Billy Hawkes, Ireland's Data Protection Commissioner, said that there had been a "disturbing failure of governance" in relation to access to a social welfare database administered by the Department of Social Protection.
In 2012 three insurance companies were each found to have breached Irish data protection laws by failing to notify the Office of the Irish Data Protection Commissioner (ODPC) that they were processing 'social welfare data'. The ODPC said that it had discovered that Zurich Insurance, FBD Insurance and Travelers Insurance Company each held social welfare data that matched information stored on the Department of Social Protection's systems, which were not publicly accessible.
An investigation has been undertaken into the role of private investigators in the breach, whilst an employee at the Department of Social Protection is currently subject to a criminal investigation regarding their alleged accessing of the social welfare data and their passing on of the information to private investigators.
The ODPC said that a "significant number" of the insurance firms' customers "had information such as employment histories, claims data and PPS numbers illegally obtained".
Following the case, the ODPC decided to audit a number of council authorities and health bodies in relation to their accessing of the Department of Social Protection's social welfare database, known as Infosys. Hawkes said the "failures" identified need to be addressed "on a public-service-wide basis" before further data sharing arrangements are established.
Infosys is a portal that gives government departments and external agencies access to information about the benefits and allowances that members of the public receive from the Department of Social Protection.
An audit conducted by the ODPC uncovered that the records had been inappropriately accessed by Irish civil servants, according to the watchdog's annual report. (127-page / 644KB PDF)
"A worrying degree of inappropriate access to Infosys by state employees was detected as a result of the investigation," the report said. "Some of this misuse was uncovered through internal investigations initiated by the agencies themselves. In other cases, inappropriate access was identified during the course of our examination of the access logs and subsequent engagements with these entities including physical on-site inspections."
The ODPC said that "the actions of a number of authorised users" from across the bodies granted access to Infosys had amounted to a breach of data protection laws.
The ODPC said that agencies with access to the Infosys database should maintain a register of all data disclosure requests and that staff should face "severe disciplinary penalties" for accessing data outside of security protocols.
"Proportionality is the key," Hawkes said in his annual report. "Data sharing in the public sector should have a clear basis in law; be clear to individuals that their data may be shared and for what purpose; have a clear justification for individual data sharing arrangements, with minimum data shared to achieve the stated public service objective; strict access and security controls; and secure disposal of shared data."