Data chief considered stopping use of sensitive information
Concerns voiced over organisations’ use of mothers’ maiden names as security questions
The Data Protection Commissioner considered telling organisations to stop using information such as mothers’ maiden names as security questions following the publication of civil records online.
The Data Protection Commissioner considered telling organisations to stop allowing information such as mothers’ maiden names to be used for security questions after millions of personal records were published on a government genealogy site last year.
In July last year, then commissioner Billy Hawkes threatened to take enforcement action against the Department of Arts, Heritage and the Gaeltacht after civil registration data on all births and marriages was made available on the irishgenealogy.ie website.
Even though such information is publicly available on registers held by the General Register Office, it had never before been made available in such volume and in such an immediately accessible form online, and for free.
The genealogy site, which had been established as part of the Government’s national genealogy policy, made it possible to build up huge amounts of personal background on individuals and their families within minutes, even by guessing their date of birth within a range of dates.
The availability of the records had been drawn to the attention of the commissioner’s office by The Irish Times after a member of the public raised concerns about the visibility of their own personal information on the site. The records were provided by the General Register Office, which comes under the remit of the Department of Social Protection.
Some records relating to the matter were previously released under the Freedom of Information Act. Additional records held by the Department of Social Protection have now been released after an appeal to the Information Commissioner.
Emails between the department and the DPC’s legal adviser reveal the commissioner expressed concern about the security of the genealogy site and that “nefarious” computer technology could be used to harvest some 24 million records on individuals and to build profiles of them using other ‘big data’.
In an email to a Department of Arts official marked ‘EXTREMELY urgent’, the commissioner’s legal adviser said the department needed to shut down the civil records search on the website “immediately”.
If the department failed to remove the information, the “Data Protection Commissioner will issue to the Minister an enforcement notice”.
In another email to the Department of Social Protection, the legal adviser said the commissioner was concerned about what protective measures and safeguards had been put in place “for the practical operation of public access to these registers”, especially with regard to the fact that the information in them was “key identifier” personal data of an individual.
“It is an area of concern for him that any organisation or person or entity could harvest this online data and use it to data match with other big data sources to build up identity profiles on individuals.”
There was “another very significant repercussion from the free, public availability of date of birth/place of birth and mother’s maiden name of an individual, as these were used by both public and private organisations to verify the identity of a customer to prevent identity fraud.
“The Data Protection Commissioner will be giving this further consideration and there is a strong possibility that public advice will have to issue from this office, that data controllers should no longer use these specific security questions. This will cause significant problems for many organisations that have integrated these security questions into their systems,” the email added.
The records were removed from the website within 24 hours of the commissioner’s office being made aware of them.
The departments subsequently agreed to amend the site so that only limited information on civil registrations is available. Births over 100 years old, marriages over 75 years old and deaths over 50 years old are now publicly searchable.
Some church records have also recently been made available on the site.