In Ireland, the Data Protection Commissioner has issued a reprimand to an employee relations firm after personal information that had been mailed to the Personal Injuries Assessment Board (PIAB) was intercepted in transit.
PIAB, the State body that dictates personal injury claims awards, had hired the consultancy firm to conduct an investigation on the board’s behalf during May 2019.
The GDPR breach that led to the reprimand occurred in September 2019, when the consultancy firm mailed copies of appendices to its six final reports, including private data, to PIAB. It did so even though the board had warned it not to.
In a subsequent investigation into the breach, the DPC cleared PIAB of any data breaches of its own. The group took possession of the hard copy of the final report at the start of October 2019.
When asked whether it had received both the appendices and the reports, PIAB confirmed that it had the reports and said “we do not require e-appendices or any further documentation to be forwarded to us”.
Despite this, the company sent the appendices to PIAB on a USB key almost two months later, accompanied by a covering letter. However, when the envelope arrived at PIAB, it was discovered that the envelope had been damaged and the USB key was missing.
The consultancy group confirmed to the DPC that it had used neither registered post nor a secure envelope for the delivery. It also confirmed that the files on the USB device had not been encrypted. The consultancy firm, which was not named in the DPC ruling, said the files were too big to be sent by email. It added that, since the breach, the group had “learned more about encryption technology” and was currently configuring it for inclusion in its processes.
A formal reprimand was issued by the DPC. However, there was no fine; it was deemed that the “risk of damage to data subjects was low to moderate”.