A charity that works with men who have behaved violently in the home has been censured by the Data Protection Commission after video recordings of counselling sessions involving up to 120 men went missing.
MOVE (Men Overcoming Violence) Ireland made a mandatory report regarding the data breach to the DPC in February of 2020 after 18 portable SD cards suspected of containing recordings of men discussing their “behaviour and attitudes with regard to domestic violence” went missing.
MOVE is a rarer form of outreach charity in that it deals with perpetrators of violence as opposed to victims with the aim of “supporting the safety and wellbeing of women and their children who are experiencing or have experienced violence or abuse in an intimate relationship”.
The recorded counselling sessions in question, which were first noted as being missing in the Sligo area in December 2019, may have shown the men participating in those sessions, while the personal data contained on the SD cards included the “disclosure of behaviours, feelings and attitudes towards current or ex-partners, other family members, and friends” who may have been named by those being counselled, the DPC said.
The Commission found that MOVE had infringed GDPR by failing to implement measures to ensure a level of security appropriate to the risk inherent in recording such sensitive information.
Together with an official reprimand, the DPC ordered MOVE to bring its data processing in terms of recording group sessions into line with Articles 5 and 32 of the GDPR.
A fine of €1,500 was also administered, one of the smallest the Commission has handed out to date.
Asked why such a low fine was administered for such an apparently broad-ranging breach, a spokesperson for the DPC said it must “arrive at a figure that is effective, proportionate and dissuasive having regard to the circumstances of each individual case and the turnover of the data controller”.
“The sensitivity of the personal data is one of the factors that the DPC had regard to in calculating the fine,” they added.
MOVE Ireland did not respond to a request for comment.
The DPC has the power to impose fines for GDPR breaches ranging as high as either €20m or 4% of a body’s turnover, whichever is higher.
In its full report on the matter, the DPC noted that MOVE’s turnover in 2019 had been €686,421.
The report also notes that MOVE disputed the amount of the administrative fine proposed, that it believe it was “unclear” as to whether what had happened constituted a breach of data protection, and that it did not believe it had a responsibility to report itself for the breach and that the fact it had done so should mitigate in its favour.
In fact, all such breaches are supposed to be reported to the DPC within 72 hours.
The nature of the breach was greeted with incredulity by sources within the outreac
