Action is needed to tackle deficiencies in how the public service protects the personal data of citizens before such action is triggered by a “crisis”, the Data Protection Commissioner has said.
Billy Hawkes was speaking today on the publication of his annual report for 2013, which is his final annual report in the office. He retires in August.
Mr Hawkes highlighted a number of issues of concern and said his audits of State organisations had “in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State”.
“Laudable objectives such as fraud prevention and greater efficiency must meet a test of proportionality in the manner in which data is used.”
In one case study published in the report, his office received a complaint from a man concerned about inappropriate access to his details by an employee of the Department of Social Protection– namely his ex wife.
There were 12 instances of unauthorised access to his records between February 2004 and July 2009. An investigation was carried out by the department and the matter was referred to the HR division for possible action under the Civil Service Disciplinary Code.
Mr Hawkes said once again this case highlighted “the unacceptable practice by some individuals of snooping through official records for personal reasons unconnected with their official duties”. Taking no action against individuals caught in engaging in such activity was “not acceptable” and it should be clear to all users there there were “serious negative consequences” for unauthorised access to personal information for unofficial purposes.
“Varying degrees of personal information relating to every citizen in the State is held on databases within Government Departments and officials who have access to this information to conduct their official duties are entrusted to access and use that information in accordance with the requirements of their functions,” he said.
“Straying beyond the boundaries of their official duties in terms of accessing personal records amounts to unlawful activity by the individuals concerned. For that reason, it is critical that data controllers, such as a Government Department in this case, have robust disciplinary policies in place to deal with any breaches.”
Mr Hawkes told The Irish Times he believed "the State system in general is not paying sufficient attention to its responsibilities for the quantum of data it holds on all of us".
"I suppose if I had a parting wish as Data Protection Commissioner it is that there would be system-wide action taken on data protection – that would be the responsibility of the Department of Public Expenditure and Reform - rather than have it triggered by a crisis, which I think is inevitable unless action is taken."
In relation to the audit of the An Garda Síochana Pulse system, which was published earlier in the year, Mr Hawkes recommended in his report that the force should have a dedicated data protection unit.
He said he expected the force to now “actively enforce” the terms of a directive from headquarters and to take “strong and appropriate disciplinary action against any persons abusing their access to Pulse and prosecutions against any person found to be using such access for gain”.
He also expressed concern about the use for criminal purposes of the fingerprints of individuals who were required to provide such prints in connection with applications for asylum, visas and residence.
In his report, Mr Hawkes said the debate resulting from the revelations last year by the former NSA contractor Edward Snowden of the extent of access by US and European intelligence agencies to personal data had "thrown a welcome spotlight on the general issue of state access to personal data".
A recent decision by the Court of Justice of the European Union to invalidate the EU Data Retention Directive relating to phone and internet data had "clearly set out the need for proportionality in this area".
"The CJEU judgment also shows the importance of challenging such privacy-destroying measures, as was done in this case by Digital Rights Ireland, supported by the Irish Human Rights Commission. "