In February 2012 three insurance companies, Zurich Insurance Plc, FBD Insurance Plc and Travelers Insurance Company Limited, appeared in the Dublin District Court on charges relating to the processing of personal data by them in contravention of Section 19 of the Data Protection Acts.
Background
A formal data breach report was received by the Office in December 2010 from the Department of Social Protection concerning the alleged leaking to third parties by one of its officials of personal data held on the Department’s computer systems. We immediately launched an investigation which identified two suspect entities engaged in ongoing contact with the official in question.
Having established the identity of these entities we carried out an unannounced inspection at a firm of private investigators, Reliance Investigation Services Ltd, in Co. Kildare. During the course of that inspection, we obtained a copy of that firm's active client list for 2010. Having examined the client list, we identified that Zurich Insurance Plc, FBD Insurance Plc and Travelers Insurance Company Ltd were active clients of the private investigator. To progress the investigation of the data breach, the Commissioner requested Authorised Officers to conduct inspections at all three insurance companies. These inspections took place in December 2010.
Using the information which had been obtained at the premises of the private investigator, a number of claim files were identified in each insurance company as cases in respect of which the private investigator had provided services to the insurance companies concerned. The email systems and a number of files were examined in both manual and computer form during the course of those inspections.
Over the course of the following months, we continued our investigations by examining this information and during this time also received from the Department of Social Protection a list of all of the computer accesses made in 2010 on the Department’s computer systems by the official suspected of committing the data breach. This led to the identification of further cases which required examination in the context of the investigation of the data breach. Further inspections took place at all three insurance companies in 2011. During these inspections, our Authorised Officers identified a number of cases which were of interest in the context of the data breach investigation. Amongst some of those cases were reports submitted by the private investigator which contained information of a social welfare nature.
The Authorised Officers sought and were provided with copies of private investigator reports in respect of several cases of the five individuals. The information which appeared to us to contain social welfare data of the individuals concerned was presented by us to the Department of Social Protection in August 2011 for examination. We subsequently received written confirmation from the Department of Social Protection in respect of each of the individuals concerned that the Department's computer system contained a data set of information relating to the individuals, that the data was used by the Department for the performance of its functions, that the data was "social welfare data," that the information on the sheets matched the social welfare data stored on the Department's computer system and that the social welfare data concerned was stored securely on the Department's computer systems and was not publicly accessible.
Register Entry
Under Section 16 of the Data Protection Acts, the Data Protection Commissioner has established, as is required, a public register of data controllers and data processors who are obliged to apply to be registered and to give certain details about their processing of personal information. Insurance undertakings fall into the category of data controllers which are required to be registered. All three insurance companies had current entries on the register at the time of this investigation.
We examined all the register entries for each company. We noted that a description of personal data in the form of social welfare data was not recorded on the register entry. We also noted that the purpose for which personal data in the form of social welfare data was processed by the insurance companies was not recorded on the register entry. Having examined the data breach investigation file and the register entries for each of the three insurance companies, the Commissioner decided to initiate prosecution proceedings for breaches of section 19 of the Data Protection Acts. This section sets out the effect of registration. It provides, among other things, that a registered data controller shall not keep personal data of any description other than that specified in the register entry and that the data controller shall not keep or use personal data for a purpose other than the purpose described in the entry.
Court Hearing
On 13 February, 2012 the Dublin District Court accepted jurisdiction in the matter. Each of the defendant insurance companies pleaded guilty to ten charges in respect of breaches of Sections 19(2)(a) and 19(2)(b) of the Data Protection Acts. Having heard the prosecution evidence, the Court was satisfied that the prosecution case had been proven. Section 1(1) of the Probation of Offenders Act was applied in the case of each defendant company. Each of the defendant companies made an offer of a charitable donation of €20,000 to be paid to a charity of the Court’s choosing. In each case, the Court accepted the offer and it directed that all three payments be made to the Capuchin Day Centre within two weeks. The Office also recovered from the defendants the legal costs arising from the prosecution.
Other Matters Arising
The Department of Social Protection also notified An Garda Síochána of the data breach and separate Garda investigations have taken place focussing on the source of the leakage and the role of private investigators in the breach.
URL: http://www.bailii.org/ie/cases/IEDPC/2012/[2012]IEDPC1.html