BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
 |
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | |
Irish Data Protection Commission Case Studies |
||
|
You are here: BAILII >> Databases >> Irish Data Protection Commission Case Studies >> Member of staff at Q accessing and using personal data of a taxpayer [2007] IEDPC 10 URL: http://www.bailii.org/ie/cases/IEDPC/2007/10.html Cite as: [2007] IEDPC 10 |
||
[New search] [Printable RTF version] [Help]
Member of staff at Q accessing and using personal data of a taxpayer [2007] IEDPC 10 (31 December 2007)
Member of staff at Q accessing and using personal data of an individual
In January 2007, I received a complaint from a data subject who claimed to have been harassed by the receipt of a large number of anonymous text messages on her mobile phone. Among other things, the text messages referred to various details of personal information related to the data subject and personal information of some of her family members. Prior to referring the matter to my Office, the data subject informed me that she had made a complaint to An Garda Síochána about this matter. She claimed that the Gardaí traced the sender's number to a particular person to whom she had once been introduced very briefly. The data subject alleged that the sender, who was employed by the Q., had obtained her personal information and that of her family members by accessing personal files held by the Q.
My Office began an investigation of this complaint by contacting the Q.. We asked that the audit trail of the relevant files of the individuals concerned be examined to determine if they had been accessed by any staff member who did not have a legitimate business reason for doing so.
Following a prolonged examination, the Q. confirmed in June 2007 that it had been ascertained that one of its officers had accessed the records of the data subject and members of her family during the period November 2006 to February 2007, that such access was not part of the officer's official duties and that it would appear that information gained from this access was passed to third parties unknown. The Q. stated that the matter was being dealt with by its Personnel Branch under the Civil Service Disciplinary Code. It went on to state that it was seriously concerned about any instances of unauthorised access by its staff to taxpayer data held on its computer systems and that appropriate disciplinary action had been taken and would continue to be taken in individual cases.
Some time later, the Q. issued a letter to the data subject in which it acknowledged that her records and those of her family had been accessed by one of its officers and that the access was not part of the officer's official duties. The letter sincerely apologised to the data subject for the inappropriate accessing of her records and those of members of her family and it expressed deep regret that this occurred.
I regard this case as a very serious matter. A large amount of personal information is entrusted to the Office of the Q. which has a responsibility to ensure that it is kept safe and secure. A minimum standard of security for such information would include, among other things, that access was restricted to authorised staff on a 'need to know' basis. In this case, it emerged that the staff member who accessed the information had no legitimate business in doing so. That staff member abused a position of trust and proceeded to access and use personal information unlawfully. I will await with keen interest the outcome of the disciplinary proceedings which the Q. have commenced under the Civil Service Disciplinary Code in connection with this matter.
