A private investigator who illegally obtained personal information from an official in the Department of Social Protection and passed them on to insurance companies and a bank has been convicted and fined a total of €4,000.
James Cowley (65), Brookdale Lawns, Rivervalley, Swords, Co Dublin, was prosecuted by the Data Protection Commissioner and appeared before the Dublin District Court on Monday.
The court heard the suspicions of the commissioner were raised in July last year after the office was notified of a data breach involving Permanent TSB. The bank had inadvertently sent PPS numbers to a number of individuals, one of them being Mr Cowley.
The commissioner’s office inspected Mr Cowley’s business last October.
Mr Delaney told the court he examined Mr Cowley's surveillance reports for PTSB, the State Claims Agency, Allianz insurance and Zurich insurance and confirmed that personal details involving the charges before the court had been obtained from the same official in Department of Social Protection.
The details he obtained included family information, such as whether an individual was married or had a partner, their current and previous employers, whether they had children and whether they were claiming an social welfare benefit.
They included cases where Mr Cowley had been asked to trace individuals or to see whether there was a link between claimants in a car crash.
In the case of one of the individuals he was asked to trace, he learned that they were due to be married on a particular date and turned up at the wedding to conduct surveillance, the court heard.
Mr Delaney said there was “nothing unlawful” about a bank or insurance company hiring a private investigator and they had good reason to do so.
But he was dealing with Mr Cowley’s methodology and what he did after sourcing the personal data.
Mr Cowley was charged under section 22 of the Data Protection Acts 1988 and 2003 with obtaining personal data without the prior authority of the data controller (the department) and of disclosing the information to another person.
The court heard Mr Cowley had made a contribution of €1,000 towards the DPC’s legal costs.
Counsel for Cowley Lisa Daly BL told the court her client hugely regretted his behaviour and wanted to apologise to all those involved, Ms Daly said.
“He foolishly did not realise the ramifications of the seriousness of his actions,” she said. He had since closed his company.
Ms Daly asked the court to consider a charitable donation in view of Mr Cowley’s early guilty plea, his lack of previous convictions and the fact he had not come to attention since.
Judge John O’Neill said he was “not convinced” by the argument he should seek a charitable contribution in lieu of a conviction.
“Privacy is a huge topic nowadays and an invasion of privacy therefore is serious. How could I justify going down the road you want me to go by asking your client to make a charitable contribution? We have more and more instances of breaches of privacy, breaches of people’s rights and there is a greater emphasis on trying to protect these rights.”
He recorded convictions on four of the 13 charges and said he would mark the others as taken into account. The judge imposed a fine of €1,000 on each of the four charges, giving Mr Cowley four months to pay each of them.
He set a recognisance of €500 cash lodgment in the event the defendant wished to appeal.
The Department of Social Protection said it did not comment on ongoing investigations but concirmed there were three investigations being carried out under the Civil Service Disciplinary Code into suspected breaches of its data protection policy.
“Any breach of trust with regard to the confidentiality of information is treated as serious misconduct under the Disciplinary Code, the sanction for which may be dismissal,” it said.
Speaking after the case, Mr Delaney said: “The era of private investigators being able to illegally access personal data from state databases and get away with it are over. One by one, they will be brought before the courts to face the consequences of their actions.”
Mr Delaney said that in 2014, after his office had successfully prosecuted two separate private investigation firms, it had issued a “very clear warning” to those operating in the sector that if any of them continued to commit offences under data protection law the office would pursue them and prosecute them.”