Ireland's surveillance and interception laws require a thorough modernisation to bring them up to date, the Data Protection Commissioner’s annual report has found.
Writing in her office's 2016 annual report, Helen Dixon says the update is also needed to ensure that the rights of individuals are adequately protected, in particular through independent oversight of how these far-reaching powers are deployed.
Following stinging criticism in previous years, the commissioner claims that last year saw some encouraging improvements in her office's engagement with public-sector bodies and departments.
She again criticises them for being slow, in many cases, to adjust to the reality that data-protection rights cannot simply be legislated away to an independent regulator.
As in previous years, 2016 saw a number of cases where staff in certain public sector bodies disclosed individuals' data to third parties, including situations where private information was given to a spouse or other family member on request, the report outlines.
The commissioner also points to ongoing leaking of data from government bodies to private investigators which she says remains a challenge to be tackled.
Ms Dixon also uses the report, published today, to highlight a failure by organisations to ensure that individuals are adequately on notice of how their data is being processed.
In particular she mentions employee monitoring using CCTV which she claims remains a concern for many.
The monitoring and processing of CCTV images can be lawfully justified in many cases, she states, but a trend is emerging of employers failing to make the rules around the use of CCTV footage in disciplinary processes clear to employees.
Prosecutions were taken by the commissioner's office in 2016 for a range of offences committed under the Data Protection Acts and the ePrivacy Regulation, the report says.
Nine entities were prosecuted for electronic marketing offences.
The commissioner also expresses her approval for plans by the European Data Protection Supervisor to establish a Digital Clearing House.
It will voluntarily bring together data protection authorities and consumer and competition regulators to examine how cooperation can lead to web-based service providers being more accountable for their conduct, she states.
Ms Dixon says questions need to be asked about whether consumers are being left "between a rock and a hard place" by the placing of so much power around internet tracking and interest-based ads in the hands of a few big platforms, given that media outlets are also signed up to these same ad exchanges.
The ODPC also had increased levels of interaction with multinational tech companies based in Ireland during the past 12 months.
It continues to investigate the massive data breach at Yahoo which exposed 500 million users' personal details.
Ms Dixon says that case provided "a salutary reminder of the sheer quantity of our personal data stored by online service providers".
She also reminds data controllers that are based in Ireland but work for US internet companies, and that are responsible for transferring that data across the Atlantic, that clear and ongoing obligations exist under Irish law requiring them to ensure the data is adequately safeguarded.
"While in some cases it may be impossible to adequately safeguard against particularly sophisticated criminal hacking, with proper monitoring, audits and controls, in many circumstances the existence of a breach of systems may be identified much sooner and mitigation action taken," she writes.
The ODPC also engaged with Facebook on a number of matters, including an update to its cookie banner notification to include more precise information on its usage of cookies for commercial purposes.
It also investigated Facebook's decision to share user data from WhatsApp with the social network to ensure WhatsApp users had properly consented to the practice.
Overall the Office of the Data Protection Commissioner dealt with 33,249 queries by email, phone and post during 2016.
It investigated 1,479 complaints, with issues around access requests remaining the number one cause.
The commissioner also issued a record 59 formal decisions, of which 55 fully upheld the complaint.
The number of complaints concerning electronic direct marketing remained relatively stable compared to previous years, at 118.
The ODPC also received 26 "Right to be Forgotten" complaints, where people had requests to have search results removed denied by search engines such as Google.
Of these, six were upheld, with 15 rejected and five under ongoing investigation.
Among those upheld was an individual who sought the removal of results related to a conviction for assault causing harm for which they were sentenced to six months' imprisonment suspended for three years.
The ODPC upheld the appeal, because seven years had passed from the date of the conviction and the story was therefore considered no longer relevant.
The number of valid data breaches notified to the commissioner's office fell from 2,317 in 2015 to 2,224 last year.
142 came from the telecoms sector, while the number of network-security compromises, including ransomware and malware attacks, reported to it almost doubled to 23.
It also carried out 50 privacy audits and inspections, among them in-depth audits of State agencies including An Garda Síochána, Revenue, the Defence Forces and GSOC.
Its audit of the civil service shared-services provider PeoplePoint found "a concerning level of front-line human error in the handling of personal data and sensitive personal data in many cases".
The report also highlighted how 2016 saw an emerging trend towards name-and-shame-style campaigns by public sector organisations.
The commissioner says public sector bodies involved in such initiatives need to be sure "the evidence is clear, that the naming and shaming produces the desired outcomes and that those outcomes cannot be achieved without interfering with privacy rights".
Last year also saw the first full year of operation of the ODPC's Special Investigations Unit.
Among its key focuses was the private investigator sector, where there were two successful prosecutions.
It also finalised preparations to open a new investigation in the hospitals sector this year to examine the processing of patients' sensitive personal data in areas of hospitals with patient and public access.
The ODPC opened its new office in Dublin during 2016 and expects to grow its staff there to 130 within the next two years, which means it will need to acquire more office space in the capital.
Ms Dixon says the main focus for her office in 2017 is on preparing for the introduction of the European General Data Protection Regulation next year.