Database on citizens had to be taken down swiftly
Analysis: Government department dropped the ball in allowing information on ‘live’ people to go online in searchable form
The message displayed on the irishgenealogy.ie site after the civil registration details were removed last Friday.
In a matter of minutes last week The Irish Times was easily able to find (with their permission) all the following information about several colleagues and friends on a Government genealogy website: dates and places of birth, mothers’ maiden names, spouses’ names, marriage dates, places of marriage, spouses’ parents’ names.
Without exception all were surprised or disturbed to learn of the easy availability of such information – in particular mothers’ maiden names which are commonly used as a security question for banking and other purposes.
Even knowing the first names of someone’s children and rough ideas of their ages would have easily yielded information on minors also. This was a potential gold mine of information for people with more nefarious ambitions than researching their family tree.
Sketchy details were enough. If you didn’t know someone’s age the website allowed you to guess it by keying in a date range plus or minus several years.
You could work your way back from birth dates to guess when the person’s parents might have married.
A single search for an unusual surname with the births, marriages and deaths options selected could throw up several family links on a single page.
Almost certainly millions of records – taken directly from the General Register Office’s information on births, marriages and deaths – were contained on the irishgenealogy.ie website launched by former minister for heritage Jimmy Deenihan in March 2013.
There is no doubt about the enormous benefit to genealogists and other researchers of having certain information available online. Census details, such as the 1901 and 1911 censuses which have been put online in recent years, have proven very valuable for research purposes, including to this writer in researching background on a relative who fought in the first World War.
But personal data on living individuals enjoys protections that data about dead people does not – for very good reason.
If combined with other information that individuals or organisations might already hold or be aware of, the potential for the misuse of this database of registry office data online for other purposes was clear.
There was ready potential for anyone with malicious or fraudulent intent to use dates of birth, anniversary dates or mothers’ maiden names to attempt to hack into someone’s online banking, or worse.
A would-be employer could also easily use it to glean someone’s age or marital status – information they are no longer allowed to ask.
There was also, of course, the potential for it to be “scraped” or harvested by commercial or other interests.
While conducting some searches on the database, the user was asked to key in a random string of characters displayed on the screen to “prove” the search was being conducted by a human being. But this was no guarantee the data couldn’t be abused.
What hadn’t occurred to those who developed the site for the benefit of genealogists clearly raised instant alarm bells when it was drawn to the attention of the Data Protection Commissioner last Thursday. The database simply had to be taken down.
The commissioner ascribed it to cock-up rather than conspiracy. But the office said it highlighted the need for organisations, including Government departments, to think and plan carefully before they undertake any projects involving the use of people’s personal information.
People have a fundamental right to the protection of their personal data enshrined in European and Irish law. In this case a Government department dropped the ball and potentially exposed citizens to trouble and distress.