Wednesday, 20 August 2014

Credit Unions will be pursued for data protection breach

The Irish League of Credit Unions has said that it will undertake a full review into the credit unions that used private investigators that illegally obtained personal data from the Department of Social Protection. The move follows the revelations regarding the use of so-called tracing agents by four credit unions in Limerick, five in the midlands, two in Dublin and one in Meath. The branches face the prospect of being required to destroy any personal data handed over by private investigators, who are currently being probed by the Data Protection Commissioner. Prosecutions, which could result in fines for the private detective firms in question, are expected to follow.

Have you been affected by the above breaches?

Have your data protection rights been breached by a Credit Union?

We have represented clients whose information has been disclosed by Credit Unions.

Credit unions who got stolen data may now be asked to destroy it

Irish Independent 19th August 2014 
A full review is to be undertaken into credit unions that used private investigators who illegally obtained personal data from the Department of Social Protection.
The Irish League of Credit Unions (ILCU) announced the move yesterday as the minister with responsibility for data protection said he was “deeply concerned” by revelations in this newspaper.
The credit union network has been rocked by an Irish Independent investigation into the use of so-called tracing agents. The branches at the centre of the scandal face the prospect of being told to destroy any personal data handed over by private investigators who are being probed by the Data Protection Commissioner. These credit unions include four in Limerick, five in the midlands, two in Dublin and one in Meath. Assistant Data Protection Commissioner Tony Delaney is pursuing a number of firms who used false identities and blagging tactics to illegally obtain the information from the Department of Social Protection. While the credit unions who received the stolen data insist they were not aware of the methods used by the private investigators, the ILCU last night said a review into the use of the firms will take place.
Minister for Data Protection Dara Murphy said he was "deeply concerned" at the revelations. And Fianna Fail finance spokesman Michael McGrath called for the establishment of a code of conduct for financial institutions enlisting the services of private investigators. "The issues raised by the Irish Independent are very grave. The Central Bank must devise a code of conduct that would apply to the use of Private Investigators by financial institutions. Such a code is of paramount importance to ensure the integrity of people's personal data is protected at all times," Mr McGrath said. Meanwhile, the Central Bank last night said it expected all credit unions to fully co-operate with the Office of the Data Protection Commissioner. "The Central Bank expects that each credit union fully complies with all legal and regulatory obligations including all data protection requirements," a spokesperson said. "The Central Bank will assess the need for correspondence with individual credit unions and/or the credit union sector in relation to specific issues arising from this matter." The investigation by Assistant Commissioner Delaney was launched last July and established that state officials had been duped by private investigators hired by credit unions. In some instances, agents contacted welfare officials and obtained addresses and employment details through a single phone call. The agents struck up a rapport with the unsuspecting department officials who they continually contacted for personal data. They introduced themselves as fellow state officials, from departments north and south of the Border. At least 78 credit union customers had their information breached. However, it is believed reams of other data was obtained by agents who targeted other state agencies. Some credit unions paid out €50 per single address. The Irish Independent understands credit unions who are storing stolen data may be asked to destroy it.
The Department of Social Protection has said it continuously reviews its internal controls and takes data protection responsibilities very seriously. In a statement to the Irish Independent, the ILCU confirmed that a review of the use of private investigators would take place. The umbrella body, which represents 374 credit unions nationwide, also said it would be seeking a meeting with the Office of the Data Protection Commissioner "to ensure best practice going forward for all credit unions using tracing agents or private investigators". "We take very seriously any allegation that a private investigator working for a credit union has obtained information on members illegally. The ILCU has written to our affiliated credit unions and reminded them of the guidelines issued by DPC in relation to best practice in this area," the organisation said. “Furthermore the ILCU's CU Learning & Development also provides training courses to support our credit unions in the areas of data protection and credit collection in the Republic of Ireland. These courses are available throughout the year. In addition we will commence a review of credit unions who may have enlisted the services of private investigators to pursue arrears.”

