You are here

Data thieves should pay much higher price

Dublin, 23 November 2007 - After Britain's data protection scandal, John Devitt argues the alleged misuse of personal data by civil servants here must be investigated by the Garda as well as the Data Protection Commissioner

When the winner of a €115 million EuroMillions jackpot was announced in 2005, it wasn't just the media that jumped on the story. For reasons best known to themselves, 72 civil servants trawled the records of the Department of Social and Family Affairs to find out as much they could about Dolores McNamara, a housewife from Limerick and Ireland's newest multimillionaire.

The investigation by the Data Protection Commissioner into what became a minor scandal found that insufficient controls were in place to prevent civil servants from accessing personal information on citizens for their own entertainment. The department gave assurances that the necessary steps had been taken to prevent it from happening again.

Just two years later and more stories have broken about how staff at the same department have passed on such information to outside vested interests, including criminals. In April, private investigators were alleged to have "bought" information on citizens from officials at the same department and from An Garda Síochána.

This data would be passed on to insurance companies to investigate claims made by the same citizens. The information would normally contain bank account details, Personal Public Service (PPS) number, employment history, and other family details - not just enough to mount a defence against an insurance claim but also to steal a person's identity. The Data Commissioner said the illicit collection of personal data by the insurance industry was "systematic".

This time, however, the data commissioner was assured again that an internal investigation would be pursued by the department into the allegations and that it had sufficiently tightened up its data security procedures since 2006. The commissioner also stated that he was encouraged to see the Garda launch its own internal investigation.

All of this has happened at a time when digital technology has presented us with opportunities to access information and knowledge that would have been unimaginable even 20 years ago. As we move towards total computerisation of personal information, business data, government records and even election results, the technology revolution also poses some seemingly underestimated risks.

Like most crimes, corruption is a function of both motive and opportunity. The motive sometimes arises in the form of a competitive edge over a rival or access to scarce resources such as public contracts. Likewise data can be a valuable commodity, and personal information a scarce resource when controlled and protected by the authorities. With enough at stake, personal data can present just the kind of incentive for officials to abuse their positions to sell and for vested interests to bribe.

In an age where colossal amounts of data are gathered and disseminated, information technology provides ample opportunity for corrupt officials to collate, copy and sell volumes of personal data. The risk is particularly acute where laws and codes are not clearly and regularly communicated to staff, where employees have excessive access to data, and where security measures are weak or absent.

Since 1988, the Data Protection Commission has been responsible for promoting and enforcing the law in this area. The commission is empowered to handle complaints from the public, undertake mandatory audits on companies and government departments, and impose fines of up to €3,000 on non-compliant bodies. Under commissioner Billy Hawkes and his predecessor Joe Meade, the office and the importance of data protection have been well publicised.

In spite of the commission's good work, it is not capable of or responsible for investigating allegations of bribery. Moreover, a €3,000 fine and disciplinary action against officials for the corrupt trade in personal data serves as little deterrent to officials, private investigators and insurance companies who stand to make or lose a lot more than four-figure sums. The deterrent should be proportionate and alleged criminal offences should be met with criminal investigation.

If the authorities are serious about stemming the unauthorised sale of information to insurance companies or any other third party by public officials then they should recognise that this trade isn't just a material breach of the Data Protection Acts but a serious and indictable criminal offence.

Anyone found guilty of paying or accepting a bribe can be sentenced to up to 10 years in prison and an unlimited fine - enough to focus anyone's mind.

There are moral as well as practical consequences for individuals and the national interest arising from our inability to enforce the law in this area.

Firstly, the sale of personal information by civil servants or gardaí is a betrayal of the trust invested by citizens in their government, whose primary role is as a steward of State and personal security.

Secondly, if citizens cannot trust their own government then it is unlikely domestic or even foreign businesses will either - the resulting reputational cost for the State can be measured in lower inward investment, capital flight and long-term socioeconomic damage.

Our laws on data protection and corruption are designed to build trust and protect citizens. Both should be enforced by the relevant authority and as the evidence demands.

John Devitt is chief executive of Transparency International Ireland

© 2007 The Irish Times