance on how to report a post-cessation payment relating to 2018 or prior years.
  • Page 128: new procedures for agents relating to ROS Inbox Notifications.
  • Page 135: introduction of a Revenue assessment from 1 January 2019.”


To view the eBrief and the Employers’ Guide to PAYE see https://www.revenue.ie/en/tax-professionals/ebrief/2019/no-0222019.aspx



The Information Commissioners Office in the UK details a case where a former senior local government officer was prosecuted for passing personal information of nine rival shortlisted job applicants to his partner.  This personal information included the candidates name, address, telephone number, CV and contact details of the referees which was against the law.

The 60-year-old government officer resigned and admitted to the court that he unlawfully shared data in breach of s55 of the DPA 1988 and he was fined £660 and also ordered to pay £713.75 costs and victim surcharge of £66.

His partner who had initially been successful, had her employment terminated because she had had been appointed based on an invalid recruitment process.

Steve Eckersley, Director of Investigations at the Information Commissioner’s Office, which brought the prosecution, said:

“People who supply their personal information to an organisation in good faith, such as when applying for a job, have a legal right to expect it will be treated lawfully and ethically.

‘Not respecting people’s legal right to privacy can have serious consequences, as this case demonstrates. Not only might you face a prosecution and fine, along with the attendant publicity, but you may also lose your job and severely damage your future career prospects.’”

To read the article in full see https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/02/former-council-officer-fined-for-emailing-cvs-of-rival-job-applicants-to-his-partner/