Wednesday, 17 December 2014

Welfare staff opposed giving PPS numbers to Irish Water

Irish Times 13th December 2014
Photograph: Cyril Byrne/The Irish Times

Staff at the Department of Social Protection vigorously opposed the handing over of PPS numbers – particularly of children – to Irish Water, it has emerged.

Emails released under Freedom of Information legislation show Irish Water (IW) was seeking a “data dump” from the department, including information on all children for whom child benefit was paid.

Documents also show the utility failed to engage with the department on the question of accessing the data until weeks after Irish Water started posting application forms to households in September.

These forms sought PPS numbers of householders and any children who were eligible for child benefit.

It said these were necessary in order for it to apply Government allowances for water charges and it expected the department would verify them once customers had handed them over.

Implications questioned However, staff in the department questioned the data protection implications of handing over the PPS numbers and their obligations under official secrets legislation.

Secretary general of the department, Niamh O’Donoghue, told staff the utility was to “get nothing” until it wrote to her formally, which it did not do until September 18th – several weeks after it started media advertising and sending out packs to householders.

As late as October, an internal department email following a meeting with Irish Water said the utility had given the issue “little thought, so this discussion will go on for a wee while”.

It added: “We are making progress as you will see, but DSP objective is to protect its data, its reputation and minimise its commitment while being supportive to IW as directed in the Government decision (on water charges).” Email exchanges There are concerns throughout six months’ worth of email exchanges about “very limited” contact from Irish Water, with one document expressing concern the department “may be blamed for shortfalls in IW performance”.

The department documents indicate it was “pushing back strongly” on Irish Water’s request that it verify a customer was a recipient of child benefit.

Department officials ultimately conceded it seemed “likely” the utility was entitled to get the information it was seeking, but certain information could not be provided unless it was to allow some “fishing”.

The Social Welfare & Pensions Act, signed into law in July, amended the law to add Irish Water to the list of ‘specified’ bodies allowed to ask for PPS numbers.

But the requirement for customers to hand over this information to the utility was eventually dropped when Minister for the Environment Alan Kelly announced a revised package of measures on water charges in November.

Reaction expected Department official Tony Kieran of the child benefit (CB) section in Letterkenny told colleagues in emails he expected a major public reaction and had made it clear to Irish Water in a meeting in June his section would “not be dealing with phone or other queries on this”.

 “I have serious reservations about providing a wide-ranging data dump as I believe we (DSP and CB) will be dealing with a lot of fallout and get into arguments that have nothing to do with our schemes. This is without even considering the data protection implications of such an approach.”

By July, Mr Kieran was expressing concern that he was hearing radio ads from Irish Water stating correspondence would issue to the public shortly and that, as yet, it had not been back in touch with the department or drafted up any rules to apply to crediting water allowances.

Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners. For more information see our website :

Monday, 24 November 2014

Private investigator fined €5,000 for accessing Garda data

Irish Times 24th November 2014

A private investigator have been convicted on two charges of illegally obtaining information from the Garda Pulse system.

Michael J Gaynor, trading as MJG Investigations, Beatty Grove, Celbridge, Co Kildare, was before Dublin District Court facing a prosecution by the Data Protection Commissioner.

Mr Gaynor (62) faced three charges of illegally accessing personal information held by An Garda Síochána and of disclosing it without authority, under the provisions of section 22 (1) of the Data Protection Acts 1988 and 2003.

He was convicted on two of those charges and fined €2,500 for each offence.

Judge John O’Neill said that in his view Mr Gaynor had not given convincing evidence of why he was contacting a serving garda.

Mr Gaynor pleaded guilty to 69 other charges but pleads not guilty on the three related to accessing the Garda information.

Remy Farrell SC for the Data Protection Commissioner told the court Mr Gaynor had allegedly provided tracing reports to three credit unions - in Balbriggan, Lucan and Citybus Credit Union - on individuals they hoped to take action against for non-payment of debts.

He had allegedly obtained the information from Detective Garda Paul Cullen, a member of the Garda National Immigration Bureau, who had “little cause to be accessing information” on the three individuals concerned.

Assistant data protection commissioner Tony Delaney told the court that in an interview with Det Garda Cullen at the GNIB headquarters on March 18th 2014, the garda had admitted accessing all the records on the individuals concerned.

After questioning Det Garda Cullen for several minutes in the witness box, Mr Farrell made an application to have him treated as a hostile witness.

The detective contended Mr Gaynor, with whom had served as a garda for about 20 years, was in fact an “informal informant” who would telephone him from time to time with information about individuals who may be “of interest” to An Garda Síochána.

