THE PERSONAL DATA of a Tipperary man was stolen from the car of a Department of Social Protection employee, it has emerged.
The data files (including PPS numbers) of 51-year-old local man John Cash, together with those of three other people, were taken from a car park in Clonmel in the Munster county in late 2014.
Subsequently, the Data Protection Commissioner ruled that the department (which is now known as the Department of Employment Affairs and Social Protection – DEASP) had failed “to ensure that appropriate security measures were in place against the unauthorised access” to Cash’s data.
Cash first became aware of the data breach when informed by the department itself (which also stressed that a Garda investigation into the theft had been initiated) in December 2014. While he has received a number of apologies from DEASP, he claims he has heard nothing from the department since the Commissioner ruled against it in December 2016, apart from a note in January of this year stating that the department acknowledged that decision.
Damages
That ruling makes clear that the department may be liable for damages due to the breach, but that is entirely dependent upon the individual in question and whatever legal advice they may receive.
The department said, in responding to the DPC, that the theft occurred as the files in question were being moved from an Employment Services Office to the department’s local office in Tipperary.
“It isn’t about compensation at this stage,” Cash told TheJournal.ie. “It’s about how they’ve handled the whole thing. I can tell you I’m a lot more upset about how the department has treated me than I was by the initial breach.”
It bugs me that the likes of the banks are constantly in the headlines, but a government department ignoring the Data Protection Commissioner isn’t. What’s the point of having a commissioner if a department won’t engage after a decision has been made against it?
The news comes after a rocky week for the Irish civil service, with the Department of Justice in particular being excoriated for its role in the events leading up to the resignation of its former Minister Frances Fitzgerald.
TheJournal.ie requested comment from DEASP on this matter. In response, the department said it “cannot comment on cases concerning identified individuals”.
“However, it is important to state the department takes its responsibilities in relation to data protection very seriously. Every effort is made to ensure that personal customer data is used solely for specific and genuine business purposes,” a spokesperson said.
All members of staff of the department are regularly reminded of their data protection obligations and staff members are required to sign annual undertakings that they have read, and will act in accordance with, data protection policies and guidelines.
“The department co-operates fully with the Office of the Data Protection Commissioner and always acts in accordance with that office’s Data Security Breach Code of Practice in any case where data has been breached,” they added.
The documents stolen from the car in Clonmel comprised community employment (CE) eligibility forms. The culprit for the robbery has never been identified.
In her judgement, the DPC Helen Dixon mentions that she first wrote to the department concerning the issue on 13 February 2015. A response was received on 20 March, suggesting that the files had been taken from the “locked glove box of a staff member’s car”.
Glove box
In the DPC’s written judgement, it is subsequently mentioned that the department “failed to keep your personal data secure as it was stolen following a forcible entry to the vehicle of a DSP member who was storing the files in her case”.
Click here to view a larger image
Cash claims that as he understands the situation, the employee “had left her briefcase in the car on the back seat and the car was broken into”.
“I have yet to see a briefcase that can fit into a glove box,” he said.
However, in the aftermath of the theft, each of the four individuals whose data was taken received an anonymous letter (accompanied with the relevant employment form and a DEASP compliment slip signed by the staff member in question) informing them that their files had come into the public domain.
Following the robbery, DEASP informed all four individuals of what had transpired. Cash subsequently made his complaint to the DPC in February of 2015.
In ruling against DEASP, the commissioner acknowledged that despite attempts to amicably conclude the disagreement, “the office was ultimately unable to mediate a satisfactory outcome between the data subject and data controller”.
When asked by the DPC as to what measures it had taken both to address Cash’s concerns and to prevent a reoccurrence of the breach, DEASP responded that its area manager had met with him and issued an apology. The department also said that Cash had been issued with a Public Services Card (PSC) in the interim which “reduces the potential for forgery and fraudulent use through its stringent security features”.
Public Services Card
There was no evidence of “any inappropriate access” to Cash’s social welfare record, the department said. It also added that it had been willing to issue a new PPS number to him “as a form of amicable resolution”.
DEASP has been at the centre of multiple stories regarding how it handles the data of the citizenry in recent times, with most resulting from the department’s announced intention to expand its services to be entirely based upon the controversial Public Services Card.
The data theft was meanwhile recently the subject of a parliamentary question on the part of TD Richard Boyd Barrett on behalf of Cash.
Responding, current Minister for Employment Affairs and Social Protection Regina Doherty said that “the department takes customer privacy very seriously”.
As custodian of personal information, staff members of the department are reminded continuously about the importance of information security and to be vigilant and aware of data protection legal obligations. If there is a breach of data, the incident is investigated and corrective measures are put in place, in accordance with data protection legislation.
“The incident involving this person was fully investigated, in the course of which a number of communications issued to the person. He received a number of written apologies and a Department official met with the person and again apologised,” she added.
“The mistake the commissioner made I feel was that, in stating the findings, she said that the four people affected may be entitled to compensation,” said Cash. “This I believe is the reason why I haven’t heard from the department.”
I would have been more than happy just go over the findings with them, to have them look me in the eye and accept fault. Instead they ignored me.
“The ultimate sanction is for someone to lose their job,” he added. “I don’t want that – it was a stupid mistake, but a genuine mistake.”
I just want to see a situation where government departments are held properly accountable.
To embed this post, copy the code below on your site
have your say