The Data Protection Commissioner (DPC) Billy Hakes has launched his 2012 report summarising activities, detailing complaints and referencing audits undertaken during the period.
In 2012, the report said that the office of the DPC opened 1,349 complaints for investigation, exceeding last year’s record high number with an increase of 188, or 16.1%. The report said that complaints from individuals in gaining access to personal data held by organisations accounted for just under one-third of the overall complaints investigated during 2012. The number of complaints under the Privacy in Electronics Regulations during 2012 more than doubled from 253 in 2011 to 606 during 2012.
The report also raises concerns over the inappropriate access of personal data in the public sector. It says that while the Commissioner "accepts that data sharing can bring benefits in terms of efficient delivery of public services," it also "cautions that it should be done in a way that respects the rights of individuals to have their personal data treated with care and not accessed or used without good reason."
Appendix 4 of the report deals specifically with this, and details an audit carried out on the Department of Social Protection INFOSYS database, which "uncovered significant breaches of the data protection legislation in relation to access to and governance of personal data".
The Appendix states that during a 2008 audit of the INFOSYS database, it showed that a number of external agencies had "read-only" access to INFOSYS.
The report says that the DPC’s office decided to "examine external access to INFOSYS further in the light of a major investigation into abuse within the Department of Social Protection in terms of one employee’s access patterns."
This prompted a criminal investigation by An Garda Síochána looking at one Department of Social Protection employee who allegedly accessed social welfare records and passed the information onto private investigators. This particular investigation also led, says the report, to the successful prosecution of a number of insurance companies who processed the illegally acquired data, and ultimately led the DPC to "query whether similar abuse might occur in locations where external access to social welfare data via INFOSYS had been granted to specified bodies."
Further investigation in 2011 that continued into 2012 revealed "a worrying degree of inappropriate access to INFOSYS by state employees," though the report acknowledges that "some of this misuse was uncovered through internal investigations initiated by the agencies themselves."
"In particular, we uncovered cases of inappropriate access within the HSE that indicated an unacceptable lack of awareness within the HSE as to what actually constituted inappropriate access," said the report.
Despite the level of inappropriate access to personal data discovered, the report is not entirely damning.
"While the Office is satisfied that no entity investigated sought to deliberately breach the provisions of the Data Protection Acts regarding use of INFOSYS, it is nevertheless the case that the actions of a number of authorised users across the spectrum of specified bodies granted access to INFOSYS breached the Acts. A key purpose of this report therefore is to clarify exactly what the requirements of the Data Protection Acts are in this area. It is expected that all users of INFOSYS will move to immediately amend their procedures accordingly. Implementation of the recommendations contained in this report will be subject to close scrutiny."
Data breaches of an electronic or IT nature represented a small proportion of the overall number of breach notifications. Despite a rise to 1,666 notifications in 2012, of which 1,592 were considered valid, just 30 were as a result of the theft of IT equipment and 34 were due to web site security.
However, the report states that due to the complexity of some IT related breaches, an advisor has been appointed and additional resources have been allocated to investigating such cases.
TechCentral Reporters
Subscribers 0
Fans 0
Followers 0
Followers