THE DATA Protection Commissioner has expressed concern that organs of the State may be using “draconian powers” inappropriately to access personal information and to clamp down on welfare fraud. Billy Hawkes said he had a “particular concern” at the balance being struck by the State in relation to the use of personal data in this area.
Publishing his annual report for 2009 yesterday, Mr Hawkes said there had been cases where information was being sought by the Department of Social and Family Affairs from other departments to which it had been provided for a “totally different reason”.
He said there had been instances where legislation placed before the Oireachtas, “which in the interests of clamping down on crime and social welfare fraud, gives very draconian powers to the State to interfere with people’s personal data”.
Mr Hawkes said the worst recent example was the provision inserted in the Social Welfare Act to give the department the power to access anyone’s bank account “with no constraint”. He said the department had given an undertaking not to use this power until such time as a code of practice had been agreed with his office.
Mr Hawkes told The Irish Timesthere was a "huge focus" on preventing fraud because of the State's budgetary situation and said it was important that there be proper investigation to clamp down on such fraud.
“If you’re a civil servant in the Department of Social and Family Affairs with that brief and you’re told ‘go after them, get them’, and you’re not given constraints, then you are going to use any powers you are given. Our concern is that powers are being given without being constrained.”
The report criticises the HSE in relation to the theft of a laptop from its offices in Roscommon in June last year. The machine, containing the personal data of clients, was unencrypted. Mr Hawkes said “the HSE failed to have security measures on the stolen laptop that were appropriate to the harm that could result to individuals from the loss of the data”.
He noted the HSE was also mentioned in his 2008 report in relation to a data security breach and said his recommendations were therefore “extensive and demanding”. They include a requirement that the HSE adopt a “comprehensive” policy in relation to breach management. Mr Hawkes said the HSE should prioritise the development of secure networks and devices for the transfer of patient data.
It is understood he has wider concerns about the lack of centralised responsibility for data protection issues within the HSE.
But his report notes a “positive development” in relation to the management and use of health information, namely the intention of the Department of Health and Children to bring forward a comprehensive Health Information Bill “which will provide a specific legal basis for intended uses of health information while at the same time safeguarding patient privacy”.
Last year, the office opened 914 complaints for investigation.
Mr Hawkes said the slight decrease on the 2008 figure could be accounted for in some respects by the “almost halving” over the last two years in complaints about unsolicited direct marketing text messages, phone calls, fax messages and e-mails.
Case studies
A number of companies have been prosecuted for sending unsolicited marketing messages by text, fax or other electronic messages, including: Map Dance Ltd (trading as Jackie Skelly's Gyms), Home RBVR Ltd (trading as Brasserie Sixty6 restaurant), and Prism Fax Services Ltd.
A major Irish-based airline (unnamed) breached the Data Protection Act by e-mailing a man's travel itinerary to his employer, after the employer requested it. The man was dismissed from his job following the disclosure of the travel information.
A customer complained that Quinn Direct Insurance had sought information on the number of penalty points on his driving licence for the previous five years, even though the statutory retention period for penalty points is three years. The Data Protection Commissioner asked Quinn to cease the practice "immediately". It subsequently revised its policy.
A complainant accepted an apology from a company (unnamed) after it returned the results of a DNA paternity test to a neighbour's house by accident. The complainant accepted the company's offer to refund the fee for the test in order to resolve the matter "amicably".