Personal information including bank statements and payslips relating to three strangers was sent by the Department of Social Protection to a man who sought his own details under the Freedom of Information Acts.
Niall Smith from Limerick told The Irish Times he received the documents attached to his own several months ago and reported it to both the department and to the Data Protection Commissioner.
The information included birth dates and financial information. Mr Smith claimed there were enough details about three strangers for him to have perpetrated identity theft had he been minded to do so.
While postal data breaches are relatively common, the department has also come to attention for data breaches in which private investigators illegally “blagged” personal information over the phone.
The Wicklow-based directors of a private investigation firm were successfully prosecuted by the commissioner in one such case last October.
The department also made an out-of-court settlement of €12,500 in March with a man whose ex-wife, who worked for the department, looked at his personal information after they had broken up.
Duty of care
It was sued under the Data Protection Acts under a provision that obliges organisations to hold a duty of care towards those whose personal data they process.
Mr Smith said he was “disgusted” such important personal information was sent in error by the department.
“If I had of been of a different nature I could have used the details I received to steal the identity of three innocent people.
He questioned whether there were similar breaches that had gone unreported.
“Private companies would lose contracts if they did this. However, the department seem to be above reproach.”
In a statement, the department said it was aware of the case and, when notified, acted “immediately in accordance with procedures”.
“The individuals were notified in the first place by phone and were also written to on the same day – March 23rd, 2015.
It said the commissioner was notified on March 25th.
Asked about the number of data breaches affecting the department this year, it said it was aware of four, including the case in Limerick.
“These affected eight people in total. In all four breaches the office of the Data Protection Commissioner was notified.”
Of just over 1,500 valid data breaches reported to the commissioner in 2013 – the most recent full year for which figures are available – some 60 per cent related to postal data breaches and 10 per cent were email breaches.
There is no statutory obligation on organisations to report such incidents where people’s personal information is compromised.
The commissioner’s code of practice states, however, that they should be reported as soon as an organisation becomes aware of them, except when they have been reported without delay to the affected individuals, where they affect no more than 100 people and where they do not include sensitive personal data or information of a financial nature.
A man whose ex-wife allegedly looked at his personal information on Department of Social Protection computer systems obtained an out-of- court settlement of €12,500 last March on the day his case was listed for hearing.
The man said he had requested his personal information from the department under the Data Protection Acts and the Freedom of Information Acts in the wake of his marital break-up.
He said it had taken a long time to establish what records his ex-wife had allegedly accessed, but that an investigation established they had been looked at 12 times between February 2004 and July 2009.
“I had to go to extraordinary lengths and a long, convoluted FOI process,” he said.
“There should be random checks and serious repercussions for those who are caught,” he added.
The Data Protection Commissioner issued a formal decision in February 2013 that the man’s personal data had been processed by the department in a manner that contravened the Data Protection Acts.
In its annual report last year, it said, without naming the parties, that the case once again highlighted the “unacceptable practice by some individuals of snooping through official records for personal reasons unconnected with their official duties”.
The department said that while it could not comment on individual cases it treated its responsibilities in terms of protecting the data of its clients “with the utmost seriousness”.
In the small number of instances where data breaches had been substantiated, sanctions up to and including dismissal had been applied.
“The department has extremely rigorous data- protection and information security policies, standards, procedures and guidelines in place, and every effort is made to ensure that personal customer data is used solely for business purposes and that it is not compromised in any way.
“The department oversees a large volume of business every year and any breach - while regrettable - must be seen in that context.”
It said its policies, procedures and guidelines were kept “under constant review” and updated as appropriate.
The man’s solicitor, Fintan Lawlor, said he believed the courts would protect individuals whose data rights had been breached.
Data controllers should be aware of recent cases that showed if an individual could prove they had suffered damage as a result of a data breach they were likely to secure damages.