The number of complaints made to the Office of the Data Protection Commissioner (ODPC) rose by 79% last year.

The ODPC's annual report for 2017 shows that there were 2,642 complaints lodged with the data regulator, up from 1,479 a year earlier.

Complaints about denied access to records made up more than half of the total amount, the commissioner said.

A record number of data breaches were also notified to the office, with 2,973 reported by organisations and members of the public.

This represented a 26% increase on the previous year, with the bulk of the breaches coming from the financial services sector.

However, the ODPC has warned that number is likely to increase this year, as the EU's General Data Protection Regulation (GDPR), which comes into force on 25 May, will introduce mandatory reporting for such breaches.

"Becoming compliant under the GDPR is far from a box-ticking exercise," wrote Commissioner Helen Dixon in the annual report.

"It will ultimately allow individuals greater control of the collection and processing of their data through a new modernised, harmonised EU legal order for data protection."

There were 21 complaints made by people seeking to exercise their so-called "Right to be forgotten", which is the right to have internet search results amended so that certain personal details are no longer listed in the results.

Of these six complaints were upheld, 12 were rejected and three are currently under investigation.

The ODPC's Special Investigations Unit continued its work in the private investigator sector resulting in several prosecutions.

It also opened investigations in the hospital sector on the processing of patient data, on Tusla (the Child and Family Agency) regarding the governance of personal data concerning child protection cases and on the Public Services Card of the Department of Employment and Social Protection.

There were 215 new complaints in relation to electronic direct marketing over the period, with 146 of those investigated and six prosecutions.

The ODPC also continued its investigation into the massive data breach at Yahoo, which saw the records of 500 million users of the internet service compromised in 2014.

A central aspect of that investigation, the ODPC says, concerns the extent to which Yahoo's Europe Middle East and Africa office in Dublin complied with its obligations to ensure that the processing of EU users' personal data by parent Yahoo Inc. was sufficiently secure.

Last year also saw a rise in the number of IT security compromises reported, with the number of notifications more than doubling from 23 cases in 2016 to 49 in 2017.

Cases such as these usually include ransomware and malware attacks, the report says.

Contact with multinationals

Contacts between the ODCP and large multinationals also continued during 2017.

For example, the report highlights how there was intensive engagement with WhatsApp and Facebook to ensure there continued to be no transfer of user data from the former to the latter for ads serving and product enhancement until the ODPC is satisfied that there is a lawful basis for doing so.

The ODPC also highlighted how problems with data protection in the public sector continue, but that must change under GDPR.

"Public bodies must be standard bearers for the highest standards of data protection, but unfortunately numerous historical examples have shown that government departments often struggle at least as much as private enterprises with compliance," Ms Dixon said.

"We believe it is essential therefore that they are subject to the full extent of the new regime."

The commissioner has previously criticised the government's Data Protection Bill 2018, which transposes GDPR into Irish law, because it does not allow public bodies to be fined for breaches in the same way as private ones.

In the report, the ODPC also calls on the Government to immediately prioritise the re-working of the existing legal framework for access to retained data.

"This will ensure that Ireland is compliant with the clear standards necessary for a modern system of access, built on a sound legal foundation that provides legitimacy by respecting the rights of citizens and features (amongst other things) stringent and specific judicial oversight, as well as effective avenues for redress for individuals whose rights or interests have been found to have been prejudiced," the commission stated.

The annual report shows that the budget at the ODPC grew to €7.5 million last year, with staff numbers rising to 85, making it among the most highly resourced national data protection authorities in the EU, it claims.

There were 2,594 complaints closed in 2017, compared to 1,438 in 2016, and while the majority of those were resolved amicably, a total of 34 formal decisions were issued.

Most of the cases where there was no amicable settlement involved issues arising from the financial crash.

"Cases involving the transfer of loan books to new lenders and receiverships where buy-to-rent owners are involved appear in some cases incapable of being resolved to the satisfaction of the data subjects, as their fundamental grievance relates to the underlying transaction itself or the actions of the lender, rather than data protection issues per se," the report said.

Demand for advice also increased, with general consultation queries increasing by 69% in 2017 to a total of 1,818 queries.

There were also 91 audits or inspections carried out.

