Personal data accessed inappropriately by public servants

Data Protection Commissioner criticises State agencies over use of information on welfare databases


There has been a “disturbing failure of governance” in some public bodies in relation to their use of personal information stored on State databases, the Data Protection Commissioner has said.

Publishing his annual report for 2012 today, Billy Hawkes outlined an audit his office undertook of the so-called Infosys system which holds information from a range of social welfare databases. They are also accessible by other agencies on a read-only basis.

The audit followed a major investigation within the department into one employee’s access patterns to personal data. A criminal investigation is also underway into that matter.

Mr Hawkes said a “worrying degree” of inappropriate access to personal data by State employees was detected as a result of his investigation.

In particular, his office uncovered cases of inappropriate access within the HSE that “indicated an unacceptable lack of awareness within the HSE as to what actually constituted inappropriate access”.

The commissioner said sharing of data could bring benefits in terms of efficient delivery of public services.

“But it must be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason. The failures revealed by the Infosys audit need to be addressed on a public-service-wide basis before any other such sharing arrangements are put in place.”

The office also carried out a major audit of the Garda’s Pulse system during the year and uncovered widespread inappropriate access to records by gardai, including to information on celebrities.

“Whereas there is quite rightly significant pressure on government to improve efficiency through data sharing, you cannot expect the public to support that if in fact they are not satisfied that people working in the public sector will treat personal data sensitively,” Mr Hawkes said.

“ In the case of the Department of Social Protection, it has data on practically everyone in the country and we have a right to expect that that data will only be accessed and used for reasons related to public functions.”

Data protection issues related to the activities of multinational companies continued to absorb an increased amount of resources, the commissioner said.

The office is likely to face a significant additional burden following the introduction of a proposed new European regulation on data protection, currently being debated by MEPs.

Overall running costs for an office of about 30 staff were just under €1.6 million last year.

Mr Hawkes said he was satisfied “as of now” with the additional resources allocated to it that it could do the job assigned to it.

But it was crucial that the Government had promised it would be given more resources if, as he expected, more companies chose to come under his office’s jurisdiction under the so-called “one-stop shop” arrangement under the new EU law.

“That would involve extra resources because as we’ve seen from our audit of Facebook and, now, our audit of LinkedIn that these are extremely resource-intensive activities.

“We have to operate to an extremely high standard because other data protection authorities are monitoring what we are doing, insisting as they should, that we perform to a very high standard – because their residents are impacted by the activities of these companies.”

His office dealt with about 9,500 queries in 2012 and opened 1,349 complaints for investigation. This was a new record high and compares with 1,161 complaints the previous year.

The number of complaints about unsolicited direct marketing text messages, phone calls, faxes and emails increased to 606 last year compared with 253 in 2011, 231 in 2010 and 262 in 2009.

Some 195 prosecutions were taken against 11 entities.

These included successful prosecutions against three companies for illegally using social welfare information on individuals which they had obtained through a private investigator.

In February, FBD, Zurich and Travelers Insurance pleaded guilty to 10 sample charges each and all three offered to make donations of €20,000 to charity.

A number of firms were also prosecuted for sending unsolicited marketing communications by text and by other means. They included Advance Pitstop, Citywest Hotels, Therapie Laser Clinics, Meteor, Three and Carphone Warehouse.

In the case o f Meteor, it admitted senting unsolicited texts to between 11,000 and 18,500 individuals due to a human error.

Eircom and Meteor were prosecuted over the loss of personal data belonging to over 10,000 Emobile and Meteor customers which had been stored on two unencrypted laptops which had been stolen from Eircom’s offices.

Both companies pleaded guilty to charges relating to the failure to protect the personal data on the laptops. The court applied the Probation Act conditional upon each company making a donation of €15,000 to charity.

Last year, the commissioner made a total of 36 formal decisions. Some 30 of these fully upheld the data subject’s complaint, two partially upheld the complaint and four found that there was no breach of the law.

A total of 864 investigations of complaints were concluded.

Mr Hawkes said his office dealt with 1,666 personal data security breach notifications last year. This was again up on previous years. Of these, 1,592 were found to be valid security breaches - an increase of 400 on the previous year.

The commissioner noted that while the complexity of certain data breaches increased, it was the “more mundane situation” of correspondence being sent to the wrong address that continued to account for the largest percentage of security breaches.

A full two thirds of breaches related to such issues.