He said he may have “inadvertently” disclosed information to Mr Gaynor after the private detective contacted him in this context, but that he never provided information directly from the screen in front of him when logged into either the Pulse or GNIB databases.

Mr Cullen said that when Mr Gaynor had given him a name, an address or a car number, he would immediately check them on one of the systems available to him.

“He was offering me information,” the garda said.

He said he did not confirm any information to the private detective other than to tell him it was “not of interest to the gardaí”.

Mr Farrell asked at one stage why Mr Gaynor would be passing information on individuals to Mr Cullen and whether they were perhaps members of “al-Qaeda”.

Judge John O’Neill said he had “no difficulty” in having Mr Cullen treated as a hostile witness and said he agreed with prosecuting counsel that the detective was “playing with words”.

Friday, 14 November 2014

Pharmacy allowed husband watch footage of wife buying pregnancy test, court hears

Irish Times, 14th November 2014

A Co Wicklow mother, who claimed a pharmacy allowed her husband to watch CCTV footage of her buying a pregnancy test kit, has settled a €38,000 damages claim against the pharmacy for an undisclosed sum.

The woman, who cannot be named by order of the judge in the Circuit Civil Court, said her marriage had been highly dysfunctional and difficult for a number of years before the October 2010 incident. The incident, she said, worsened her relationship with her now deceased husband.

She told her barrister Martina O’Neill that she had bought the pregnancy test for a friend, but her husband found the receipt in their home and went to the pharmacy with it.

The court heard the husband was very possessive and had displayed abusive and violent behaviour towards his wife. When he arrived at the pharmacy he pretended to be very distressed and “tricked” one of the employees into showing him CCTV coverage of the actual purchase.

The husband told the pharmacy employee he had found the receipt in his teenage daughter’s bedroom and was concerned that she was sexually active. This had been why he had asked to be shown CCTV footage.

When asked by counsel for the pharmacy if her husband could have played “a low trick” on the employee, the woman said she could see him playing such a role as he would have been very good at it.

Mr English told the court the pharmacy assistant was very concerned for the wellbeing of the man’s teenage daughter and, due to his agitated state, showed him CCTV footage of a woman purchasing the test.

Circuit Court president Mr Justice Raymond Groarke was told that the father, who had identified the woman as being his daughter’s aunt, had secretly taken pictures of the CCTV footage with his mobile phone. The court heard the woman in the video was, in fact, the girl’s mother and plaintiff in the court proceedings.

The mother told the court she and her husband were not having an intimate relationship at the time and this had led to a row with her husband as he thought she had bought the test for herself.

She said her husband sent her, on her own mobile phone, a picture of her purchasing the pregnancy test. She had been scared about going home as she knew he would use it to start a row.

The woman told the judge that her husband and she had separated on and off. He had been physically and mentally abusive towards her. Gardaí­ had intervened several times after being called by the couple’s children.

The court heard the incident had not made their “traumatic marriage” any better as the husband had used the pregnancy test purchase as “a stick to beat her with” and made her life a misery.

“Every day after that he would talk about it any chance he could get. He became abusive on a daily basis,” she told the court.

She suffered acute stress and depression and had needed to obtain counselling and medication.

The woman said she had complained to the then Data Protection Commissioner, Billy Hawkes, who had found there had been a breach of the Data Protection laws.

The mother had afterwards issued the court proceedings in which she sued the pharmacy under the Data Protection Act for negligence and breach of duty in allowing the footage to be shown to the father.

Mr English told Judge Groarke that if the father had taken photographs of a computer screen, he had done so without the pharmacy’s consent and the pharmacy fully contested the mother’s claim.

Counsel said the act allowed for personal data to be given to a third party if it was required urgently to protect someone’s health. He said the father had been highly agitated and distressed.

Following a brief adjournment to allow talks between the parties, Ms O’Neill said the matter had resolved. The judge, who had earlier refused an application by Ms O’Neill for the case to be heard in camera but had made an order restraining identity of any of the parties, struck out the case


Thursday, 25 September 2014

20% of ‘right to be forgotten’ requests concern an image

French start-up, which helps consumers remove information about themselves from Google, has said almost 20 per cent of Irish requests under the “right to be forgotten ruling” concern an image.
The European Court of Justice ruled in May that individuals have the right, in certain circumstances, to ask search engines to remove links with personal information about them.
Established by online reputation agency Reputation VIP, helps users through the process of asking Google to remove information.
Since setting up in June, the start-up has received applications requesting the removal of almost 300 links from Irish people.
Three-quarters of applications were refused by Google, as they were “deliberately placed in public”, concerned another person, or were still relevant.
Some 8.5 per cent of requests were refused as the person seeking removal of information was the author of that information and could change it themselves on social media. said 18 per cent of Irish requests concerned an image, and Ireland is the ninth country in the number of requests, with 294 URL removals. In comparison, the UK ranked first with 3,700 requests for URL removals.