Tuesday, 12 August 2014

Opinion: ‘Right to be forgotten’ ruling opens a legal and ethical Pandora’s box

The Journal, 23rd July 2014

THE RULING BY the European Court of Justice just over two months ago that the citizens of Europe have a ‘right to be forgotten’ has opened a legal and ethical Pandora’s box. The original ruling, based on the case of a Spanish citizen who wished to have information about his financial woes a decade previously taken out of search results on Google, was vaguely constructed and left the door open for individuals, and maybe even organisations, to have damaging or embarrassing material about themselves no longer reachable through a Google search.

While the court said that the ruling would be applied only where it did not conflict with freedom of expression or of the press, it left the burden of proof and investigation of this up to the party running the search engine, i.e. Google, and not up to the person seeking to have his or her information “forgotten”. Google is currently receiving about 1,000 requests a day for links to particular pieces of information to be removed from its search results. Quite understandably, the company has begun simply to grant these requests on receipt of them, as there is no way the company could (or should) wade through the sheer volume of requests and check each one for compliance with both the ruling on forgetting information and with freedom of speech. The court’s insistence that it is Google’s job to do the leg-work on each request has led inevitably to the company letting through a lot of right-to-be-forgotten requests which are dubious, to say the least.

From corrupt referees in Scotland to bankers at the former financial institution Merrill Lynch who may have played a role in the financial crash, various individuals are coming forward to have unpleasant facts about their pasts erased. Then of course there are the convicted sex offenders and individuals convicted of crimes like assault who wish to have links to articles about their crimes taken down. This ruling is a godsend for anyone with a criminal past who wishes to scrub their own record clean.

Effective data protection

The ruling was based on the principle of ‘Data protection’ which was conceived as a way of protecting the data of private citizens when it is held by governments. It particularly applies to social services and other branches that keep large quantities of highly personal information about citizens. This is a crucial protection afforded to citizens against the one organisation whose processing of data needs to be closely monitored: their government. As exemplified by the ongoing activities of the NSA and other overly-powerful governmental organisations around the world, when it comes to government-held data, the citizen needs not just a right to be forgotten, but effective safeguards to ensure the government cannot get certain information in the first place. Data protection does not apply well to private companies. The information to which people are attempting to restrict access is public knowledge, shared freely over the internet. Just because information is relevant to someone does not mean they have carte blanche to restrict access to it. This is especially true with online articles and other documents which are made available in the public interest, and should not be censored, no matter how embarrassing their content. The function of the press is to spread information in the public interest. Sometimes this information may be detrimental to an individual’s reputation, but the fundamental freedom of the press to spread information should not be curtailed because of this.

Empowering governments

The wide-ranging ruling handed down by the European Court has a second danger concealed within its arguments. By empowering European governments to go after companies like Google whose servers are actually based outside European territory, the court is setting a dangerous precedent. If the European courts can prosecute Google and other search engine providers for not removing links to information stored in servers outside the continent, what is to stop the process happening elsewhere? What if the United States government, for example, were to demand that information based on or provided by Wikileaks or Edward Snowden be deleted from European-based servers? Given that the European court said in its ruling that information could be deleted if it was “inaccurate”, “excessive” or “irrelevant” surely the US government would have grounds to demand that leaked documents be taken down from search engines or removed entirely, or even that newspaper articles relating to them be removed from Google search results.

The internet has given birth to an unprecedented free transfer of information in the modern world. It has broken down barriers and enhanced freedom across the globe. To start rowing back that freedom by way of a “Right to be forgotten” would undermine over two decades of progress. Information should be free, and not restricted by the arbitrary actions of individuals or unaccountable courts. It is time to forget about the right to be forgotten.

Private investigator to be tried over data breaches in October

Irish Times, 21st July 2014

A private investigator charged in relation to alleged breaches of data protection legislation will be tried in October. Michael J Gaynor, trading as MJG Investigations, Beatty Grove, Celbridge, Co Kildare, was before Dublin District Court this morning facing a prosecution by the Data Protection Commissioner. Mr Gaynor faced 72 criminal charges in relation to alleged breaches of data protection legislation, including illegally accessing and disclosing personal information on individuals held by An Garda Síochána and the ESB.

It is the first such criminal prosecution of its kind in the State. Mr Gaynor faces three charges of illegally accessing personal information held by An Garda Síochána and of disclosing it without authority, under the provisions of section 22 (1) of the Data Protection Acts 1988 and 2003.

