Principles
Disclosure
Prosecution of James Cowley Private Investigator
James Cowley was charged with sixty-one counts of breaches of the Data Protection Acts, 1988 & 2003. All charges related to breaches of Section 22 of the Data Protection Acts for obtaining access to personal data without the prior authority of the data controller by whom the data is kept and disclosing the data to another person. The personal data was kept by the Department of Social Protection. The personal data was disclosed to entities in the insurance sector – the State Claims Agency, Zurich Plc and Allianz Plc.
On 13 June 2016, at Dublin Metropolitan District Court, James Cowley pleaded guilty to thirteen sample charges. He was convicted on the first four charges and the Court imposed a fine of €1,000 in respect of each of these four charges. The remaining nine charges were taken into consideration in the sentence imposed.
The investigation in this case uncovered access by the defendant to social welfare records held on databases in the Department of Social Protection. To access these records, the defendant used a staff contact who was known to him. Mr. Cowley then used the information he obtained for the purposes of compiling private investigator reports for his clients. These activities continued for a number of years up to September 2015 when our investigation team first made contact with him about its concerns in relation to his processing of personal data.
Disclosure of Personal Data to a Third Party in Response to a Subject Access Request
An ex-employee of Stobart Air made a complaint in August 2015 to us regarding the unlawful disclosure of their redundancy details to another member of staff following an access request made by that person to the company. The complainant also informed us that they had likewise received third-party personal information in response to a subject access request that they themselves had made to the company in May 2015.
Stobart Air, on commencement of our investigation, confirmed to us that a breach of the complainant’s data had occurred in November 2014. It stated that it had not notified the complainant when it first learned of the breach because it was unaware of the data protection guidelines, which advise that a disclosure be reported to the data subjects involved where it poses a high risk to their rights, and that the third party in receipt of the information be asked to destroy or return the data.
The complainant in this case declined an offer of amicable resolution and requested a formal decision of the Commissioner. In her decision the Commissioner found that Stobart Air, by including the complainant’s personal data in a letter to ex-employees, had carried out unauthorised processing and disclosure of that data. This contravened Section 2A(1) of the Data Protection Acts, 1988 and 2003, as the complainant’s personal information was processed without the complainant’s consent or any other legal basis under the Acts.
Stobart Air identified itself that it had inadequate training and safeguards around data protection in place which it has since sought to rectify.
In a separate complaint received by the DPC in September 2015, we were notified that Stobart Air had disclosed financial data of a third party to the complainant in response to a subject access request. We proceeded to remind Stobart Air of its obligations as a data controller and Stobart Air identified a number of individuals who had been affected by these issues. Stobart Air subsequently notified all affected third parties of the breach of their personal data. However, in trying to comply by notifying the affected individuals, Stobart Air disclosed the complainant’s data, by divulging the fact that the complainant was the recipient of this data, in a letter notifying the individuals whose data was originally disclosed.
Stobart Air had no legal basis to disclose the complainant’s personal data to the third parties involved, nor did it have the consent of the individual affected. The disclosure of the complainant’s identity to the individuals affected by the original breach was unnecessary in the circumstances and in contravention of Section 2A(1) of the Data Protection Acts 1988 and 2003.
Data Breach at Retail and Online Service Provider
In July 2016, we received a breach report from an organisation providing retail and online services.
The organisation was the victim of a “brute force” attack, whereby over a two-week period the attackers tried various username/password combinations, with some combinations successfully being used to gain access to user accounts. When these accounts were accessed, the attackers attempted to withdraw user balances. These withdrawals were enabled by the attacker having the ability to add new payment methods to the account. It was also possible for the attacker to access the personal data associated with the account.
On assessing the breach, we identified that the organisation had deficiencies in the measures it had taken to secure users’ personal data including:
Insufficient measures on password policy and user authentication;
Insufficient control measures to validate changes to a user’s account; and
Insufficient control measures on the retention of dormant user accounts.
We considered that the organisation contravened Section 2(1)(d) of the Data Protection Acts 1988 and 2003 by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, its users’ personal data.
Recommendations were issued to the organisation that it take steps to mitigate the deficiencies identified or face enforcement action. The organisation subsequently informed us that it had taken the following steps based on our recommendations:
Implementation of passwords which require more than one factor
Implementation of a comprehensive data retention policy
This case highlights the need for organisations to ensure that they have appropriate technical, organisational and security measures in place to prevent loss of data through “brute force” or password-reuse attacks. In this scenario, the use of appropriate access and authentication controls, such as multifactor authentication, network rate limiting and logon alerts, could have mitigated the risks. Further, poor retention policies provide an “attack vector” for hackers, such as the one used as a means of entry in this breach.
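As an added illustration (not code from the organisation or from this Office), the following Python implements the three controls the recommendations point to: detection of the two attack shapes over constructed sample log lines (one address cycling through many usernames, and many failures against one account), a sliding-window throttle of the kind network rate limiting provides, and a retention check for dormant accounts. The log format, thresholds and account names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log (illustrative; not the breached organisation's logs).
# Format assumed: "<ISO timestamp> <client ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2016-07-01T10:00:00 203.0.113.7 alice FAIL
2016-07-01T10:00:02 203.0.113.7 bob FAIL
2016-07-01T10:00:04 203.0.113.7 carol FAIL
2016-07-01T10:00:06 203.0.113.7 dave FAIL
2016-07-01T10:00:08 203.0.113.7 erin FAIL
2016-07-01T10:00:10 203.0.113.7 frank OK
2016-07-01T10:05:00 198.51.100.9 alice FAIL
2016-07-01T10:05:20 198.51.100.9 alice FAIL
2016-07-01T10:05:40 198.51.100.9 alice FAIL
2016-07-01T10:06:00 198.51.100.9 alice FAIL
2016-07-01T10:06:20 198.51.100.9 alice FAIL
2016-07-01T10:06:40 198.51.100.9 alice OK
2016-07-01T11:00:00 192.0.2.44 grace OK
"""


def parse_log(text):
    """Turn the constructed log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_abuse(events, window=timedelta(minutes=10), ip_users=5, acct_fails=5):
    """Flag the two shapes a sustained username/password attack takes in the log.

    spraying / credential stuffing: one IP failing against ip_users distinct
        usernames inside the sliding window;
    per-account brute force: one account collecting acct_fails failures
        inside the window.
    A success that arrives while either condition holds is a 'suspect success':
    the point at which a logon alert and step-up (multi-factor) authentication
    should fire instead of silently granting access.
    """
    fails_by_ip = defaultdict(deque)    # ip   -> deque of (ts, user)
    fails_by_acct = defaultdict(deque)  # user -> deque of (ts, ip)
    spraying_ips, bruteforced, suspect = set(), set(), []

    for ts, ip, user, ok in sorted(events):
        for dq in (fails_by_ip[ip], fails_by_acct[user]):
            while dq and ts - dq[0][0] > window:   # evict entries outside the window
                dq.popleft()
        if ok:
            ip_hot = len({u for _, u in fails_by_ip[ip]}) >= ip_users
            acct_hot = len(fails_by_acct[user]) >= acct_fails
            if ip_hot or acct_hot:
                suspect.append((ts, ip, user))
            continue
        fails_by_ip[ip].append((ts, user))
        fails_by_acct[user].append((ts, ip))
        if len({u for _, u in fails_by_ip[ip]}) >= ip_users:
            spraying_ips.add(ip)
        if len(fails_by_acct[user]) >= acct_fails:
            bruteforced.add(user)
    return {"spraying_ips": spraying_ips,
            "bruteforced_accounts": bruteforced,
            "suspect_successes": suspect}


class LoginThrottle:
    """Server-side rate limit: refuse further attempts for a key (account or
    client address) once `limit` failures fall inside `window`.  Key on both
    account and address so that neither attack shape above slips under it."""

    def __init__(self, limit=5, window=timedelta(minutes=15)):
        self.limit, self.window = limit, window
        self._fails = defaultdict(deque)

    def _recent(self, key, now):
        dq = self._fails[key]
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return dq

    def allow(self, key, now):
        return len(self._recent(key, now)) < self.limit

    def record_failure(self, key, now):
        self._recent(key, now).append(now)

    def record_success(self, key):
        self._fails.pop(key, None)


def dormant_accounts(last_login, now, max_idle_days=365):
    """Accounts idle beyond the retention limit: the case's retention finding was
    that such accounts stayed live, giving the attacker targets nobody watched."""
    return sorted(user for user, ts in last_login.items()
                  if (now - ts).days > max_idle_days)
```

Run `detect_abuse(parse_log(SAMPLE_LOG))` and the constructed log yields one spraying address, one brute-forced account and two suspect successes; those two logins are exactly where a multi-factor challenge would have stopped the withdrawals described above. The throttle and the dormancy check are the preventive halves of the same controls.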
Defence Forces Ireland – failure to keep data safe and secure
A member of the Defence Forces made a complaint to this Office that certain personal data relating to him was not kept safe and secure by the Defence Forces.
The complaint arose after a Military Investigating Officer (MIO) was appointed to review an internal complaint the individual had made as a member of the Defence Forces. The Defence Forces Ombudsman was subsequently appointed to review how that complaint had been handled and, in the course of its review, established that the MIO could not supply the notes of an interview he had conducted with the complainant: he had stored them at an unsecure location, and they were damaged or lost following flooding and a burglary at that location while the MIO was on an overseas mission. The unsecure location was in fact the MIO’s private house.
We raised the matter with the Defence Forces, who confirmed the complainant’s allegation that the notes had been stored at an unsecure location and had been damaged or lost as stated.
The Defence Forces informed us of the measures taken to keep data safe and secure, and referred us to its Administration Instruction, which provides for the prohibition of removal of records.
The Defence Forces further stated that the removal of records from their place of custody to a private residence would breach this instruction and that a breach of this provision may constitute an offence under S.168 of the Defence Act 1954. It advised that, as the MIO was no longer a serving member of the Defence Forces, he is not subject to military law.
The Defence Forces unequivocally acknowledged that the loss of the data in this case should not have occurred and was fully regretted. It informed us that it had recently undertaken a full review of practices and procedures in respect of both the processing and disclosure of data to mitigate the possibility of any future unauthorised or accidental disclosure of personal data.
The Commissioner’s decision on this complaint issued in June 2015, and it found that the Defence Forces contravened Section 2(1)(d) of the Data Protection Acts by failing to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the complainant’s personal data when it allowed it to be stored at an unsecure location, namely a private house.
This Office acknowledges that the Defence Forces has procedures in place in relation to the protection of personal data as set out in its Administration Instruction. However, those procedures were not followed in this case and when an official record was removed from its place of custody, it resulted in the complainant’s personal data being lost or stolen because the appropriate security measures in place were not followed.
There are many workplace scenarios where staff and managers, in particular, may need to take files, including personal data, home with them. Extreme caution should always be exercised in such cases to ensure that there is no risk to the security of personal data either in the transit of the files or while the files are in the employee’s home. Data controllers must ensure that employees act in a responsible manner with regard to the safe custody and handling of workplace files. This demands a proper system that records the taking of and returning of files and the following of prescribed procedures for the safe keeping of personal data while the files concerned are absent from the workplace. Likewise, it is critical that employees are prohibited from emailing official files from their workplace email account to their personal email account for afterhours work or for any other reason. In such situations, data controllers lose control of personal data that they are obliged by law to protect.
Third-Level Student Data Appeared on Third-Party Website
The Office received a notification from a data controller, in accordance with the Personal Data Security Breach Code of Practice. The notification alerted the Office to the fact that data relating to a large number of students had been discovered on a website that was unrelated to the data controller. The data related to the 2010 academic year.
The Office began an investigation of the matter. The data controller advised the investigation team that the information disclosed on the website included the name, email address and password of the student. The investigation team confirmed that there was no financial or sensitive data involved.
The data controller engaged an external security company to carry out its own investigation into the security breach.
Due to the passage of time, there were no server logs showing when or by whom the data had been uploaded to the website. However, the data controller was able to identify that the data published matched a file created for testing purposes in mid-2011. This file was then sent to a third-party service provider who was engaged in developing a management system for the data controller. The file was sent via unsecured email.
The third-party service provider informed the data controller that, while there was a relationship between its staff and the website on which the data was published, it had conducted a very thorough review of the matter and could find no evidence that the file had been posted onto the website through an act or omission on its part.
Our evaluation of the information showed that, when creating student accounts, the data controller assigned each account a predictable default password: the student’s date of birth. While students could change their passwords, they were never advised to do so.
While it could not be determined exactly how the data appeared on the website, it was evident that there had been a breach of the Data Protection Acts, in that appropriate security measures were not in place to prevent the unauthorised disclosure of personal data.
Our investigation also found that the use of live data for testing purposes was not in accordance with data-protection best practices. Where live data is being used by an organisation for testing purposes, there would have to be a strong justification for such use and we were not aware of any justification applicable in this particular case. The Office recommended that the data controller cease the use of live personal data for testing and either anonymise the data or create a fictitious data set for testing purposes.
The transmission of such student data via an unsecured channel is also inconsistent with the Data Protection Acts. It was found that, during the development of the management system, personal data, including passwords, was exchanged between the data controller and the service provider, using an unsecured channel. The data controller advised my Office of the fact that they now transmit such data via a secure mechanism. The Office recommended that this mechanism be brought to the attention of all staff.
Another issue discovered during our investigation that caused great concern was the use of a generic password. The fact that the date of birth of the student was assigned as their password meant that any individual who had access to the date of birth of another student could access the user account of that student. The Office recommended that the data controller communicate with students, advising that they change their password and that the new password be a minimum of 12 characters and include upper- and lower-case characters, numerals and special characters, such as a symbol or punctuation mark.
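The two recommendations above, fictitious or anonymised test data and stronger initial passwords, can be combined in one routine. The following Python is an added example, not the data controller’s code; the student rows are constructed, the pseudonymisation key and the `test.invalid` domain are assumptions, and the password rules are the ones stated in the case plus a date-of-birth check.

```python
import hashlib
import hmac
import secrets
import string
from datetime import datetime

# Constructed live export (illustrative; not the data controller's records).
LIVE_ROWS = [
    {"student_id": "S1001", "name": "Aoife Byrne", "email": "aoife.byrne@example.edu", "password": "01021992"},
    {"student_id": "S1002", "name": "Liam Walsh", "email": "liam.walsh@example.edu", "password": "15071991"},
]


def looks_like_date(pw):
    """True for all-digit strings that parse as a date in common day/month/year orders."""
    if not pw.isdigit():
        return False
    for fmt in ("%d%m%Y", "%Y%m%d", "%m%d%Y", "%d%m%y"):
        try:
            datetime.strptime(pw, fmt)
            return True
        except ValueError:
            continue
    return False


def check_policy(pw, min_len=12):
    """Return the list of rules the password fails (empty list = acceptable).
    Implements the recommendation in the case plus a date-of-birth reject."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol or punctuation")
    if looks_like_date(pw):
        problems.append("looks like a date of birth")
    return problems


def issue_initial_password(length=16):
    """Random initial credential to replace the date-of-birth default; the
    account should additionally be flagged must-change-on-first-login."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(pw):
            return pw


def pseudonymise(rows, key):
    """Build a test data set from a live export: identifiers replaced by keyed
    HMAC pseudonyms (same student -> same token, so joins still work), e-mails
    moved to a reserved domain, real passwords never copied.  `key` stays in
    production; the test system only ever sees the output."""
    out = []
    for row in rows:
        tag = hmac.new(key, row["student_id"].encode(), hashlib.sha256).hexdigest()[:12]
        out.append({
            "student_id": tag,
            "name": f"Student {tag[:4].upper()}",
            "email": f"{tag}@test.invalid",
            "password": issue_initial_password(),
        })
    return out
```

Because the pseudonym is keyed, a service provider holding the test file cannot reverse it to a student ID, yet the same key applied to a fresh export reproduces the same tokens, so a test system can be refreshed without breaking references. The date-of-birth check catches the failure mode of this case directly: `check_policy("01021992")` fails on length, character classes and the date pattern.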
Data Controller Discloses Personal Data to Business Partner
The Office received notification from a data controller advising that an email had been issued to a business partner which included personal data that should not have been disclosed.
The data controller advised the Office that it had entered into a business agreement with a third-party company to provide anonymised data to allow for a feasibility assessment of a proposed business venture. An email was issued to the third-party company which included the names of individuals in addition to the agreed anonymised data. This allowed for the third-party company to identify the individuals involved.
The data controller, in notifying this Office, stated that the third-party company had provided assurances that the data had been deleted.
The Office commenced an investigation of a data-security breach, under Section 10 of the Data Protection Acts.
Given the nature of the data involved and additional information received from a third party, this Office decided to visit the premises of the third-party business partner to satisfy ourselves that the data had been deleted and not further processed.
An investigation team, using our powers under Section 24 of the Data Protection Acts, arrived unannounced at the premises of the business partner. The team obtained documents in relation to the business agreement; these showed that only anonymised data had been sought. The team also obtained reports that had been created on foot of the receipt of the personal data. It was evident from these reports that, while personal data was available to the third party, it had not been used in the preparation of the reports and had no impact on the reports.
The team then examined the computer systems of the company and discovered several instances of the email it had received which contained the personal data.
The Commissioner felt it appropriate to issue an Enforcement Notice to the third-party company, requiring them to engage an external IT security company to delete any and all copies of the personal data it had received. The IT security company was to provide my Office with a report on the completion of the work. This report was duly received and this Office was satisfied that all copies of the personal data had been securely deleted.
The investigation found that personal data had been disclosed without consent or a legal basis. The investigation also noted that non-business related email accounts had been used by members of staff of the data controller in the conduct of business matters. The data controller was advised to prevent the use of non-business email accounts as the data controller could not control any data that would be transmitted through these non-business accounts.
Employee of Financial Institution Resigns Taking Customer Personal Data
The Office received a notification from a data controller, in accordance with the Personal Data Security Breach Code of Practice. The notification stated that an employee had tendered their resignation and the data controller then discovered that the employee had emailed a spreadsheet to their personal email account prior to their resignation. The spreadsheet contained details of customers, including their employment details, salaries, contact details and medical consultant.
The data controller provided the name and home address of the employee.
The Office was also contacted by the umbrella organisation of the data controller seeking assistance on how to advise their member.
The Office verified, through the Companies Registration Office, that a business was operating from the home address of the employee. We then contacted the employee on the basis that they were now operating as a data controller in their own right. We sought clarification from the employee as to the consent they had to process any personal data they obtained from their previous employment.
The employee advised the Office that, as part of their employment, they were asked to use their own laptop and personal phone for all business dealings. The employee also advised that they had not yet started canvassing for clients. The employee also confirmed that they had deleted all the personal data they held in relation to their previous employment.
We also engaged with the data controller who had made the notification in relation to the security procedures that were in place to protect customer data in its possession. The Office noted that the employment contract contained appropriate data-protection clauses. However, of concern was the fact that employees were using their own equipment for business purposes. In such circumstances, the data controller has little or no control over that data held on personal equipment.
The data controller introduced further procedures and policies on foot of the issue to prevent a repeat of this type of incident, including the introduction of software to password protect any data records being emailed. Furthermore, all employees must sign an undertaking on termination of employment that all data has been returned and will not be further processed.
Case Study 15: Theft of Unencrypted Laptop
The Office received a data-security breach notification during the year from a medical professional relating to a stolen laptop.
The notification advised that the laptop was password protected, but not encrypted. The notification also advised that the data stored on the laptop related to a medical study that was undertaken in 2009 and included audio files of interviews carried out with the study subjects which contained limited information. It was determined that a file listing the subjects of the study contained an ID number rather than the name of the individual. However, a further file that correlated the ID number with the subject name was also stored on the laptop. This file was also password protected.
It was noted that, before the study began, approval was obtained from the relevant Ethics Committee that covered the storage of data.
This Office advised the data controller of our guidance in relation to the notification of the affected individuals. In this particular case, the data controller advised the Office that it was of the view that notification to affected individuals would cause more distress than help to the affected individuals. This view was offered by the relevant medical professional overseeing the project. This Office must note the opinion of a medical professional who has a professional relationship with the affected individuals. We assume this decision is taken weighing the potential effects of an unauthorised disclosure of this data against the potential distress of the individual being notified of the security breach.
The Office, however, noted that laptops are now being encrypted. This case highlights the fact that data-protection considerations need to be constantly monitored. What may have been an acceptable standard five years previous may not now be acceptable, and security arrangements must be periodically reviewed.
Compromise of Adobe Network
Adobe Systems Software Ireland Ltd notified this Office in October 2013, in accordance with the Personal Data Security Breach Code of Practice, of a data-security breach involving unauthorised access to its systems. Personal data was compromised and the attacker also took Adobe software source-code elements.
Two data controllers were affected: Adobe US and Adobe Systems Software Ireland Ltd (Adobe Irl). We engaged in a coordinated investigation with the Office of the Privacy Commissioner of Canada and we were co-joined in our investigation by the Office of the Australian Information Commissioner.
Nature of Data Compromised
Adobe Irl created three classifications of individuals affected:
• Payment-card users, i.e. those whose encrypted payment-card numbers were accessed during the breach. The data involved was encrypted payment-card data – approximately 3.65 million payment cards (1 million controlled by Adobe Irl) relating to approximately 3.1 million individuals.
• Active users, i.e. those who had logged in to Adobe systems at least once in the two years prior to the discovery of the breach. The data involved was: email address and current encrypted password – 41 million (reduces to 33 million, as 8 million email notifications were undeliverable) (20.5 million controlled by Adobe Irl).
• Non-active users, i.e. those who had not logged in to Adobe in the two years prior to the discovery of the breach. The data involved was: email address and current encrypted password – 71 million (reduces to 46.5 million due to 25 million email notifications undeliverable) (28.5 million controlled by Adobe Irl).
How the Breach Occurred
The attack was a sophisticated and sustained intrusion of Adobe’s computer systems. Attackers identified and removed data from a backup server that stored the compromised data described above. Adobe states it has no evidence to show that unencrypted card details were taken. Forensic consultants engaged by Adobe supported this conclusion.
When Adobe learned of the security breach, they began an investigation of the cause of the issue and also initiated a series of measures including the following:
· Disconnected the impacted database server from the network
· Blacklisted IP addresses from which the attacker accessed their systems
· Reset passwords for all potentially affected users (including active, non-active)
· Changed passwords for relevant administrator accounts
· Notified the banks processing customer payments for Adobe, so they could work to protect customers’ accounts
· Reported the breach to law-enforcement authorities
· Employed a third-party company to conduct an investigation of the cause of the security breach of its systems and to identify what data may have been compromised
· Took actions to reduce the risks related to the theft of certain source-code elements
· Issued notifications to affected individuals, beginning on 3 October 2013, which alerted customers to the security breach
Passwords
At risk: the attacker posted some data that was exfiltrated on a website and included the email address and encrypted password of certain Adobe users. A number of research articles have demonstrated that some passwords have been deciphered by reference to password hints and repeated passwords (i.e., the same password used by more than one user). One article highlighted an organisation that had checked the compromised usernames and deciphered passwords against its own platform and found a significant number of these credentials would have worked on its own platform. The organisation contacted some of its affected users, alerting them to the issue, and also confirmed the scenario to this office. At issue here is that while Adobe enforced a password change on its own site and advised users to change their passwords elsewhere, it is evident that not all users followed such advice.
Hints: Part of the data exfiltrated by the attacker was the password hints of a small percentage of users. These hints were stored in clear text and associated with the username (email address). This information, together with an analysis of the encrypted passwords, allows certain simple passwords to be identified. However, as previously noted, Adobe reset the passwords for all impacted users.
Storage: The Office queried why passwords were stored in one system in an encrypted manner rather than hashed and salted. Encrypted passwords can be decrypted, which would allow a data controller to see the passwords of users, as could attackers if they gained access. Adobe stated that it had in fact been hashing and salting passwords within a new system for a number of years prior to the discovery of the security breach, but had decided to also keep the database in the old system as a backup measure in case of issues with the new system. Passwords in the old system’s database had been encrypted.
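To make concrete why the storage question matters, the following is an added example with constructed users and hints; it is neither Adobe’s code nor this Office’s. `det_encrypt` is a stand-in that has only the two properties the case turns on (the stored value is a deterministic function of the password, and anyone holding the key can reverse it); it is not Adobe’s cipher. The example walks through the analysis the research articles describe: cluster the dump by identical stored values, read the clear-text hints of any cluster member, confirm the guess against another organisation’s platform, and then run the same clustering against a salted, iterated hash store.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 100_000


def det_encrypt(password, key):
    """Stand-in for the old system's reversible, deterministic encryption:
    XOR with a keystream derived from the key alone.  Same password and key
    always give the same stored value, and its length mirrors the password
    length.  Illustrative only; not Adobe's cipher."""
    stream = hashlib.sha256(key).digest()
    while len(stream) < len(password):
        stream += hashlib.sha256(stream).digest()
    return bytes(p ^ s for p, s in zip(password, stream))


det_decrypt = det_encrypt  # XOR with the same keystream undoes it: the key holder reads every password


def hash_password(password, salt=None):
    """New-system style storage: random per-user salt plus a slow iterated hash."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def cluster_by_ciphertext(dump):
    """First step over leaked (email, stored value, hint) rows: identical stored
    values mean identical passwords, so one member's hint describes the
    password of every member of the cluster."""
    groups = defaultdict(list)
    for email, stored, hint in dump:
        groups[stored].append((email, hint))
    return {stored: members for stored, members in groups.items() if len(members) > 1}


def reused_credentials(guesses, other_site):
    """What the other organisation in the case did: check leaked
    email/password pairs against its own store of salted hashes."""
    return sorted(email for email, pw in guesses
                  if email in other_site and verify_password(pw, *other_site[email]))


# --- constructed data (illustrative; no real users) --------------------------
OLD_SYSTEM_KEY = os.urandom(32)  # held by the data controller; the attacker never sees it
USERS = [("a@example.invalid", b"dog123", "my dog"),
         ("b@example.invalid", b"dog123", "pet plus 123"),
         ("c@example.invalid", b"dog123", ""),
         ("d@example.invalid", b"Tr0ub4dor&3", "")]
LEAKED_DUMP = [(e, det_encrypt(pw, OLD_SYSTEM_KEY), hint) for e, pw, hint in USERS]
# An unrelated site where a and c reused "dog123"; it stores salted hashes.
OTHER_SITE = {"a@example.invalid": hash_password(b"dog123"),
              "c@example.invalid": hash_password(b"dog123"),
              "d@example.invalid": hash_password(b"unrelated-pass-9")}


def attack(dump=LEAKED_DUMP, other_site=OTHER_SITE):
    """Cluster, read the clear-text hints, guess once per cluster, confirm the
    guess on another site.  Reading the hints is modelled as a fixed inference."""
    clusters = cluster_by_ciphertext(dump)
    guesses = []
    for members in clusters.values():
        hints = [h for _, h in members if h]
        if any("dog" in h for h in hints):          # attacker's inference from the hints
            guesses += [(email, b"dog123") for email, _ in members]
    return clusters, reused_credentials(guesses, other_site)


def salted_store_clusters(users):
    """Same clustering step against salted hashes: identical passwords no
    longer produce identical stored values, so there is nothing to cluster."""
    return cluster_by_ciphertext([(e, hash_password(pw)[1], h) for e, pw, h in users])
```

The clustering step needs no key at all: determinism alone reveals which users share a password, and one member’s hint then applies to the whole cluster. The salt removes that signal, and the iteration count makes each offline guess cost the attacker roughly what one legitimate login costs the server, which is why the Office’s query concerned the old encrypted store rather than the new hashed one.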
Retention of Card Data with Customer Records
Customers who used payment cards to purchase Adobe products or services had their card details (encrypted) stored with the customer account within one particular system. Card numbers have now been replaced with a token system. This process began prior to the discovery of the security breach and was completed shortly thereafter. The token, which is encrypted, represents the payment-card number within the customer record and Adobe systems transmits the encrypted token to a third-party service provider, whose systems are located outside Adobe’s network, for payment processing.
Notifications to Affected Individuals
Adobe provided the Office with a list of when they notified each class of affected individuals and the relevant notification. In addition, Adobe publicly announced the 2013 breach in posts on its website, which included discussion of the theft of source code. The various notifications did advise individuals to monitor their credit-card statements and change their password if it was used on another site.
When we queried why notifications did not issue to those individuals where only contact details were compromised and did not include password or payment-card data, Adobe replied that it believed that notice in this scenario would lead to over-notification and notification fatigue and that there is not a significant risk of harm with respect to a compromise of this type of data element. The Code of Practice recommends that affected users are notified, so that each affected individual can consider the consequences for themselves and take appropriate measures.
This Office would expect that if a similar incident were to occur in the future, Adobe, or any other data controller, would automatically include all individuals for whom personal data had been compromised in its notification process.
Conclusion and Findings
Adobe fully cooperated with our investigation of the security breach reported to us on 2 October 2013. Adobe took appropriate action on discovery of the attack to prevent further access to their systems as required under Section 2(1)(d) of the Data Protection Acts 1988 and 2003. It also enforced a password change for its users to protect against unauthorised access to account data. Adobe’s quick reaction on learning of the security breach prevented the attacker from exfiltrating unencrypted payment-card details.
Adobe’s transition from encrypted passwords in the old system to hashed and salted passwords in the new system could have been completed more effectively and expeditiously than it was. It is also of concern that the password hints supplied by some users were stored in plain text rather than in an encrypted format, and some of those hints have been compromised.
This Office is cognisant of the fact that data controllers such as Adobe will always be a target for attackers and new attack methods are constantly being devised.
This Office found that Adobe was in breach of Section 2(1)(d) of the Acts by failing to have in place appropriate security measures to protect the data under its control, despite its documented security programme. It was also recommended that Adobe engages a third party to carry out an independent review of its systems.
Adobe has since put in place substantial improvements in its security protocols, practices and procedures, and this Office is satisfied that it now has appropriate procedures in place to minimise the possibility of a similar security breach in the future.
Client list taken by ex-employee to new employer
In January, 2013 we received a complaint from an individual in relation to receipt of unsolicited correspondence to her home address, from a company with whom she had no business relationship. The correspondence referred to the individual’s existing pension plan with another company and offered a review of the individual’s existing assets or advice concerning her future provision. The letter also indicated the sender’s intention to phone the recipient to discuss the matter further. The individual stated that she was annoyed and aggrieved that her personal and financial details were now in the hands of a company of which she had no knowledge.
The individual contacted the company with which she had set up her pension plan and they confirmed to her that the person who had sent her the unsolicited letter had left their employment in December 2011.
Section 2 of the Data Protection Acts, 1988 and 2003 (the Acts), provides that personal data shall be fairly obtained and processed and shall not be further processed without the prior consent of the individual concerned. We asked the new employer to confirm whether the employee had brought in data relating to clients that he obtained from his time working in his previous employment. We also asked the new employer to confirm what consent, in line with the Data Protection Acts, it had to process such data.
Our letter also informed the new employer that it should be aware that contacting an individual by phone, for the purposes of electronic direct marketing, without first receiving their consent, is an offence under Statutory Instrument No 336 of 2011.
The new employer confirmed that, having conducted its own internal investigation into the matter, approximately fifty former contacts of the employee had been written to. It stated that no follow-up phone calls were made. The new employer confirmed that any such data the employee possessed had been destroyed and that no further attempts would be made to contact those individuals.
The complaint was resolved on an amicable basis when the company provided this Office with a letter of apology dated 28 January, 2013 to forward, on its behalf, to the individual concerned.
However, in early April, 2013 this Office received a data security breach notification from the former employer informing us that another of their clients had informed them that she had received a letter from one of its former employees soliciting business. The nature of the letter, although addressed to a different client, was similar to the incident previously investigated by this Office in January 2013. The letter was dated 15 January, 2013 thus predating the confirmation of 28 January, from the new employer, that the client data had been destroyed.
Our investigations of such instances are twofold. We contact the company responsible for sending the unsolicited correspondence and we also deal with the company responsible for the data, to determine whether the security procedures it has in place to protect against the unauthorised access and disclosure of personal data are sufficient.
In this instance we requested the former employer to inform us of the policies it had in place regarding the security of client information in circumstances where an employee is moving to a new employment. We also requested to be provided with a copy of the data protection element of the contract of employment.
When providing this Office with a copy of the Confidentiality and Solicitation agreement signed by the former employee, the former employer also provided us with a copy of another letter sent to one of their clients by the former employee. The letter was dated 15 April, 2013 and was similar in nature to the letters sent to individuals in January 2013. However, on this occasion, the unsolicited correspondence made no reference to contacting the individual by telephone.
This information contradicted the confirmation we had received from the new employer in January 2013 that all data relating to the employee’s previous employment had been destroyed. On becoming aware of this development, this Office had no option but to have two of our Authorised Officers carry out a site inspection, as provided under Section 24 of the Acts, at the premises of the company. To assist with the site inspection, we requested the former employer to provide us with a copy of the client list of the former employee.
The purpose of the site visit by the Authorised Officers was twofold. Firstly to ascertain how it happened that a letter dated 15 April, 2013 issued to a client of the former employer, despite assurance from the new employer, in a letter dated 28 January, 2013 that all client data from their employee’s previous employment had been destroyed. Secondly to carry out a search of the company’s systems to satisfy ourselves that there was no further data in the company’s possession relating to the clients of the previous employer. Using the data provided by the original employer, the Inspection Team carried out a search on the computer systems for individuals’ names and addresses. The Inspection Team was satisfied that no further customer data remained.
We informed the new employer, on the morning of the site inspection, of our intention to visit his place of business that afternoon. We had not informed the new employer, prior to the site visit, of our knowledge of the letter dated 15 April, 2013. The new employer cooperated with the inspection.
Our investigation of the matter concluded on the basis of our receipt of written confirmation in May 2013 from the Managing Director of the new employer, stating that he fully accepted that breaches had occurred and outlining the actions his company was taking to prevent a recurrence. The Managing Director also confirmed that he personally oversaw the destruction of the data held by the employee.
This Office has noticed a significant increase in the number of data security breach notifications we are receiving in relation to this type of matter. We may first become aware of the matter via the receipt of a complaint from an individual relating to their receipt of unsolicited communications or from our receipt of a data security breach notification from the data controller. While there are obvious business related implications to such incidents, the focus of this Office’s investigation concerns the basic principles of data protection relating to security, fair obtaining and processing of personal data.
Client list taken by ex-employee to new employer
In January, 2013 we received a complaint from an individual in relation to receipt of unsolicited correspondence to her home address, from a company with whom she had no business relationship. The correspondence referred to the individual’s existing pension plan with another company and offered a review of the individual’s existing assets or advice concerning her future provision. The letter also indicated the sender’s intention to phone the recipient to discuss the matter further. The individual stated that she was annoyed and aggrieved that her personal and financial details were now in the hands of a company of which she had no knowledge.
The individual contacted the company with which she had set up her pension plan and they confirmed to her that the person who had sent her the unsolicited letter had left their employment in December 2011.
Section 2 of the Data Protection Acts, 1988 and 2003 (the Acts), provides that personal data shall be fairly obtained and processed and shall not be further processed without the prior consent of the individual concerned. We asked the new employer to confirm whether the employee had brought in data relating to clients that he obtained from his time working in his previous employment. We also asked the new employer to confirm what consent, in line with the Data Protection Acts, it had to process such data.
Our letter also informed the new employer that it should be aware that contacting an individual by phone, for the purposes of electronic direct marketing, without first receiving their consent, is an offence under Statutory Instrument No 336 of 2011.
The new employer confirmed that, having conducted its own internal investigation into the matter, approximately fifty former contacts of the employee had been written to. It stated that no follow-up phone calls were made. The new employer confirmed that any such data that the employee possessed had been destroyed and that no further attempts would be made to contact those individuals.
The complaint was resolved on an amicable basis when the company provided this Office with a letter of apology dated 28 January, 2013 to forward, on its behalf, to the individual concerned.
However, in early April 2013 this Office received a data security breach notification from the former employer informing us that another of its clients had reported receiving a letter from one of its former employees soliciting business. The nature of the letter, although addressed to a different client, was similar to the incident previously investigated by this Office in January 2013. The letter was dated 15 January 2013, thus predating the confirmation of 28 January from the new employer that the client data had been destroyed.
Our investigations of such instances are twofold. We contact the company responsible for sending the unsolicited correspondence and we also deal with the company responsible for the data, to determine whether the security procedures it has in place to protect against the unauthorised access and disclosure of personal data are sufficient.
In this instance we requested the former employer to inform us of the policies it had in place regarding the security of client information in circumstances where an employee is moving to a new employment. We also requested to be provided with a copy of the data protection element of the contract of employment.
When providing this Office with a copy of the Confidentiality and Solicitation agreement signed by the former employee, the former employer also provided us with a copy of another letter sent to one of their clients by the former employee. The letter was dated 15 April, 2013 and was similar in nature to the letters sent to individuals in January 2013. However, on this occasion, the unsolicited correspondence made no reference to contacting the individual by telephone.
This information contradicted the confirmation we had received from the new employer in January 2013 that all data relating to the employee’s previous employment had been destroyed. On becoming aware of this development, this Office had no option but to have two of our Authorised Officers carry out a site inspection, as provided under Section 24 of the Acts, at the premises of the company. To assist with the site inspection, we requested the former employer to provide us with a copy of the client list of the former employee.
The purpose of the site visit by the Authorised Officers was twofold. Firstly, to ascertain how a letter dated 15 April 2013 came to be issued to a client of the former employer, despite the assurance from the new employer, in a letter dated 28 January 2013, that all client data from its employee’s previous employment had been destroyed. Secondly, to carry out a search of the company’s systems to satisfy ourselves that no further data relating to the clients of the previous employer remained in the company’s possession. Using the client list provided by the original employer, the Inspection Team searched the computer systems for those individuals’ names and addresses. The Inspection Team was satisfied that no further customer data remained.
We informed the new employer, on the morning of the site inspection, of our intention to visit his place of business that afternoon. We had not informed the new employer, prior to the site visit, of our knowledge of the letter dated 15 April, 2013. The new employer cooperated with the inspection.
Our investigation of the matter concluded on the basis of our receipt of written confirmation in May 2013 from the Managing Director of the new employer, stating that he fully accepted that breaches had occurred and outlining the actions his company was taking to prevent a recurrence. The Managing Director also confirmed that he personally oversaw the destruction of the data held by the employee.
This Office has noticed a significant increase in the number of data security breach notifications we are receiving in relation to this type of matter. We may first become aware of the matter via the receipt of a complaint from an individual relating to their receipt of unsolicited communications or from our receipt of a data security breach notification from the data controller. While there are obvious business related implications to such incidents, the focus of this Office’s investigation concerns the basic principles of data protection relating to security, fair obtaining and processing of personal data.
Loss of photocopies of passports
In November 2013, a voluntary organisation that is involved with young people notified us of a data security breach relating to the loss by one of its local groups of photocopies of passports. The organisation informed us that one of its local groups had reported that a file containing photocopies of individual passports for 44 young people and leaders, and 38 Parental Consent forms, was lost or mislaid on the return journey from a trip abroad the previous August. We were informed that the Volunteer in charge only became aware of the loss of the documentation in November.
The three pronged approach from this Office when dealing with personal data security breaches is that we expect that the Data Controller,
1. Informs the affected individuals (including what information was disclosed)
2. Secures the data in question and,
3. Informs this Office of steps taken to reduce the risk of a similar incident reoccurring.
As the whereabouts of the documentation was unknown this prevented the data controller from securing the data.
The organisation confirmed that it was arranging immediately to contact the parents to advise them of the loss. As per the provision of the Code of Practice, this allows the individuals to consider the consequences for each of them individually and to take appropriate measures.
This Office queried why the organisation considered it necessary to hold photocopies of the passports. We informed the organisation that we did not consider the photocopying of passports to be best practice. The organisation confirmed that it too was questioning why passports were being photocopied and was investigating the extent of this practice within the organisation. It suggested that the passports had perhaps been photocopied as a precaution in case the originals were lost while abroad. We also informed the organisation that, even if it was in a position to provide a legitimate basis for photocopying the passports, the copies should have been destroyed once the trip abroad was over. That procedure would also have alerted the Volunteer to the loss of the documents much sooner.
The Personal Data Security Breach Code of Practice also provides that, in appropriate cases, data controllers should also notify organisations that may be in a position to assist in protecting data subjects. In this regard, this Office, for the benefit of our own understanding of the matter, contacted the Passport Office, Department of Foreign Affairs. The purpose of our communication with the Passport Office was to seek advice on the potential implications of the loss of a photocopy of a passport and whether this was an issue that should be reported to the Passport Office.
The Passport Office advised that there was a possibility that a photocopy of passport details, if it fell into the wrong hands, could be used to create a duplicate as a fraudulent document. The Passport Office advised that the affected passports could be put on the Department of Foreign Affairs “check list”. This Office understands that this involves the placing of a computer block that means when an individual reapplies for a passport, a double check is carried out on the application.
Our investigation of the data security breach concluded on receipt of confirmation from the organisation that it had written to all the parents advising them of what had been lost. The organisation also informed us that a parents meeting had been held. The organisation also confirmed that it had taken advice from the Department of Foreign Affairs and was preparing guidelines for its groups on the issue of the handling of passports.
This case demonstrates the basic principles of data protection in relation to data security and the requirements under the Data Protection Acts 1988 & 2003 (the Acts), for a data controller to have a clear purpose in relation to the obtaining and retention of personal data. In this instance it was not clear why the local group had photocopied the passports. The Acts provide that the data should be obtained only for one or more specified, explicit and legitimate purposes. The Acts also provide that the data shall not be kept for longer than is necessary for the purpose for which it was initially obtained.
Medical files sent to incorrect email address
The Office received a data security breach notification from a G.P. which reported that an email containing a patient file had been sent to an incorrect recipient. This was the result of a typographical error when entering the email address. The patient file was exported from the software system used by the G.P. and attached to the email. The data controller became aware of the matter when the intended recipient contacted the data controller advising that they had not received the email.
The data controller advised our Office that they had notified the affected individual of the matter.
As part of our investigation into the matter, we contacted the software supplier to determine how easy it would be for a third party to access a patient file exported from their system. The software company stated that only an individual with a registered copy of their software could open or access the patient file. The file would have to be imported into the software system to be read. Our Office asked whether there was any other software that could be used to open the file. We were advised that the file could not be opened in a legible format outside of their own software.
The data controller also advised our Office that, as a means of preventing the repeat of such an incident, it proposed that, where it was sending a patient file to another G.P., that the receiving G.P. must first send it an email requesting the patient file. The data controller can then reply directly to the email, ensuring the correct address is used.
The data controller also sought our advice on raising this issue in a public forum as a means of raising awareness of the dangers. We responded by stating we had no objections to such a course of action, provided that no personal data was disclosed.
As our Office was advised by the software company that the email could not be accessed by the recipient, we recorded the matter as a non-breach.
This issue highlights the necessity of sending sensitive data, such as medical data, via a secure means. It shows how easily an email can be issued to an incorrect recipient and how, without some means of securing the data contained within the email, that data could be disclosed to an unauthorised party.
Case Study 18: Computer affected by Ransomware
Our Office received a notification from a Medical Practitioner that their computer system had been compromised by Ransomware.
Ransomware is a malicious file which is designed to extort money from a user by disabling their computer or encrypting files stored on the computer. The user is then informed that they must pay to have the files restored. There is a risk that after paying the “ransom”, the user will not regain control of their system.
The data controller notified the Office that they were unable to access their computer system, due to the Ransomware that had been installed on their systems. This meant that they were unable to access their patient files. They also advised the Office that they had received a demand for €5,000 in return for the re-instatement of the data. The data controller stated that they had informed An Garda Síochána and had not paid the ransom.
The data controller, on discovering the issue, alerted their IT service provider. After an initial investigation, a third party IT service provider was also employed to help recover the data. During this process, the data controller discovered that backup data for the previous five months had also been compromised. The data controller had therefore lost all patient data obtained in the previous five months.
Our Office contacted the data controller and asked that we speak directly to the IT service provider to determine how the backup tapes going back over a period of five months had been compromised. The IT service provider informed us that there were two separate backup facilities in place. Firstly, there was an on-site hard drive device that was written to each night. Secondly, there was a system of backup tapes in place, which were then stored off-site.
The on-site hard drive had been affected by the Ransomware software. However, it was discovered that the backup media tape system had not actually been recording, but there were no alerts issued by the backup software to identify an issue.
We sought assurance from the IT service provider that the data had not been exported by the Ransomware. The IT service provider stated it had found no evidence to suggest that the data had been taken from the data controller.
It was noted that the data controller had a basic firewall in place and an up-to-date anti-virus system. The data controller had also set aside a budget for an upgrade to their computer systems to take place later in the year.
The data controller informed this Office that it was preparing to notify all its patients. We recommended that the notification be directed to those individuals for whom records had been compromised. Any patients who had not attended the practice since the last viable backup tape was created were not affected by the security breach as their records were not compromised.
It was clear that the data controller had installed systems to protect the data under its control and was planning on upgrading the systems. However, it is imperative that, when systems are implemented, they are checked on a regular basis to ensure they are operating correctly.
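The failure in this case was not the absence of a backup but a backup job that appeared to run while recording nothing, with no alert raised until the data was needed. The check below is an added example, not part of the case study or of any product named in it; it parses a constructed backup job log, treats a run as usable only if it wrote data and passed restore verification, alerts on jobs that have no such run within policy, and computes the recovery point that would remain once the on-site copy is encrypted alongside the production system. The log format, job names and policy windows are all assumptions made for the example.

```python
"""Backup health check: detect silently failing backup jobs.

Added example, not part of the case study. It models the failure mode
described above: a backup job that keeps "running" without recording any
data, and no alert is raised until the data is needed. All log lines,
job names and policy values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample of a backup job log (one line per run).
# The tape job reports status=OK every week but writes zero bytes and never
# verifies; the nightly disk job is healthy but sits on the same host.
SAMPLE_LOG = """\
2016-03-01T02:00:05 job=disk-nightly target=onsite-disk status=OK bytes=52428800 verify=pass
2016-03-01T03:00:10 job=tape-weekly target=offsite-tape status=OK bytes=0 verify=skipped
2016-03-08T03:00:12 job=tape-weekly target=offsite-tape status=OK bytes=0 verify=skipped
2016-03-15T03:00:09 job=tape-weekly target=offsite-tape status=OK bytes=0 verify=skipped
2016-03-16T02:00:07 job=disk-nightly target=onsite-disk status=OK bytes=52690944 verify=pass
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\S+) target=(?P<target>\S+) "
    r"status=(?P<status>\S+) bytes=(?P<bytes>\d+) verify=(?P<verify>\S+)$"
)


@dataclass
class Run:
    ts: datetime
    job: str
    target: str
    status: str
    nbytes: int
    verify: str


def parse_log(text):
    """Parse the constructed log format into Run records; malformed lines are skipped."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        runs.append(Run(datetime.fromisoformat(m["ts"]), m["job"], m["target"],
                        m["status"], int(m["bytes"]), m["verify"]))
    return runs


def is_usable(run):
    """A backup counts only if it completed, wrote data and passed a restore test.
    status=OK with bytes=0 is exactly the 'not actually recording' case."""
    return run.status == "OK" and run.nbytes > 0 and run.verify == "pass"


def last_good_run(runs, job):
    """Latest usable run of `job`, or None if the job has never produced one."""
    good = [r for r in runs if r.job == job and is_usable(r)]
    return max(good, key=lambda r: r.ts) if good else None


def check_backups(runs, now, policy):
    """policy maps job name -> maximum acceptable age of the last usable run.
    Returns a list of (job, finding) alerts; an empty list means all jobs are within policy."""
    alerts = []
    for job, max_age in policy.items():
        good = last_good_run(runs, job)
        if good is None:
            alerts.append((job, "no verified backup with data has ever completed"))
        elif now - good.ts > max_age:
            age_days = (now - good.ts).days
            alerts.append((job, f"last verified backup is {age_days} days old"))
    return alerts


def recovery_point(runs, compromised_targets):
    """Latest usable backup held on media NOT in `compromised_targets`.
    Returns None when nothing restorable remains, which is the outcome in
    the case above once the on-site disk is encrypted and the tapes are empty."""
    usable = [r for r in runs if r.target not in compromised_targets and is_usable(r)]
    return max(usable, key=lambda r: r.ts) if usable else None


if __name__ == "__main__":
    runs = parse_log(SAMPLE_LOG)
    now = datetime(2016, 3, 17)
    policy = {"disk-nightly": timedelta(days=2), "tape-weekly": timedelta(days=10)}
    for job, finding in check_backups(runs, now, policy):
        print(f"ALERT {job}: {finding}")
    rp = recovery_point(runs, {"onsite-disk"})
    print("recovery point with on-site disk lost:", rp.ts if rp else "NONE - data unrecoverable")
```

The same alert logic belongs in monitoring, not in a script run by hand after an incident: the point of the case is that a job reporting success is not evidence that a restorable copy exists.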
Customer had on-line access to third party telephone bill details
The Office received a breach notification from a telecommunications provider notifying us of a personal data security breach under the provisions of Commission Regulation (EU) No 611/2013.
This Regulation imposes a legal obligation on providers of publicly available electronic communications networks or services to notify this Office of a personal data security breach, no later than 24 hours after the detection of the breach, where feasible.
The Service Provider informed us that one of its customers, who was a member of an organisation, while reviewing his telephone bill via the Provider’s on-line facility, noticed that he had access to the details of bills of over 400 other members of the same organisation. On becoming aware of the incident, the Service Provider quickly removed a shared billing code that linked a limited number of accounts related to members of the organisation on the Service Provider’s billing system.
The Service Provider informed us that it was able to confirm from the customer’s log-in details that he had access only to customers’ name, surname, mobile number and six months call records. We were informed that the customer did not have access to the individuals’ financial details or address details.
The root cause of the incident was identified as being a customer service agent applying a shared billing code via the administration systems. We were informed that the agent incorrectly set up the shared billing code resulting in the accounts being linked in error and making the individual who accessed the data the master account holder.
The Service Provider confirmed that it was informing all individuals affected by the incident. The Service Provider also informed the individuals that the matter had been rectified and had ensured that a similar incident would not occur again.
This case demonstrates how the speed at which a breach is identified and dealt with may assist in minimising the overall security risk of the breach. Informing the affected individuals of the matter permits them to consider the consequences for each of them individually and to take appropriate measures as they see fit. The reporting of the matter to us by Data Controllers as speedily as possible, as per the above legislation, also assists in our role of trying to improve compliance with Data Protection legislation.
O2 – Missing media tape
Under the requirements of S.I. 336 of 2011, O2 notified the Office of a data security breach involving a missing backup media tape in July. O2 stated that the tape had been identified as missing by its service provider, IBM, in February. IBM had conducted searches for the missing backup media tape but was unable to locate the tape and notified O2 of the matter in May. In their notification to this Office, O2 stated that the data held on the media tape could only be accessed using the same technical equipment utilised to create the tape, which would cost in excess of €600,000.
We investigated this claim and found evidence contrary to the claim of O2. We then informed O2 of our findings, requested details of the type of data held on the backup media tape, and informed O2 of the need to notify affected individuals. O2 reverted stating that the backup media tape was created in August 2011 and it no longer held records as to what was held on the media tape. It was therefore not in a position to identify the type of data held on the tape and the affected individuals.
We also sought an explanation as to the delay in notifying our Office of the data security breach. Under the obligations imposed by S.I. 336 of 2011, telecommunications companies and ISPs are required to notify both this Office and affected individuals without undue delay. O2 explained that they had not been notified by their service provider of the data security breach until 3 months after the issue was identified. The service provider during this time was carrying out searches for the missing media tape and analysing the potential issues. We informed O2 that this delay was unacceptable.
O2, as part of their report to the Office, provided two separate external forensic analysis reports on the backup media. Both of these reports examined the possibility of a third party gaining access to the data held on the missing media tape. Both reports stated that the data could not be accessed by an individual without access to proper equipment and technical expertise. O2 therefore argued that the data on the media was unintelligible, given the requirements to access the data.
However, this Office pointed out that both external reports supplied by O2 did note that the data could be accessed by a third party with sufficient resources. As the data was potentially accessible, Regulation 4(6)(b) of S.I. 336 of 2011 applied, requiring notification of affected individuals. The appropriate standard to be applied is not whether a member of the public could access the data, but whether the data could be accessed at all.
Whilst O2 disagreed with the views and interpretation of this Office, they agreed, as a matter of goodwill, but without any acknowledgement of liability or failure under the Data Protection Acts or S.I. 336, to make a charitable donation and notify customers of the matter. As O2 were unable to identify specifically affected individuals, it was agreed that they would make a public announcement of the matter, via their website and press release. This announcement was made in early December. O2, as a gesture of goodwill, also made a charitable donation of €50,000 to Headstrong, a non-profit organisation supporting young people’s mental health.
To ensure that this type of data security breach did not occur again, O2 had undertaken a number of steps, including improved security and controls regarding the storage of media tapes. The Office also made a number of recommendations to O2, including the encryption of its backup media and that the contract between O2 and its third party service providers be amended to include a requirement for immediate notification of any potential data security breaches.
Stolen Laptops – Phone Companies Prosecuted For Loss of Personal Data
In the first prosecution case of its kind in Ireland, two telecommunications companies, Eircom and Meteor, appeared in the Dublin District Court in September 2012 to face charges relating to the loss of customer personal data which was stored on two unencrypted laptops, which had been stolen several months previously.
Background
A data breach report was received by this Office on 2 February 2012 from Eircom and Meteor. Regulation 4(6) of SI 336 of 2011 obliges telecommunications companies to notify the Data Protection Commissioner of personal data breaches without undue delay. This Regulation also obliges telecommunications companies to notify affected individuals of a data breach where the said breach is likely to adversely affect their personal data or privacy. The breach report informed us that two unencrypted laptops had been stolen from Eircom’s offices at Parkwest in Dublin between 28 December, 2011 and 2 January, 2012.
The report confirmed that the stolen laptops contained information relating to customers, including personal data. It indicated that the number of affected customers was 454 in the case of Meteor and 6,597 in the case of eMobile. The theft of the laptops was discovered on 3 January, 2012 and the matter was reported to the Gardai (national police force) on 4 January, 2012. The breach report was made thirty days after the laptops were reported as stolen. An updated breach report was submitted on 15 March, 2012. This followed intensive contact between ourselves and Eircom/Meteor, including two meetings on site. The report indicated that, following a second phase of internal investigation, it was found that the number of affected customers was greater than previously reported. The revised figures were 3,944 Meteor customers and 6,295 eMobile customers.
Eircom (trading as eMobile)
6,295 eMobile customers were affected by the data breach. In relation to 142 of these cases, the personal data in question was in the form of customer application forms including proof of identity (e.g. copy of passport, driving licence, national identification, bank account/credit card details, financial statements and utility bills).
The other 6,153 cases contained details such as name, address, telephone and account number. The process of Eircom notifying its affected customers by letter began on 10 February 2012 (38 days after the laptops were reported stolen). A large number of affected customers were notified for the first time on 20 March, 2012 (77 days after the laptops were reported stolen). Letters included an apology to customers for the loss of their personal data. At our request, Eircom notified the banks of the breach via the Irish Banking Federation on 9 February, 2012.
Meteor
3,944 Meteor customers were affected by the data breach. In relation to approximately 1,244 of these cases the personal data in question was in the form of proof of identity documents (e.g. copy of passport, driving licence, national identification, bank account/credit card details, financial statements and utility bills). The other approximately 2,700 cases contained details such as name, address, telephone and account number. The process of Meteor notifying its affected customers by letter began on 10 February 2012 (38 days after the laptops were reported stolen). An update of the 10 February, 2012 letter was issued on 20 March, 2012. A large number of affected customers were notified for the first time on 16 March, 2012 (73 days after the laptops were reported stolen). Letters included an apology to customers for the loss of their personal data. At our request, Meteor notified the banks of the breach via the Irish Banking Federation on 9 February, 2012.
Data Security
In relation to the electronic communications services sector, Regulation 4(1) of SI 336 of 2011 places an obligation on providers to take appropriate technical and organisational measures to safeguard the security of their services. Regulation 4(2) details some requirements specific to the electronic communications services sector. It provides that the measures to ensure the level of security shall at least ensure that personal data can be accessed only by authorised personnel for legally authorised purposes, protect personal data stored or transmitted from access or disclosure and ensure the implementation of a security policy with respect to the processing of personal data. We published a comprehensive guidance note on data security on our website in August, 2010.
This included guidance to the effect that encryption is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network. Encryption is the method of converting data from a readable format to an unreadable or unintelligible format so that unauthorised persons are unable to access the data. On a portable device such as a laptop, encrypting data is a method of securing the data to protect it from access by unauthorised persons in the event that the device on which the data is stored comes into the possession of unauthorised persons.
Following this breach, the Eircom Group identified approximately 160 laptops which were not encrypted. All unencrypted laptops were encrypted by 24 February, 2012.
Breach Notification
This Office considers that data breaches of this nature should normally be reported to us within two working days of the data controller becoming aware of the incident. This has been our stated position since a data security breach Code of Practice was published in July 2010. Once we are notified of a breach we can quickly advise the data controller of what steps to take, what areas to focus on, how best to notify affected parties quickly, whether other bodies such as banks need to be informed of the breach, etc. Notification of a data breach to affected individuals quickly is also critical and essential as it allows them to take remedial action to protect themselves and their identities – particularly in cases where financial and identification documentation is stolen.
Court Hearing
At the Dublin District Court on 10 September, 2012, guilty pleas were entered on behalf of each defendant, Eircom and Meteor, in relation to three charges each in respect of offences under Regulation 4(1), Regulation 4(6)(a) and Regulation 4(6)(b) of SI 336 of 2011. These charges related to the failure to protect the personal data on the laptops by means of encryption, the failure to notify the Data Protection Commissioner of the data breach without undue delay and the failure to notify the affected customers of the data breach without undue delay.
After hearing the prosecution evidence, the Court was satisfied that the prosecution case was proven. The Court applied Section 1(1) of the Probation of Offenders Act, conditional upon a charitable donation of €15,000 being made by each Defendant to charities nominated by the Court – the Laura Lynn Foundation in the case of Eircom and Pieta House in the case of Meteor. This Office also recovered from the defendants the legal costs arising from the prosecution.
Credit unions transmitting personal data via unsecured e-mails
I received complaints from two individuals concerning e-mails they had received from two credit unions confirming details about online access to their accounts.
My Office contacted both credit unions for their views on the matter. It transpired that both credit unions were using the same third party vendor to supply their online account facilities.
When a customer registered to use the online facility, they received a confirmation e-mail that contained details about their account, including username, account number and password. A separate letter was sent to their home giving them a PIN which would allow them to get online access to their credit union account.
Section 2(1)(d) of the Acts requires that adequate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network. My Office entered into discussions with the third party vendor to address this issue.
The vendor’s initial concern was that when people registered, they would not remember their account details when they went to log on to the system at a future date and for this reason they were e-mailing the account details to the customers. As a solution, my Office proposed that when a customer was registering they should be encouraged to print off or otherwise record the details. This would eliminate the need to have confidential information transmitted to them via an unsecured e-mail.
The third party vendor agreed to change its systems to reflect this and to inform all of its clients that it was changing its systems for security reasons.
My Office was also concerned that one of the credit unions was using a free web-based e-mail service as a method of communicating with its customers. My Office took the view that this mode of communication was not adequately secure because the data controller could not adequately control access to the contents of such an e-mail account. The data controller had no record of access to the e-mails, even within their own organisation. My Office instructed the credit union concerned to stop using the free web-based e-mail account as a method of contacting customers. The credit union responded promptly and changed its e-mail to a more secure system.
This case highlights the need for all data controllers to be aware of the need for appropriate security when processing personal data. If there is a weakness in security, the matter needs to be addressed and a more secure method of providing the service must be established. Although I understand that the purpose of credit unions is to provide services to the community in a cost effective manner, this does not in any way exempt them from ensuring that appropriate steps
Failure to properly safeguard a staff member’s medical certificate
My Office received a complaint from a solicitor on behalf of a data subject whose personal information, contained in a medical certificate, had been accessed in an unauthorised manner while in the possession of her employer.
The data subject was employed by a catering company that had a contract to provide services to the Defence Forces. It was brought to her attention by a member of the Defence Forces that her medical certificate was displayed on a notice board in the office of a Unit Manager in the catering company. This office was shared with a member of the Defence Forces.
Upon receipt of the complaint, my Office contacted the catering company and requested that the medical certificate be removed from the notice board immediately. We also advised the company that a medical certificate, which reveals the health status of a person, is sensitive personal data under the Data Protection Acts. We informed them that, from the information supplied by the data subject, it appeared likely that appropriate security measures were not in place to prevent unauthorised access to the medical certificate.
My Office received a response from the catering company outlining the findings of its investigation into the alleged breach. It explained that the Unit Manager placed the certificate on her personal notice board which hangs directly behind her desk. It was not on view at any time. It was placed behind a number of other documents on the notice board. It alleged that the third party who had accessed the certificate had entered the office without permission and would have had to deliberately seek the certificate. The company informed my Office that it takes its obligations under the Data Protection Acts very seriously and that all personal data relating to employees at any unit is the responsibility of the Unit Manager. Such data is to be held securely in locked cabinets unless required by another department within the business. The company also informed my Office that steps had been taken to remind all managers of their duties when dealing with confidential data.
The main concern for my Office was that the certificate was placed on a notice board in an unlocked office and it was clear that the Unit Manager did not adhere to the company’s security procedures when handling the data subject’s medical certificate. Under Section 10 of the Acts I am mandated to seek an amicable resolution of complaints. To this end my Office requested that the company submit proposals to help achieve an amicable resolution. The company subsequently proposed to make a donation to a charity of the data subject’s choice and it agreed to send a letter of apology to the data subject. The data subject, through her solicitor, accepted this proposal as an amicable resolution of her complaint.
This case demonstrates well the care which data controllers must exercise in the processing of all personal data in their possession, especially sensitive personal data.
Member of staff at Revenue accessing and using personal data of a taxpayer
In January 2007, I received a complaint from a data subject who claimed to have been harassed by the receipt of a large number of anonymous text messages on her mobile phone. Among other things, the text messages referred to various details of personal information related to the data subject and personal information of some of her family members. Prior to referring the matter to my Office, the data subject informed me that she had made a complaint to An Garda Síochána about this matter. She claimed that the Gardaí traced the sender’s number to a particular person to whom she had once been introduced very briefly. The data subject alleged that the sender, who was employed by the Revenue Commissioners, had obtained her personal information and that of her family members by accessing personal files held by the Revenue Commissioners.
My Office began an investigation of this complaint by contacting the Revenue Commissioners. We asked that the audit trail of the relevant files of the individuals concerned be examined to determine if they had been accessed by any staff member who did not have a legitimate business reason for doing so.
Following a prolonged examination, the Revenue Commissioners confirmed in June 2007 that it had been ascertained that one of its officers had accessed the records of the data subject and members of her family during the period November 2006 to February 2007, that such access was not part of the officer’s official duties and that it would appear that information gained from this access was passed to third parties unknown. The Revenue Commissioners stated that the matter was being dealt with by its Personnel Branch under the Civil Service Disciplinary Code. It went on to state that it was seriously concerned about any instances of unauthorised access by its staff to taxpayer data held on its computer systems and that appropriate disciplinary action had been taken and would continue to be taken in individual cases.
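The audit trail review described above, as an added example that is not part of the original case study: it takes constructed audit-trail lines and a constructed case-assignment table and reports accesses to a data subject's and her family's records by officers who had no assigned case covering them. Officer identifiers, record numbers and log lines are all constructed for illustration.

```python
"""Review of an audit trail for accesses with no legitimate business reason.

Added example: models the check the Office asked the Revenue Commissioners to
perform -- examine the audit trail of the data subject's and her family's records
and report any staff member who accessed them without a work-related reason.
All identifiers, record numbers and log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    officer: str
    record: str     # taxpayer record identifier (constructed)
    action: str     # e.g. "VIEW", "UPDATE"


def parse_audit_line(line: str) -> AccessEvent:
    """Parse one constructed audit line: 'YYYY-MM-DDTHH:MM|officer|record|action'."""
    ts, officer, record, action = line.strip().split("|")
    return AccessEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M"), officer, record, action)


def unassigned_accesses(events, assignments):
    """Return the events where the officer had no assigned case covering the record.

    `assignments` maps officer -> set of record identifiers the officer is
    legitimately working on (a constructed stand-in for a case-management system).
    """
    return [e for e in events if e.record not in assignments.get(e.officer, set())]


def household_summary(flagged, households):
    """Group unassigned accesses per officer: which records, how many members of
    each household (data subject plus family) were touched, and over what period.

    `households` maps a household label -> set of record identifiers.
    """
    record_to_household = {r: h for h, recs in households.items() for r in recs}
    summary = defaultdict(lambda: {"records": set(), "households": defaultdict(set),
                                   "first": None, "last": None})
    for e in flagged:
        s = summary[e.officer]
        s["records"].add(e.record)
        hh = record_to_household.get(e.record)
        if hh is not None:
            s["households"][hh].add(e.record)
        s["first"] = e.when if s["first"] is None else min(s["first"], e.when)
        s["last"] = e.when if s["last"] is None else max(s["last"], e.when)
    return dict(summary)


def officers_touching_whole_households(summary, min_members=2):
    """Officers whose unassigned accesses reached `min_members` or more records of
    a single household -- the pattern in this case (the subject and her family)."""
    return sorted(officer for officer, s in summary.items()
                  if any(len(m) >= min_members for m in s["households"].values()))


# Constructed sample data: assignments, one household, and an audit extract
ASSIGNMENTS = {
    "officer_A": {"TR-1001", "TR-1002"},   # legitimately working these records
    "officer_B": {"TR-2001"},
}
HOUSEHOLDS = {
    "household_X": {"TR-1001", "TR-1003", "TR-1004"},  # subject and two relatives
}
SAMPLE_AUDIT = """\
2006-11-14T09:12|officer_A|TR-1001|VIEW
2006-11-14T09:40|officer_A|TR-1002|UPDATE
2006-11-20T17:55|officer_B|TR-1001|VIEW
2006-12-02T18:10|officer_B|TR-1003|VIEW
2007-01-15T08:05|officer_B|TR-2001|VIEW
2007-02-03T18:30|officer_B|TR-1004|VIEW
"""


def review(audit_text=SAMPLE_AUDIT, assignments=ASSIGNMENTS, households=HOUSEHOLDS):
    """Run the full check; returns (flagged events, per-officer summary, suspects)."""
    events = [parse_audit_line(line) for line in audit_text.splitlines() if line.strip()]
    flagged = unassigned_accesses(events, assignments)
    summary = household_summary(flagged, households)
    return flagged, summary, officers_touching_whole_households(summary)


if __name__ == "__main__":
    flagged, summary, suspects = review()
    for officer in suspects:
        s = summary[officer]
        print(f"{officer}: {len(s['records'])} records outside assigned cases, "
              f"{s['first']:%Y-%m-%d} to {s['last']:%Y-%m-%d}")
```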
Some time later, the Revenue Commissioners issued a letter to the data subject in which it acknowledged that her records and those of her family had been accessed by one of its officers and that the access was not part of the officer’s official duties. The letter sincerely apologised to the data subject for the inappropriate accessing of her records and those of members of her family and it expressed deep regret that this occurred.
I regard this case as a very serious matter. A large amount of personal information is entrusted to the Office of the Revenue Commissioners which has a responsibility to ensure that it is kept safe and secure. A minimum standard of security for such information would include, among other things, that access was restricted to authorised staff on a ‘need to know’ basis. In this case, it emerged that the staff member who accessed the information had no legitimate business in doing so. That staff member abused a position of trust and proceeded to access and use personal information unlawfully. I will await with keen interest the outcome of the disciplinary proceedings which the Revenue Commissioners have commenced under the Civil Service Disciplinary Code in connection with this matter.
Visa application details accidentally put on website of Department of Justice, Equality and Law Reform
A journalist contacted my office with urgent concerns regarding the publication on a website of personal details of visa applicants. I investigated the matter and found that the personal data of visa applicants had been displayed by the Immigration & Citizenship Division of the Department of Justice, Equality & Law Reform on the Department’s website on 6 February, 2003. It appeared that through an unfortunate and accidental breach in operating procedures visa decisions for 506 applicants were posted live on the website with the inadvertent inclusion of the applicants’ name and nationality. The data had accidentally been visible on the website for about two hours, but as soon as the error was noticed the details were deleted.
This situation arose as a result of a decision to revise and improve the visa process. It was considered of benefit to place non-personal visa decision information on the website as it would be of merit to staff and visa applicants to have 24 hour easily accessible information available on the website which would reduce the need for applicants to contact the section. It had been agreed that no personal details would be shown; the only information to be posted would be the visa application number, the decision and, where an application was refused, the reason for the refusal.
Due to an operational oversight, the personal details were included contrary to the Department’s intention. Accordingly, this was a contravention of Section 2(1)(c) of the Acts, being an incompatible disclosure of personal data. The security measures in place were inadequate and constituted a contravention of Section 2(1)(d) of the Acts.
I note and appreciate that this accidental and unfortunate action was a once off which was swiftly resolved by the immediate action taken by Immigration & Citizenship Division. Nevertheless inappropriate disclosure took place for a short period. I was assured that new procedures were put in place for any future postings on the website which would avoid a recurrence of this incident. I commend the Division for its response.
On a more general level I would strongly advise all data controllers to take special care when it is proposed to place personal data on a website. Even where there is legislation providing that information must be made available to the public, this need not always mean that it is appropriate to place such information on a website. Consideration must be given to the balance required between the right of the public to certain information and the right of the individual to privacy. Sometimes it may be appropriate to inform the public by means of information on a website, without disclosing personal details. These rights have to be balanced, and I would encourage data controllers to have procedures in place to ensure that adequate consideration is given to these matters. Furthermore, security procedures must be adequate and staff must be aware of and implement them so as to avoid the occurrence of a situation as described in this case study.
Details of other bank account holders of the same name supplied in response to access request – inadequate response to customer – security procedures – lack of awareness at branch level of data protection
An individual complained to my Office in relation to her bank account as she was concerned about the accuracy and security of the information held and the potential disclosure of her details to other account holders, as there appeared to be confusion regarding her account and that of another account holder of the same name. She informed me that though she had complained to the institution concerned she had encountered difficulty in having the matter resolved. She was advised by my Office to make an access request, under section 4 of the Act, to this major banking group in order to establish what personal data was held about her on computer.
The bank’s initial response to her access request comprised a copy of her data from the particular branch to which she had sent the request, and advised that if she wished to obtain personal details from other areas of the bank, she should write to the offices concerned, enclosing a separate fee with each request. It included a listing of the Bank’s registrations relating to the Public Register of data controllers that is held in my Office.
It then transpired that her personal details as supplied by the Bank contained a number of inaccuracies, viz. accounts at two other locations, neither of which related to her personally; the date of opening of the account, her marital status, her occupation and credit card details were incorrect; details showed her as having a mortgage which was not the case. She had obtained this information by supplying to her branch in Dublin her name, address and ATM card number only. She was justifiably concerned that her data and that of other customers was being inappropriately disclosed and not kept in a secure manner.
My Office contacted the bank but the investigation encountered considerable difficulty in obtaining an adequate response, as there did not appear to be anybody designated with responsibility to co-ordinate the provision of information in response to the access request. There also appeared to be then a distinct lack of awareness and appreciation of data protection requirements amongst management and staff. Eventually, my Office contacted the Group Compliance Officer. Later my Office was informed that
“Our processing system endeavours to match customers across branches to highlight their entire relationship with the Bank. An error occurred in our system, either human or technical, whereby the customer’s account number was matched to an account in the name of (same customer name) in two other (named) branches, even though they did not meet the required matching criteria. The accounts in both these branches had different account numbers. This was an unfortunate error that should not have happened. We have amended the process with regard to matching customers’ accounts whereby the criteria for matching has been expanded considerably”.
I concluded that important bank account details were not maintained in an accurate and up-to-date fashion and this was highly unsatisfactory from a data protection perspective. It also raised questions about the security of customers’ accounts and improper disclosure of data. I noted the bank’s commitment to expand considerably the criteria for matching, which should ensure that a recurrence of this incident is avoided. I also noted that the Bank was now very much aware of its responsibilities regarding the protection of personal data.
I informed the bank also that many data subjects making access requests might not necessarily be familiar with the requirements of the Act.
Accordingly, I suggested that data subjects be advised in plain language of the procedures in operation for accessing their data in other branches of the organisation as I considered that improvements were necessary in the letter that issued to the complainant.
In general I receive great co-operation from the main financial institutions. While this was a very serious case I trust it was an isolated incident.
Employee performance ratings disclosed to other staff – inadequate security
I received a letter of complaint from a number of employees within a particular company. It appeared that the company had created a computer file setting out performance assessment reports for individual members of staff. The file – of which staff members had been unaware – was accessible throughout the company to a wide range of line managers, including managers who had no role in relation to the staff members in question. The employees were concerned that their data protection rights had been infringed by the unnecessarily widespread dissemination of confidential personnel details, and they asked me to investigate the matter.
On raising the issue with the company, it was explained that the line manager of a particular unit had created a file, setting out performance ratings for staff under his supervision. However, the “access permissions” on this file had inadvertently been set to allow numerous people outside of his management team to read it. A staff member who noticed this problem had brought it to the attention of management, and the file in question was destroyed. The company had also arranged for a formal investigation into the matter, which had concluded that there had been –
a failure to adequately protect and secure sensitive information held on the staff within the particular business unit
insufficient detailed knowledge by managers of the security environment in which the data were held
a failure by the staff member who initially discovered the file to alert the appropriate manager to its existence, as required under various HQ policies and the unit’s own confidentiality statement
subsequent failures by some staff members to prevent ongoing disclosure of the contents of the file.
The company accepted these findings and that a breach of the Data Protection Act, 1988 had occurred in this incident. They acknowledged the need to address these issues, and had put in place the following measures –
an immediate training programme in IT security for all managers and staff, together with regular refresher programmes
all remaining hard- and soft-copies of the file in question to be destroyed as a matter of the utmost urgency, with all company systems swept to confirm this
HQ policies on security should be reissued to all managers and staff
standards for holding sensitive data, both personal and commercial, to be reviewed and published.
As regards my own findings, I accepted that, in an employment context, staff members may not automatically have the option of objecting to their data being used for appraisal purposes – this would naturally depend on conditions of employment and industrial relations norms. However, I concluded that staff should be made fully aware of new appraisal initiatives which involve the use of their personal data, if the ‘fair obtaining’ requirements of section 2(1)(a) of the Act were to be respected. The performance appraisal file in this case had not met these standards, and so its creation entailed a contravention of the Act.
I also confirmed that the failure to implement appropriate access restrictions contravened the security requirements of the Act (section 2(1)(d)), and that the resulting dissemination of the file to other unauthorised staff members amounted to an incompatible disclosure of the personal data (contrary to section 2(1)(c)(ii) of the Act).
However I was pleased to note that the Company had taken immediate and appropriate steps to address the issues involved in this case, particularly in terms of ensuring that appropriate security measures are in place and improving awareness of staff and management regarding the importance of adhering to correct procedures. I believe that this case is a useful reminder of the need for appropriate internal security measures – both as regards the pitfalls, and as regards the correct way to address any deficiencies that are identified. This issue now takes on an added importance with the implementation in Ireland, from 1 April 2002, of the revised security provisions introduced in the European Communities (Data Protection) Regulations, 2001, which have transposed certain provisions of the European Data Protection Directive into Irish law.
Financial institution – Laser card – printing of home address on receipts – incompatible disclosure – adequate security
An individual wrote to me expressing his concern that when using his Laser card – a type of debit card that can be used in shops for cashless transactions – his home address was printed on the receipt slip. Since retailers keep a copy of the receipt slip, the individual felt that his private details were being disclosed unnecessarily by his financial institution, which was responsible for the Laser card.
My Office raised this matter with the financial institution, which responded promptly. The institution indicated that it had itself received a small number of similar complaints from customers. The institution explained that Laser cards issued after October 1999 included the customer’s home address details in the magnetic stripe. However, these details were only supposed to be read by automated lodgement machines, arising from a legal requirement that a receipt – including the address – could be issued to customers using this service. The address details were not supposed to be readable by ordinary point-of-sale (POS) terminals found in shops.
Investigation by the institution revealed that some POS terminals had had their software upgraded to a new version, with the unintended result that the address details were read by the terminal and printed on the receipt. Having established the cause of the matter, the financial institution took the following steps:
Address details were omitted from new Laser cards, in cases where the cardholder did not need to avail of the lodgement facility. In other cases, technical steps were taken to ensure that the address details on new Laser cards could not be printed by POS terminals.
The Laser cardholders affected by this problem were identified, and a roll-out of replacement Laser cards was initiated.
The institution took steps to ensure that, whenever the POS terminal software was upgraded in future, it was made aware of this, so that any possible impact on existing Laser cards could be considered.
I considered these steps to be an appropriate response by the financial institution. The important point to emerge from this case is that personal data, stored in debit cards, credit cards, and indeed in any type of card using a magnetic stripe or similar storage mechanism, should be kept secure from inappropriate disclosure, in accordance with the requirements of section 2(1)(d) of the Data Protection Act.
Life insurance company – retention by ex-employee of customer data – unauthorised access – obligation to take appropriate security measures
The complainant was a long-standing customer of a particular life insurance company. One of the company’s representatives, who had in the past been dealing with the customer’s affairs, left the company to join a different company in the same line of business. He subsequently called to the complainant and asked her if she would like to transfer her policies to the company he now represented, or take out new policies with this company. The complainant said that she did not have documents relating to her existing policies to hand. At this, the representative opened his laptop computer and accessed details of her existing policy, notwithstanding the fact that he now represented an entirely different insurance company.
The customer was very unhappy that confidential personal data relating to her insurance were still available to an ex-employee of her insurer who now worked for a competitor. She took the matter up with her insurer but was not satisfied that the breach of confidentiality was treated with the seriousness it deserved. She then wrote to me to complain about the matter.
Section 2(1)(d) of the Data Protection Act, 1988, provides that –
Appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of [personal data] and against their accidental loss or destruction.
I wrote to the complainant’s insurer and asked them to comment on the case in the light of this provision. I also asked the company to provide further details on the background to the case and to outline its security arrangements.
The company responded by explaining that the nature of its business (with a direct sales force operating at locations nation-wide) required that the company’s field representatives should have access to client information on laptop computers. Representatives were under clear instructions that, if they left the company’s employment, they should return all company records and documents to their immediate supervisor. Supervisors were under instruction to ensure that this happened. The company said that in the case of the former employee involved in this case, these procedures had not been complied with. Numerous attempts had been made to recover the laptop and the client data from the former employee. However he did not return phone calls or meet with company officials. Attempts to recover the client data were ongoing, according to the company, at the time of the events giving rise to the complaint.
With regard to the requirement to keep personal data secure, the company said that it had put new procedures in place, so that client data would automatically be erased from laptop computers every six weeks, unless a representative’s authorisation was renewed. When these matters were explained by my Office to the complainant, she was reassured that the company was now taking its data protection obligations as regards security seriously and that, accordingly, breaches of confidentiality of the kind she had encountered were unlikely to recur.
In my view, this case illustrates the need for data controllers to have firm and enforceable procedures in place to ensure that they do not lose control of personal data, for which they are legally responsible, on the departure of any of their employees. Provision for the automatic deletion of records, of the kind now put in place by the company, may have a useful part to play in such arrangements.
Employee data – appropriate security measures – disclosure
A large organisation, whose staff are employed at several locations throughout the country, used a central database to record information relating to its employees and their work. The complainant questioned the security arrangements in respect of his personal data, and the extent of access to such data throughout the organisation.
The organisation’s computer system comprised about a hundred personal computers nationwide connected to a central computer in the Dublin head office. Some sixty laptop computers were also provided for use by employees when away from their offices. These laptops contained a version of the organisation’s main database which was downloaded from the main computer and updated periodically. Accordingly, data kept by the organisation on its main database was available to staff in the head office, in the local offices, and at off-site locations.
The complainant, an employee, made his complaint while the computer system was still being developed and implemented by the organisation. He made the following points. First, he alleged there had been a breach of security because the laptops were without any password protection for a period during the development of the system. Second, the complainant objected to certain of his personnel data and details of his work activity being generally available to staff, and argued that such data should only be available to those who needed them to perform their managerial functions.
Section 2(1)(d) of the Data Protection Act provides that “appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.” The question of the security of access to the laptop computers was considered in the light of this provision.
My investigation established that each laptop required use of a password for access to the local version of the database. Where a laptop was establishing a connection to the main computer, another password was needed, and access to the main database itself required the use of a third password. In principle this approach appeared to conform well with the requirements of section 2(1)(d) above. However, the apparent effectiveness of this approach had been compromised. In the interests of simplicity of operation, the organisation issued a single centrally-generated password to each member of staff, valid at all three levels (so that each staff member would only need to remember one password), thus reducing the effectiveness of the password system as a whole. Furthermore, in the course of training staff on an upgraded version of the software, the password security system was modified to allow trainees ease of access to the system. This modification gave open access to the main database from a number of laptops.
As soon as this fact was discovered, the data controller took steps to rectify the matter. It is not appropriate for a data controller to allow his standards of security to slip, so that personal data becomes more widely accessible than is necessary. However, I noted the prompt action taken by the data controller to put matters right, and – given that my investigation did not discover any evidence of unauthorised access or use of the data during the period when the passwords were not in operation – I did not uphold this part of the complaint.
The second ground for complaint put forward was the alleged wide availability throughout the organisation of details relating to the complainant’s work activities including particulars of annual and sick leave. This raised two separate but related issues: first, whether this wide availability constituted “disclosure” for the purposes of the Data Protection Act; and second, whether the wide availability of data was consistent with the organisation’s duty to take “appropriate security measures … against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.”
On the first question, I noted that the only people with access to the main database were the staff of the data controller. The definition of “disclosure” given in section 1(1) of the Act, specifically states that disclosure “does not include a disclosure made … to an employee … for the purpose of enabling the employee … to carry out his duties”. In my opinion, these words require a data controller to make an assessment, in respect of particular employees, as to whether such employees need to have access to particular holdings of personal data, and to provide accordingly. Thus, one would expect a Human Resources Manager to have access to personal data not necessarily available to the manager of a client database, and vice versa. Data controllers should, in my view, take reasonable steps to prevent personal data from being made available to employees who may have no work-related interest in the data.
On the second question, I consider that sensible restriction of the availability of personal data is one of the “appropriate security measures” that data controllers must consider. The more people who have access to personal data, the greater is the risk of unauthorised access or disclosure. These issues were discussed with the data controller in detail. The organisation explained that the wide availability of personnel information and staff operational details was due in part to business requirements, and in part to the culture and tradition of the organisation. Following discussions, the data controller made a number of significant changes to the computer system, at some expense, in order to restrict access to the personal data of employees. It is my view that, in a case such as this, an appropriate balance must be struck between the concerns of the employee as data subject, the real operational requirements of the organisation and the costs to the organisation. I took the view that, following the changes referred to above, the data controller was compliant with the Act.