Requests declined
Overall, Google decli- ned 59 per cent of requests submitted by seeking the removal of information on behalf of people throughout Europe.
This is based on more than 15,000 URLs sent to Google via, from 30 countries.
Within one week of launching on June 24th, 13,000 people had registered on and submitted 1,106 “right to be forgotten” applications requesting the removal of a total of 5,218 links.
Invasions of privacy, defamation and insult represented just over 50 per cent of all Google content removal requests.

Helen Dixon appointed as Data Protection Commissioner

Former companies registrar and Department of Jobs official succeeds Billy Hawkes
Irish Times, 10th September 2014
The Government has announced the appointment of Helen Dixon as the new Data Protection Commissioner.
Ms Dixon, who has previously held senior management positions in the Department of Jobs, Enterprise and Innovation, succeeds Billy Hawkes, who retired last month.
He had been in the role since 2005, serving two separate terms.
In a statement, a Government spokesman said Ms Dixon brings “a wealth of experience and expertise to her new role, both in the public and private sectors”.
She was appointed registrar with the Companies Registration Office in December 2009 having previously held senior management positions in the Department of Jobs.
She served an 11-year career in two US IT multinationals with their EMEA bases in Ireland.
The new commissioner holds an honours undergraduate degree in Applied Languages (French and German), a Masters in European Economic and Public Affairs, a postgraduate diploma in Computer Science and a Masters in Governance from Queen’s University Belfast.
She was appointed an honorary fellow of the Institute of Chartered Secretaries and Administrators in 2014.
Ms Dixon is the first woman in the role. She will take up her appointment over the coming weeks.
Minister for Data Protection Dara Murphy, who was just recently appointed to the newly created Government position, welcomed the appointment.
“The role of the office of the Data Protection Commissioner as an independent body which has responsibility for safeguarding data in Ireland is of critical importance.
“As we move at an increasingly faster pace into the digital age, it is fundamental that we ensure that our data, which is becoming an increasingly valuable asset, is afforded the optimum level of protection,” he said.
“This is a function which the Data Protection Commissioner has performed since the role was established in 1988 and will become even more significant in the years ahead.”
Mr Murphy congratulated Ms Dixon on her appointment andwished her success in her “important new role”.
The appointment comes at a challenging time for the protection of individual privacy and at a major juncture in the development of European data protection law.
Ms Dixon will be responsible for the protection of the personal data of hundreds of millions of European citizens due to the fact that several US multinationals, including Facebook, Linkedin and Apple have based their EU headquarters in Ireland.
A case in which her predecessor, Billy Hawkes, refused to investigate claims of a mass transfer of personal data to US intelligence services via Facebook has been referred by the High Court to the Court of Justice of the European Union.
A decision is not expected in the case - which has implications for an agreement between the EU and the European Union on how such transfers of personal data may legally take place - before next year.

Friday, 19 September 2014

Tough challenges ahead for new Data Protection Commissioner

Never have the issues of data protection and personal privacy had such high profile
Irish Times 18th September 2014

What does Ireland need from its new Data Protection Commissioner?
We now know who has replaced former Commissioner Billy Hawkes, who retired from the role in August: civil servant Helen Dixon, who up until now has been registrar with the Companies Registration Office.
Prior to that, she was a principal officer in the Department of Enterprise, Trade and Innovation. She also worked for US technology company Citrix at its Europe, Middle East and Africa office in Ireland, as manager of Technical Support Services.
Pivotal point
She comes to the role at a pivotal and daunting point. Never have the issues of data protection and personal privacy had such high profile. Along with media coverage of repeated breaches of data in this country and internationally, the general public has had more than a year of leaks from the trove of documents obtained by former US government contractor and whistleblower Edward Snowden.
Those – revealing a shocking degree of large scale surreptitious digital data gathering on ordinary citizens by US and UK surveillance agencies – have rattled international relations.
In particular, the revelations have spurred the EU to push for more restrictions on access to its citizens’ data and greater national and international oversight.
On the US side, elected representatives, privacy organisations and the general public have demanded explanations and more transparency in how law enforcement agencies acquire and use personal data.
And, somewhere in the middle, with their exact involvement still a mystery, sit many multinational companies – especially in the technology and online sector – which handle teraflops of data from customers and service users around the world, every day.
Some are known to have passed data to US agencies, with many of these continuing to request they be given permission from the US government to reveal more about what they are asked for, and when and how they complied. Others state they had no idea US and UK agencies were siphoning off their users’ data.
In this tense atmosphere, the EU has signaled that it will bring in a more restrictive and clearly defined Data Protection Regulation next year. This must by transposed directly, not piecemeal as had been the case with the existing directive, which came out of legislation in a pre-internet era.
All indications are that the EU will require data misuse complaints against companies be referred to the Data Protection Commissioner in the EU state in which the company has its European headquarters.

