The library records of 20 people living in north Co Dublin were edited to add in information of a “highly inappropriate, sexually explicit nature”, an audit by the Data Protection Commissioner (DPC) found.
The audit of a new system in Malahide Library was one of 91 carried out by the commissioner's office in 2017. The audits also included examinations of direct provision centres, the Irish Prison Service prisoner management system, and communications companies Three, Virgin Media and BT Ireland.
Commissioner Helen Dixon's annual report for 2017, published on Tuesday, says the office singled out the new library management system, Sierra, for attention following engagement with the libraries development unit of the Local Government Management Agency (LGMA) in 2015.
During that engagement, the DPC highlighted potential issues with the system in relation to inappropriate access to records and it instructed the agency to build in safeguards and “trigger mechanisms”.
The commissioner singled out the system for future examination once it was live across the majority of libraries in the State and Malahide Library was subsequently selected for audit.
‘Inappropriate data entries’
"Shortly before the August 2017 audit of Malahide Library, Fingal County Council contacted the DPC informing it of a recent incident where a library staff member based in another local authority inadvertently came across the borrower record of a library borrower in Fingal which contained data entries of a highly inappropriate, sexually explicit nature," the report said.
Fingal County Council established subsequently that the records of 20 Fingal library borrowers had been edited in this manner, and that these had been imported from the previous library management system into the new one.
The report does not outline the nature of the content and the DPC established that there was no way of establishing who had edited the records. It noted that staff in every library were using a generic login for the Sierra system.
The commissioner’s office subsequently instructed the libraries unit of the LGMA to put in place audit trails “as a matter of priority” and to create individual login usernames and passwords.
It also said library staff should be automatically prompted to change their passwords on a regular basis and warned that such changes to records would constitute a data breach from May under a new EU regulation.