He faces a further nine charges of illegally accessing and disclosing personal information held by the ESB under the same section of the Acts. Some 60 charges against him relate to illegally processing the personal data of a number of individuals without an entry in the register held by the Data Protection Commissioner for data processors.

The offences are all alleged to have occurred between May and October 2013. Counsel for Mr Gaynor, Justin McQuade BL, told the court today the issues had been “considerably narrowed” and that a trial would go ahead on three of the charges. He said one day would be sufficient to hear the case. Judge John O’Neill set the trial date for October 6th.

Friday, 8 August 2014

Revealed: State gives patient records to big pharma and insurers

The Sunday Business Post, 29th June 2014 

The hospital records of every patient in the country are available on request to various pharmaceutical companies and health insurers, The Sunday Business Post can reveal. The revelation has alarmed patient groups, rights campaigners and privacy advocates, as it has occurred without the informed consent of patients. This means that health insurers, marketing companies and pharma giants can access intimate personal medical records.

The Healthcare Pricing Office (HPO), which collates the national database from patient records provided by 57 acute hospitals, refused to disclose which organisations and researchers have secured access to the data. The HPO, which is part of the HSE, said the data was scrubbed of certain personal identifiers, such as a patient’s name and date of birth. However, organisations can request the age, sex, year of hospital discharge, county of residence of the patient and the county in which the patient was treated. Privacy experts warned that it was possible to piece together a person’s identity using their location and age. They said there were countless international examples whereby data miners have reverse-engineered the data and used additional databases, to discover the names of patients. For example, if someone knew a high-profile personality had been admitted to hospital on a certain date for a specific treatment that person’s medical data could potentially be identified.

This has happened in other countries. Fintan Lawlor, a solicitor who specialises in data protection, said that under the Data Protection Acts the HSE ‘should seek to have the consent or explicit consent of the data subject to the transferring of that information to a third party’. Lawlor said: “Section One of the Data Protection Acts gives a definition of personal data and is described as ‘data relating to an individual who is or can be identified either from the data or from the data in conjunction with other information that is in, (or) likely to come into, the possession of the data controller.’”

Lawlor, who is a partner at the Dublin-based Lawlor Partners, said ‘where sensitive data is concerned, it is important that explicit consent is obtained from the data subject and that they understand the implications of the consent.’ The ESRI managed the data since the 1990s. In January of this year the Healthcare Pricing Office took over. It is unclear how long third parties have been allowed to access the data; the HSE did not say. “I would say that they suspect that they may be in breach of the Acts and, accordingly, are not prepared to disclose the information”, said Lawlor.

The HSE said it could not disclose what organisations had received medical records as it had assured them anonymity. The Irish Council for Civil Liberties (ICCL) called on the HSE to ‘come clean’. Mark Kelly, director of ICCL, said patients had a ‘legitimate interest in knowing what external organisations are receiving their highly sensitive and personal records.’ Stephen McMahon, director for the Irish Patients Association, said: ‘if privacy is dead for Citizen U, then why should those that benefit from the harvesting of Citizen U’s life data be given privacy?’ McMahon said a ‘basic right for all patients is the right to confidentiality and a right to consent to allow others to access data about them if they so wish, including the state’.

McMahon called on the Data Protection Commissioners to publish an annual report of the requests that were made, as well as the names of the organisations that requested access to data. Advocates for sharing health data say it can be used to improve overall patient health outcomes, make medical advances easier and ultimately save lives. Privacy experts warn there is no way for the public to work out who will ultimately have possession of their medical records or to what use their data will be put. The HSE said it was not selling patients’ data.

Tuesday, 24 June 2014

Private investigator prosecuted for alleged data breaches

Irish Times - 23rd June 2014

A private investigator is facing 72 criminal charges in relation to alleged breaches of data protection legislation, including illegally accessing and disclosing personal information on individuals held by An Garda Síochána and the ESB. Michael J Gaynor, trading as MJG Investigations, Beatty Grove, Celbridge, Co Kildare, was before Dublin District Court this morning facing a prosecution by the Data Protection Commissioner.

It is the first such criminal prosecution of its kind in the State. Mr Gaynor faces three charges of illegally accessing personal information held by An Garda Síochána and of disclosing it without authority, under the provisions of section 22 (1) of the Data Protection Acts 1988 and 2003. He faces a further nine charges of illegally accessing and disclosing personal information held by the ESB under the same section of the Acts.