‘No data breach’ says Irish Water, despite sending 6,329 letters to the wrong address

The Data Protection Commissioner has not said whether a breach took place.
The Journal, 10th September 2014
IRISH WATER HAS apologized for sending more than 6,000 letters with incorrect names to customers, but says it does not believe the mistake represents a data breach.
The semi-state company had been investigating the possibility of a data breach after it emerged that letters sent to 6,329 multiple home-owners this month were wrongly addressed.
Ironically, the letters had asked customers to confirm their personal details, to allow Irish Water to update their customer database before water charges come into force next month.
Responding to an enquiry from, a spokesperson from the office of the Data Protection Commissioner did not address whether or not a data breach had taken place.
In their statement this evening, Irish Water confirmed the mistake had come to their attention last Tuesday, and that they had reported it to the Data Protection Commissioner.
In line with this process, Irish Water has sent letters to owners of multiple properties asking them to confirm the details of properties they own. Irish Water is aware that incorrect names have appeared on correspondence issued to 6,329 of these individuals. This became apparent on 4th September.
Irish Water acted immediately to resolve this issue and all of the property owners affected have been advised accordingly.
On becoming aware of the issue, Irish Water also immediately informed the Office of the Data Protection Commissioner (DPC) and our understanding is that the issuing of the letters does not constitute a breach and that the Office of the DPC are satisfied with how Irish Water have dealt with the issue.
Our customer contact centre (1890 448 448) is available to respond to any customer queries or concerns.
Irish Water has apologised for any confusion and concern that this might have caused affected customers.
Despite an enquiry by, the Office of the DPC did not clarify this evening whether or not a data breach had occurred.
A spokesperson did, however, say the DPC had “concluded its investigation.”
Irish Water notified this office on 4th September of a potential data security breach…
Irish Water notified the affected individuals of the matter and sought return of the incorrectly addressed letters.
Irish Water have informed this office of the steps being taken to prevent a repeat of this type of incident.
On this basis, this office concluded its investigation into the matter.

Wednesday, 20 August 2014

Credit Unions will be pursued for data protection breach

The Irish League of Credit Unions has said that it will undertake a full review into the credit unions that used private investigators that illegally obtained personal data from the Department of Social Protection. The move follows the revelations regarding the use of so called tracing agents by four credit unions in Limerick, five in the midlands, two in Dublin and one in Meath. The branches face the prospect of being required to destroy any personal data handed over by private investigators, which are currently being probed by the Data Protection Commissioner. Prosecutions, which could result in fines for the private detective firms in question, are expected to follow.  

Have you been effected by the above breaches?

Have your data protection rights been breached by a Credit Union?

We have represented clients whose information has been disclosed by Credit Unions.

