Opinion

Sunday 26 May 2019

The State must be more mindful of your private data

The outgoing Data Protection Commissioner, Billy Hawkes, has described the current abuse of personal data as a 'crisis' waiting to happen.
The outgoing Data Protection Commissioner, Billy Hawkes, has described the current abuse of personal data as a 'crisis' waiting to happen.

TJ McIntyre

Last week the Irish Independent revealed further abuses of private files in the Department of Social Protection. The abuses ranged from private investigators illegally accessing personal information, to one male employee who spent up to two hours per day looking up information on women and their partners.

This is particularly worrying, given the department is the largest holder of personal data on us all in the State, with records on every citizen from birth to death, from child benefit to widowers' pensions.

The response of the department - that it constantly reviews its internal controls - is reminiscent of Father Dougal McGuire's promise: "As I said last time, it won't happen again".

Problems in the department have been evident since 2005, when over 70 staff were found to have accessed the file of Limerick Euromillions winner Dolores McNamara. That case was soon followed by the discovery of illegal leaks of information to private investigators hired by insurance companies. This prompted a 2008 audit by the Office of the Data Protection Commissioner which found "significant concerns" in the way in which it handled personal data. Although technical controls have been significantly tightened since that audit, abuses have continued, including deliberate snooping by staff on friends, neighbours and celebrities.

Unfortunately, the Department of Social Protection is not unique. The issues within that department are symptomatic of much wider problems around the protection of personal information in state bodies and allegations of a culture of snooping.

The Data Protection Commissioner's 2014 audit of the Garda, for example, revealed a "particularly disturbing" level of abuse of the PULSE system, where a random sample of PULSE files relating to public figures showed that a number of gardai had "inappropriately accessed" records relating to every one of those individuals.

The Revenue has also had to respond to staff snooping by establishing what is in effect a VIP unit.

This gives special protection to the personal information of individuals who are "prominent and in the public eye" and limits access to specific officials.

Though this is intended as a privacy-friendly measure, it is still worrying that it was necessary to set up a two-tier system which might insulate the influential from abuse, while still leaving the rest of us at risk.

The scale of this problem reflects the minimal sanctions imposed on those who abuse personal data.

In those cases which are detected, the most common penalty has been a reprimand and in a minority of cases a suspension, pay cut or a temporary bar from promotion.

In general, Irish law does not make it a crime to abuse personal data and even where it does, the courts have yet to take these cases seriously. In one of the very few prosecutions, three large insurance firms (FBD Insurance, Zurich Insurance and Travelers Insurance Company) were given the benefit of the Probation Act in return for making a donation to charity, despite pleading guilty to serious offences of receiving information from a private investigator which had been illegally obtained from 
the Department of Social Protection.

One must question whether this is enough to deter further crime.

This situation has been described by outgoing Data Protection Commissioner Billy Hawkes as a "crisis" waiting to happen.

His conclusion, following nearly a decade of dealing with public bodies, is that "the state system in general is not paying sufficient attention to its responsibilities" and in too many cases senior management has given "scant regard" to its duty to safeguard personal data.

Remarkably, however, rather than set out to remedy these problems the Government is currently proposing changes which 
could make them significantly worse. The Department of Public Expenditure and Reform has put forward proposals to allow for greater data-sharing between public bodies.

These proposals would make it routine for information collected by one state agency to be shared with others, potentially opening it up for wider abuse.

While data-sharing might result in some efficiencies, it also puts personal data at even greater risk by enabling many more individuals to access files, whether to snoop or to sell the information on.

Despite this, the proposals for data-sharing do not discuss or respond to the systematic problems which have been identified by the Data Protection Commissioner.

At a minimum, these must be addressed before our personal information becomes even more widely accessible.

Dr TJ McIntyre is a lecturer in the UCD Sutherland School of Law and chairman of Digital Rights Ireland

Irish Independent

Today's news headlines, directly to your inbox every morning.

Don't Miss

Editor's Choice