The Data Protection Commission has said it is investigating “potential breaches” of the General Data Protection Regulation by a Government department, following a complaint that it allegedly interfered with the role of its data protection officer, an offence under the EU legislation.

The complaint is being taken by Digital Rights Ireland on behalf of technology journalist and Irish Times columnist Karlin Lillington.

The provisions under Article 80 of GDPR allow an individual to nominate a not-for-profit body acting in the public interest to lodge a complaint with a national regulator where he or she alleges infringements of their rights under the EU law. Digital Rights Ireland is a data privacy advocacy group.

GDPR also allows such not-for-profit bodies to seek “an effective judicial remedy” on behalf of such complainants, where they believe their rights have been infringed.

The complaint was made after it emerged in August that the secretary general of the Department of Employment Affairs and Social Protection ordered changes to the department’s online privacy policy to remove a reference to its collection of people’s biometric data.

Repeated denials

This followed repeated denials by the department that it processed biometric data in relation to the public services card, even though it holds more than three million photographs of individuals on a facial image matching system.

The changes were made when the data protection officer was on leave and records obtained under the Freedom of Information Act in August revealed the officer said he would not have agreed to the changes and that they were not discussed with him.

Digital Rights Ireland wrote to Minister for Employment Affairs and Social Protection Regina Doherty after the records were obtained by The Irish Times, alleging “serious interference” with the role of the data protection officer (DPO).

The rights group said the DPO was first excluded from a decision to make changes to the privacy statement and was then “given instructions regarding the exercise of his functions”. Both actions constituted violations of the GDPR, it alleged.

Senior investigator

In response to the complaint on November 23rd, a senior investigator with the Data Protection Commission replied that having examined it, “we consider that potential breaches of the GDPR have been highlighted”.

The commission said it was “making enquiries into this matter” with the department and would provide an update “within the next month”. However, on Wednesday evening the Department of Social Protection said it was “unaware” of any investigation into the independence of the data protection officer.

Under GDPR, the data protection officer must be independent and an organisation employing one is not permitted to give them any instructions regarding the exercise of their tasks. An infringement, for an organisation other than a public body, could potentially carry a penalty of up to €10 million. However, Irish legislation has limited any potential fines levied on public bodies to €1 million.