Private Investigator used civil servant to access personal data
Sleuth used mole in Department of Social Protection to mine their computer system for personal information on people.
A PRIVATE investigator, who used a mole in the Department of Social Protection to mine their their computer system for personal information on people, has been fined €4,000.
James Cowley (65) with an address at Brookdale Lawns, Rivervalley, Swords, Dublin pleaded guilty to 13 charges under Section 22 of the Data Protection Act for unlawfully obtaining access to personal data and disclosing it to third parties without authorisation of the Department of Social Protection.
Permanent TSB Bank had hired him to trace people while insurance companies including Zurich, Alliance and the State Claims Agency used his services to carry out surveillance on possible bogus claimants in personal injuries cases.
He was able to access, and revealed, private background information on several people and in one instance could tell when a person was was getting married, and also turned up at the wedding.
The court heard he had been in the British Army before working with a security firm and then he set up his private investigation business which he ran for 31 years but is now looking for other work.
Convicting and fining him Judge John O'Neill said: “Privacy is a huge topic nowadays and invasion of privacy is serious” adding that there is now a greater emphasis on protecting those rights.
The case followed a probe by the office of the Data Protection Commissioner which prosecuted him and summonsed him to appear before Dublin District Court on 61 counts. Prosecuting solicitor Clare McQuillan told the court that 48 charges were being withdrawn and it was then indicated Cowley would be pleading guilty to the remaining 13 counts, involving 13 people.
Assistant data protection commissioner Tony Delaney told the court that last year he got a data breach notification from Permanent TSB after they inadvertently sent two PPS numbers to private investigators one of whom was Mr Cowley.
He asked Permanent TSB to send him copies of trace reports, dating back to 2012, which Cowley had prepared for the bank. He said that initially he got reports on six people prepared by Cowley for the bank. He checked with the Department of Social Protection to see if anyone there had accessed the people's data during the time Cowley was carrying out his investigation.
All six had their data accessed by one person, named in court as Susan Lillis, an official in the Department of Social Protection, the court was told. Continuing his investigation, Mr Delaney went back to Permanent TSB to get a wider sample, 27 people. Four of them had their private details accessed by the same individual in the department.
Cowley was able to get information on people whether or not he had their PPS number. Mr Delaney wrote to the private investigator and carried out an inspection at his office last October.
Mr Delaney said insurance companies Zurich and Alliance as well the States Claim Agency had employed Cowley to carry out surveillance work. He said there was nothing unusual about them using a private detective but the issue was the methodology used by the PI.
In December 2014 the States Claim Agency asked him to check a plaintiff to see if the injuries they complained of were genuine. Cowley filed a report to the agency in February 2015 to say he had no success in tracing the person whose data had been accessed in the same government department.
On June 12 last year, the States Claim Agency asked him to locate another plaintiff. During the time between him receiving the request and submitting his report on July 9 last, two men and two women had their data accessed, while Cowley was carrying out his investigation. One of them had theirs accessed twice.
Cowley was also able to say in his report that one woman used a different surname for official purposes from that of a married couple who had raised her. The couple's data was also accessed.
The report stated also stated previous addresses and stated when one of them was getting married and Cowley “turned up at the wedding in June”. All that information had been on the Department of Social Protection's computer system.
The next four charges related to investigations carried out by Cowley for Zurich Insurance Plc who had asked him to find out if there a connection between an insured motorist and claimants. Between May 27 and June 22, when he submitted his report, four people had their data in the department's computer system accessed. He was able to include details such as their addresses, maiden names, their mothers' maiden names, whether they were in employment and where they had worked before.
In the last five charges another five people had their information accessed between May 22 and June 17 last year when Cowley was asked by insurance firm Alliance Plc to investigate them.
The same woman in the Department of Social Protection had accessed their records and Mr Delaney believed she did so the behest of Cowley, the court was told. The PI was able again able to include detailed private information about the five people, the court was told.
Mr Delaney agreed with defence counsel Lisa Daly that Cowley had no prior criminal convictions and the guilty plea was useful in that it had not necessitated having to bring witnesses to give evidence. He had also paid €1,000 in the prosecution's legal costs.
Mr Delaney also agreed that the defendant had also used lawful and traditional surveillance methods and was not solely relying on his civil service contact.
Ms Daly asked for leniency and said her client acted stupidly and had not realised the ramifications or seriousness of the actions. He had been employed to “weed out” excessive or fraudulent claims. He is now looking for other work and had brought €2,000 to court and was offering to donate it to charity.
However, Judge O'Neill said he could not go down that route and imposed four fines totalling €1,000 each, which must be paid within four months.. The remaining nine charges were marked taken into consideration.
Following the case, Assistant Data Protection Commissioner Tony Delaney issued a statement and told reporters: “The era of private investigators being able to unlawfully access data from State databases and get away with it are over.”
“One by one, they will be brought before the courts to face the consequences of their actions,” He warned.
“In 2014, after successfully prosecuting two separate investigators we issued a very clear warning to those who operate in the private investigator sector that if any of them continued to commit offences under data protection law, we would pursue them and prosecute them.
“Clearly today's defendant did not heed that warning. I believe there are others who have continued to break the law in the meantime. They are currently being pursued by the Office of the Data Protection Commissioners. We have the resources, we have the skill-set, we have the tools and above all we have the determination to identify any remaining offenders and to bring them to justice,” Mr Delaney said.