
Irish Data Protection Commission Case Studies


CASE STUDIES 2013 - Data Protection Commissioner - Ireland [2013] IEDPC 3 (2013)
URL: http://www.bailii.org/ie/cases/IEDPC/2013/2013IEDPC3.html
Cite as: [2013] IEDPC 3



Case Study 3: Government Department admits inappropriate access to records by an official.
 
The Office received a complaint in May 2012 against the Department of Social Protection. The complainant alleged that there had been unauthorised access within the Department to his records by a departmental employee.
 
We commenced an investigation of the matter by writing to the Department of Social Protection outlining the details of the complaint. In response, the Department of Social Protection confirmed that the complainant had previously requested from the Department of Social Protection, by way of an access request, a 'log of accesses' made to his social welfare records. It stated that, during follow-up contact with the complainant, it became clear that the complainant was concerned that a particular individual employed by the Department, his ex-wife, may have inappropriately accessed his details.
 
The Department of Social Protection subsequently informed us that a full investigation of the matter had been undertaken. The Department indicated that, during the course of this investigation, a member of staff admitted to accessing the complainant's records without having a legitimate business reason for doing so. It said that, as a consequence, the matter had been referred to the HR Division for possible action under the Civil Service Disciplinary Code. The Department apologised to the complainant for any distress that the breach may have caused him. It said that the Department takes its responsibility as a data controller very seriously and that it makes every effort to ensure that personal data is safeguarded at all times.
 
We sought specific details from the Department regarding when and how often the unauthorised accesses had occurred so that the extent of the breach could be determined. In response the Department gave us details of the dates and times of each unauthorised access. There were twelve instances of unauthorised access of the complainant's records between February 2004 and July 2009 by a member of staff who did not have a legitimate business reason to do so. 
 
A formal decision on the complaint was requested by the solicitor acting for the complainant.
 
The Commissioner’s decision, which issued in February 2013, found that the complainant’s personal data was further processed by the Department of Social Protection in contravention of Section 2(1)(c)(ii) of the Data Protection Acts, 1988 & 2003 on twelve separate occasions. These contraventions occurred when the complainant's records, which were held on the Department's customer information database, were accessed by an employee of the Department for a purpose unrelated to that for which the data was obtained.
 
Once again this case highlights the unacceptable practice by some individuals of snooping through official records for personal reasons unconnected with their official duties. Varying degrees of personal information relating to every citizen in the State are held on databases within Government Departments, and officials who have access to this information to conduct their official duties are entrusted to access and use that information in accordance with the requirements of their functions. Straying beyond the boundaries of their official duties in terms of accessing personal records amounts to unlawful activity by the individuals concerned. For that reason, it is critical that data controllers, such as a Government Department in this case, have robust disciplinary policies in place to deal with any breaches. Taking no action against individuals caught engaging in such activity is not acceptable. Instead, it should be clear to all users that there are serious negative consequences for unauthorised access to personal information for unofficial purposes. Furthermore, as this case demonstrates, it is vital that data controllers have an audit trail in place on computer systems to capture both 'read-only' and 'edit' accesses to official records. Obviously, the monitoring of such audit trails and follow-up action are crucial elements in ensuring the effective protection of records which are stored on a data controller's computer systems.
 
 