Some 60 charges against him relate to illegally processing personal data without an entry in the register held by the Data Protection Commissioner for data processors. Counsel for Mr Gaynor, Justin McQuade BL, said he needed to assess the file on the matter and to discuss whether certain matters may or may not be admissible. He asked that the Data Protection Commissioner further distill the information in the summons and to outline what matters he would seek to rely on in the case.

Sophie More O’Ferrall of Philip Lee Solicitors, for the commissioner, said that while there may be “arguments to be had” over certain of the matters, it was the prosecution’s intention to rely on all of the matters that had been outlined in the file. Judge John O’Neill adjourned the matter for mention to July 21st next.

Thursday, 19 June 2014

Facebook privacy case sent to Europe

Irish Examiner June 19, 2014 

The European Court of Justice (ECJ) is to be asked to examine the law governing data protection following a student’s legal challenge over the rejection of his complaint about interference with personal privacy by the mass transfer of data by Facebook to the US intelligence services.

Max Schrems, an Austrian post-graduate law student behind a data privacy campaign group called ‘Europe v Facebook’, brought a High Court challenge claiming Ireland’s Data Protection Commissioner Billy Hawkes wrongly interpreted and applied the law governing the mass transfer of personal data of Facebook users to the US National Security Agency (NSA). Mr Hawkes found Mr Schrems’ complaint did not meet the threshold required to merit investigation. Mr Schrems had asked Mr Justice Gerard Hogan to quash that decision and refer it back to Mr Hawkes for re-consideration. He said the Commissioner’s decision was irrational and asked that a preliminary reference be made to the ECJ. Mr Hawkes, who found Facebook had acted within the terms of an EU-US data-sharing agreement in July 2000 called ‘Safe Harbour’, opposed the action. He found Facebook had no case to answer and was in compliance with relevant regulations.

The court heard Mr Hawkes rejected suggestions that he was not prepared to take on big companies, arguing that he was already investigating 22 other similar complaints from Mr Schrems, but this particular one did not warrant an investigation. Yesterday, Mr Justice Hogan said he was referring the matter to the ECJ for re-evaluation given that “much has happened” since the Safe Harbour agreement. This included the enhanced threat to national and international security, disclosures regarding mass and undifferentiated surveillance of personal data by US security forces, and the advent of social media.

The main development, from a legal perspective, was the introduction, after July 2000, of Article 8 of the Charter of Fundamental Rights of the EU governing personal data, he said. While Mr Schrems maintained Mr Hawkes had not adhered to the requirements of EU law by rejecting his (Schrems’) complaint, the opposite was the truth, the judge said. Mr Hawkes had demonstrated “scrupulous steadfastness” to the letter of a 1995 EU directive... which gave rise to the Safe Harbour agreement. Mr Schrems’ objection was, in reality, to the terms of the Safe Harbour regime itself rather than to the manner in which Mr Hawkes had actually applied that regime, he said.

There was perhaps much to be said for the argument that Safe Harbour had been overtaken by events, including the revelations by former NSA computer systems administrator Edward Snowden, which may be thought to have exposed “gaping holes” in contemporary US data protection practice, the judge said. The judge also noted the Snowden revelations demonstrated “a massive overreach” on the part of the security authorities “with an almost studied indifference to the privacy interests of ordinary citizens”. The judge said Mr Schrems contended the Snowden revelations about Prism showed there was no meaningful protection in US law or in practice regarding data transfer as far as surveillance was concerned and in particular there was no requirement by those services to obtain a court order for their activities.

In this specific complaint, Mr Schrems had not challenged the validity of either the Safe Harbour decision or of the original 1995 EU directive. In those circumstances, Mr Hawkes is bound by the 2000 Safe Harbour decision and until the issue of re-evaluating that decision is dealt with, Mr Schrems’ application for judicial review and the complaint to Mr Hawkes must fail, he said. Given the general novelty and practical importance of the issues raised, which have considerable practical implications for all 28 EU member states, it was appropriate this question should be determined by the ECJ. The case was adjourned until next month for papers of the referral to be prepared.