State's slipshod care of our personal data is unacceptable
Published 16/08/2014 | 02:30
BILLY Hawkes is not an excitable man. Global lawsuits about Facebook privacy or dramatic interventions in government ministers' handling of rivals' data have rarely caused a ripple all throughout his tenure as Ireland's Data Protection Commissioner.
But he becomes visibly annoyed when discussing the issue of government departments recklessly handing over sensitive citizen information to "blaggers" such as private investigators.
"I have always had concerns about how public services handle data," Mr Hawkes told me recently. "And I have noticed the increased scope of data handling in public bodies without, often, proper oversight measures. And I would like to say, specifically, that I am entirely unsatisfied with the arrangements in place for the oversight of personal data in the Department of Social Protection."
From the mild-mannered mouth of a man like Mr Hawkes, this is damning stuff. But it seems that he may be right to be "particularly concerned" about how personal information is "leaked" from the system into manipulative hands.
As the Irish Independent's investigation shows, those to whom we are legally required to entrust our most sensitive personal information are giving that data out to mercenaries who sell that information on to third parties.
Even if the final purchaser of the information has a legitimate reason for pursuing you - such as a credit union seeking to locate a delinquent borrower - there can be no excuse for the guardian of your most personal particulars allowing such information to slip into commercial circulation. It's not just public sector bodies, either. There is a massive problem in Ireland with the casual disregard of sensitive personal information.
The best available figures show that over half of all Irish organisations - public and private sector - suffered a 'data breach' (losing or inappropriately giving away sensitive customer information) in 2013. The overwhelming cause of this data slippage is "negligent employees", according to the Irish Computer Society research that was conducted among hundreds of large organisations.
Indeed, 80pc of incidents relating to data leaks, slippages and loss are caused by staff. Managers' response is largely to shrug their shoulders, with one-in-three Irish IT managers complaining that their organisation's staff are not sufficiently aware of data protection issues.
That the scale of individual Irish data breaches is limited - with 80pc constrained to less than 100 records per incident - is no comfort whatsoever. Irish administrators in both public and private sectors have proven themselves to be blithely lackadaisical when it comes to properly safeguarding information we entrust to them. Cumulatively, this is a far greater threat to our security and privacy than high-profile (but rare) hacking attacks. Those who take a less condemnatory view of data leaks from the Department Of Social Protection might say that its agents are human, possessing the strong Irish characteristic of empathy. Such a feature, it could be argued, can be manipulated through false stories of hardship or sick parents or bad luck.
The evidence in the cases looked at by the Irish Independent, though, seemed to involve a lack of common sense in authenticating the legitimacy of requests rather than perceived exceptional, compelling circumstances.
If this systemic failure is left unchecked, how long will it be until serious personal security is compromised? How extensive might private investigators' swelling databases on our most personal circumstances become? Such information is extremely valuable to a whole range of interested parties, from insurance firms and utility companies to specialist retailers.
The next time someone calls to your door with a flip-chart and surprises you with a nugget of information about your personal or financial circumstances, can you be sure it wasn't illicitly blagged?