'Widespread, significant' breaches of data protection across State agencies

Monday 20 May 2013 22.05
The Data Protection Commissioner has warned that people's rights must be respected in data sharing
The Data Protection Commissioner has warned that people's rights must be respected in data sharing

The Data Protection Commissioner has discovered significant, widespread breaches of data protection law during an audit.

The audit looked at how information from the Department of Social Protection is shared with other government agencies.

Launching his 2012 annual report, Billy Hawkes said similar breaches have been found in an ongoing audit of An Garda Síochána, specifically in relation to the PULSE system.

While he accepts data sharing can bring benefits and efficiencies across the public sector, Mr Hawkes cautioned that it must be done in a way that respects people's rights to have their data treated with care.

He said an ongoing two-year audit of An Garda Síochána has revealed inappropriate access to the PULSE system by members of the force.

An ad-hoc, on the spot inspection of usage and access to PULSE in relation to a substantial number of public figures or celebrities who were recorded as witnesses or victims revealed significant abuse of the system.

One high-profile figure had their records accessed 80 times, while another had their records inappropriately accessed 50 times.

In relation to three high-profile media personalities and also a well-known inter-county GAA player, the number of times PULSE had been accessed appeared to bear no relation to the valid entries relating to these individuals.

In all cases, the report says, there was no commonality in the gardaí who looked up the individuals concerned.

The matter was raised urgently with garda management, who told the Office of the Data Protection Commissioner (ODPC) that a new system of audit and review was in place and awaiting implementation.

Last year, the ODPC also carried out an audit of INFOSYS, a database administered by the Department of Social Protection which is used by a range of external third party government agencies and bodies.

The audit uncovered what is described in the report as a worrying degree of inappropriate access to INFOSYS by State employees, including one employee who used it to access details about their son's girlfriend.

In particular, cases of inappropriate access within the HSE indicated an unacceptable lack of awareness within the organisation as to what constituted appropriate access.

The ODPC says while it is satisfied no entity sought to deliberately breach the law, it is nevertheless the case that the actions of a number of authorised users breached the act.

Last year the ODPC successfully took around 200 prosecutions, involving 11 separate entities. Most of these were in the areas of unencrypted laptops and breaches of unsolicited direct marketing rules.

Three insurance companies were prosecuted after social welfare data, sourced by private investigators, was found on insurance claim files held by the companies.

During the year, the ODPC began investigations into 1,349 complaints, a 16% increase on the previous year.

One third of the complaints were from individuals experiencing difficulties in accessing personal data about them held by other organisations.

Keywords: data protection