Firms prosecuted over welfare data
Three large insurance companies have pleaded guilty to illegally using social welfare information on individuals which they obtained through a private investigator.
FBD, Zurich and Travelers Insurance all pleaded guilty to 10 sample charges each after they were prosecuted for breaches of the Data Protection Act.
The prosecutions followed a complaint from the Department of Social Protection in December 2010 after it emerged an official in a regional office had allegedly been providing personal information on individuals to other parties. The Department had noticed an unusual pattern of access to its systems by the official concerned, in conjunction with phone calls from the official to two particular numbers.
Gardaí also opened an investigation, but the three insurance companies were not subject to that garda inquiry.
Dublin District Court heard today the companies were all registered with the Data Protection Commissioner (DPC) to process certain personal information. This did not include social welfare information, which is contained on the database of the Department of Social Protection and which is not publicly available.
The commissioner obtained details of the welfare official’s access to the department’s computer systems for 2010, and was also led to the offices of Kildare-based private investigator Reliance Investigation Services by the phone records.
Assistant data protection commissioner Tony Delaney and officials from the commissioner’s office made an unannounced inspection of the private investigator’s premises on December 9th, 2010 and obtained its client list for that year.
Mr Delaney said VAT invoices found on the private investigator’s premises proved to be critical evidence which linked the investigator with the insurance companies.
The three firms prosecuted were also on the client list and a number of inspections followed at each firm’s office.
Information found at the insurance firms, which the Department of Social Protection subsequently confirmed was from its records, included individuals' dates of birth, PPS numbers, addresses, employment history and information on claims made from the department.
While the individuals whose personal information was exposed were not named in court, the court heard that in a number of cases the details obtained by the insurance companies also included information on spouses.
Mr Delaney told prosecuting counsel Remy Farrell SC, instructed by Philip Lee Solicitors for the commissioner, that his office had had concerns about the issue going back to 2007. There had at that time been reports in the media about certain insurance companies illegally accessing State databases, including Garda information and welfare information.
He said such had been the commissioner’s concerns that a code of practice was developed in conjunction with the insurance industry, setting out the standards that should apply with regard to processing personal information.
This code also had an important appendix on the use and hire of private investigators, to ensure the companies would have full knowledge of how such investigators did their work, and to ensure that any data being obtained was from publicly available services.
Mr Delaney said the code published in August 2008 was a “very comprehensive document” which had been the result of “tedious negotiations” with the industry. He believed every insurance company was “well aware” of the code and of its provisions.
“For that reason, the Data Protection Commissioner is firm in his view that insurance companies know what the standards are and the rules that are in place,” he said.
Mr Delaney said his office viewed the matter as a “very very serious” data protection breach, where the private investigator had been giving information to the insurance firms on a “demand and supply” basis.
Mr Delaney said all three companies had given their full cooperation with the inquiry from the outset.
In total, the details of about 70-80 individuals are understood to have been accessed. About 15 people were the subjects of the 30 sample charges to which the companies pleaded.
All three companies offered to make donations of €20,000 to charity. They will also pay the Data Protection Commissioner’s legal costs.
Judge Ann Ryan noted that all three companies were now fully compliant with regard to their entries in the Data Protection Commissioner’s register and she was satisfied appropriate measures had been put in place to ensure this did not happen again.
The judge said that in light of the early guilty pleas, and the fact that the companies had no previous convictions under the Acts, she would apply the Probation Act if the donations were made by March 5th.
Judge Ryan said it was an “extremely serious matter” that people’s private details should be dealt with in such a manner.
She asked that the donations be given to the Capuchin Day Centre for homeless people, which she said provided a “fantastic” service for thousands of people throughout the city.
In a statement after the proceedings, the commissioner’s office said it was “very satisfied” with the outcome.
“We are satisfied that the companies in question have substantially improved their systems and are seeking to be fully compliant with data protection law,” the statement said.
The commissioner said the court outcome sent “the strongest possible message to other companies in the insurance sector and, indeed, all sectors generally that there will be severe consequences from breaches of the Data Protection Acts”.
“It also reinforces the obligation on Government bodies to protect the personal data which they hold, often data which citizens are legally obliged to provide.”
There remained room for “substantial improvement” in this area, as these proceedings had shown.
“We are not so naive to believe that these are incidents isolated to these companies and, therefore, this court outcome acts as a warning and a signal of intent that unlawful access to citizen data held on Government databases will not be tolerated by the Data Protection Commissioner.”
Deputy data protection commissioner Gary Davis said that while the three companies concerned were no longer carrying out the practice, his office suspected it was still going on in the wider sector.
He said the use of private investigators to obtain social welfare information had been going on "on a large scale".
The Department of Social Protection said it takes its responsibility under data protection legislation "very seriously". A spokeswoman said it takes "a very serious view of breaches of its information security policies and procedures which are subject to the provisions of the Civil Service Disciplinary Code".
It said it did not comment on individual cases.