Many organisations in Ireland deploy few resources to manage data protection compliance and view saving money as sufficient justification for poor data protection practices, according to the Data Protection Commissioner.
Helen Dixon also said her office does not have the resources to replace the requirement for organisations to procure their own expert advice and build their own capacity when it comes to being data protection compliant.
Writing in her annual report for 2015, Ms Dixon says despite claims to the contrary, there is no inherent conflict between her office being able to hear complaints from individuals on the one hand and provide guidance to organisations who may perhaps be infringing people's rights on the other.
Both roles are prescribed in EU legislation underpinning her office's functions, she says, and giving guidance to companies like Facebook and LinkedIn can help boost privacy protections for individuals in the future.
2015 saw email queries to the Office of the Data Protection Commissioner rise by 6% to 14,427, with an additional 16,713 phone enquiries and 885 postal requests for information.
In total, 932 complaints were opened, down 28 on 2014.
A record number of decisions under the data protection acts were made by Ms Dixon's office, with CCTV in the workplace, direct marketing by SMS, spam emails and banks failing to keep personal contact information up to date the main problems for complainants.
62% of complaints focused on the right of people to access personal data held by others about them, with 11% centered on electronic direct marketing.
23 complaints were received from individuals who were unhappy at search engines' refusal to delete search results about them under the "Right to be Forgotten" principle, nine fewer than in 2014.
In one case the ODPC sided with Google in its decision not to remove from search results a person involved in a long-running tribunal.
In that case the commissioner's office felt there was a legitimate public interest in maintaining access to this information against a search of the person's name.
The ODPC successfully prosecuted four organisations for 24 offences around direct marketing and opt-out rules under electronic communication privacy regulations.
However, overall the commissioner says the decrease in complaints in this area is evidence that the prosecution strategy is working.
Worryingly, the commission was notified of 2,317 valid data security breaches in 2015, up 129 year-on-year, with over half being unauthorized disclosures, such as those made in postal and electronic communications.
The ODPC carried out 51 audits in the public and private sectors in 2014, including on the insurance industry and the franchise section of Dublin City Council.
In her report, Ms Dixon describes last year's European Court of Justice judgment striking down the Safe Harbour agreement, which allowed the legal transfer of European residents' data to the US by American multinationals, as being of major significance on a number of levels.
She said as of today it still remains to be seen whether the proposed replacement for Safe Harbour, known as Privacy Shield, will be a viable solution.
2015 also saw the establishment of a Special Investigations Unit to carry out targeted and pro-active probes and a Forensics Technical Lab to assist in technical audits and investigations.
An increase in the office's budget last year meant the organisation was able to nearly double its team and open a new office in Dublin in addition to its main office in Portarlington, Co Laois.
The ODPC had been criticised for being located a distance from where most large tech multinationals are located, and for working from a small office over a shop in the midlands.
Ms Dixon says that having worked with many organisations last year, it was clear that some appear to struggle with the principles-based nature of data protection legislation, and they claim it is difficult to interpret and apply the principles in the specific scenarios with which they are dealing.
However, she says that from what she and her staff have seen, little real attempt is made in some cases to interpret and apply the principles, while in other cases organisations appear not even to be conscious that what they are proposing represents a significant interference with an individual's data-privacy rights, and even view cost savings as sufficient justification for any action.
In the past Ms Dixon's office has been criticised within Ireland and abroad for not doing enough to monitor activities of the big tech multinationals here.
As a result the commissioner says she undertook an ambitious programme of speaking engagements to the industry last year - speaking at 60 events within Ireland and a number abroad.
She said her hope is that this will help to "dispel fundamental misapprehensions as to purported differences between Irish data protection law and the regimes in other EU states."
On issues around the establishment of the post-code system, Eircode, Ms Dixon says she and her staff dealt with a number of queries in relation to it, and worked with operator Capita to develop a code of practice and frequently asked questions to help resolve the issues.
However, she says the volume of queries around the topic underlines the need to test fully when rolling out projects where people's data is involved.
Ms Dixon said issues related to the Department of Education's Primary Online Database remain under investigation, and show that strong analysis, risk identification and management, data protection impact assessment and effective communication are the foundations of any successful large-scale government data project.