Credit unions who got stolen data may now be asked to destroy it

Irish Independent 19th August 2014 
A full review is to be undertaken into credit unions that used private investigators who illegally obtained personal data from the Department of Social Protection.
The Irish League of Credit Unions (ILCU) announced the move yesterday as the minister with responsibility for data protection said he was “deeply concerned” by revelations in this newspaper.
The credit union network has been rocked by an Irish Independent investigation into the use of so-called tracing agents. The branches at the centre of the scandal face the prospect of being told to destroy any personal data handed over by private investigators who are being probed by the Data Protection Commissioner. These credit unions include four in Limerick, five in the midlands, two in Dublin and one in Meath. Assistant Data Protection Commissioner Tony Delaney is pursuing a number of firms who used false identities and blagging tactics to illegally obtain the information from the Department of Social Protection. While the credit unions who received the stolen data insist they were not aware of the methods used by the private investigators, the ILCU last night said a review into the use of the firms will take place.
Minister for Data Protection Dara Murphy said he was "deeply concerned" at the revelations. And Fianna Fail finance spokesman Michael McGrath called for the establishment of a code of conduct for financial institutions enlisting the services of private investigators. "The issues raised by the Irish Independent are very grave. The Central Bank must devise a code of conduct that would apply to the use of Private Investigators by financial institutions. Such a code is of paramount importance to ensure the integrity of people's personal data is protected at all times," Mr McGrath said. Meanwhile, the Central Bank last night said it expected all credit unions to fully co-operate with the Office of the Data Protection Commissioner. "The Central Bank expects that each credit union fully complies with all legal and regulatory obligations including all data protection requirements," a spokesperson said. "The Central Bank will assess the need for correspondence with individual credit unions and/or the credit union sector in relation to specific issues arising from this matter. "The investigation by Assistant Commissioner Delaney was launched last July and established that state officials had been duped by private investigators hired by credit unions. In some instances, agents contacted welfare officials and obtained addresses and employment details through a single phone call. The agents struck up a rapport with the unsuspecting department officials who they continually contacted for personal data. They introduced themselves as fellow state officials, from departments north and south of the Border. At least 78 credit union customers had their information breached. However, it is believed reams of other data was obtained by agents who targeted other state agencies. Some credit unions paid out €50 per single address. The Irish Independent understands credit unions who are storing stolen data may be asked to destroy it. The Department of Social Protection has said it continuously reviews its internal controls and takes data protection responsibilities very seriously. In a statement to the Irish Independent, the ILCU confirmed that a review of the use of private investigators would take place. The umbrella body, with represents 374 credit unions nationwide, also said it would be seeking a meeting with the Office of the Data Protection Commissioner "to ensure best practice going forward for all credit unions using tracing agents or private investigators". "We take very seriously any allegation that a private investigator working for a credit union has obtained information on members illegally. The ILCU has written to our affiliated credit unions and reminded them of the guidelines issued by DPC in relation to best practice in this area," the organisation said. “Furthermore the ILCU's CU Learning & Development also provides training courses to support our credit unions in the areas of data protection and credit collection in the Republic of Ireland. These courses are available throughout the year. In addition we will commence a review of credit unions who may have enlisted the services of private investigators to pursue arrears. ‘

Tuesday, 12 August 2014

Opinion: ‘Right to be forgotten’ ruling opens a legal and ethical Pandora’s box

The Journal, 23rd July 2014

THE RULING BY the European Court of Justice just over two months ago that the citizens of Europe have a ‘right to be forgotten’ has opened a legal and ethical Pandora’s box. The original ruling, based on the case of a Spanish citizen who wished to have information about his financial woes a decade previously taken out of search results on Google, was vaguely constructed and left the door open for individuals, and maybe even organisations, to have damaging or embarrassing material about themselves no longer reachable through a Google search.

While the court said that the ruling would be applied only where it did not conflict with freedom of expression or of the press, it left the burden of proof and investigation of this up to the party running the search engine, i.e. Google, and not up to the person seeking to have his or her information “forgotten”. Google is currently receiving about 1,000 requests a day for links to particular pieces of information to be removed from its search results. Quite understandably, the company has begun simply to grant these requests on receipt of them, as there is no way the company could (or should) wade through the sheer volume of requests and check each one for compliance with both the ruling on forgetting information and with freedom of speech. The court’s insistence that it is Google’s job to do the leg-work on each request has led inevitably to the company letting through a lot of right-to-be-forgotten requests which are dubious, to say the least.

From corrupt referees in Scotland to bankers at the former financial institution Merrill Lynch who may have played a role in the financial crash, various individuals are coming forward to have unpleasant facts about their pasts erased. Then of course there are the convicted sex offenders and individuals convicted of crimes like assault who wish to have links to articles about their crimes taken down. This ruling is a godsend for anyone with a criminal past who wishes to scrub their own record clean.

Effective data protection

The ruling was based on the principle of ‘Data protection’ which was conceived as a way of protecting the data of private citizens when it is held by governments. It particularly applies to social services and other branches that keep large quantities of highly personal information about citizens. This is a crucial protection afforded to citizens against the one organisation whose processing of data needs to be closely monitored: their government. As exemplified by the ongoing activities of the NSA and other overly-powerful governmental organisations around the world, when it comes to government-held data, the citizen needs not just a right to be forgotten, but effective safeguards to ensure the government cannot get certain information in the first place. Data protection does not apply well to private companies. The information to which people are attempting to restrict access is public knowledge, shared freely over the internet. Just because information is relevant to someone does not mean they have carte blanche to restrict access to it.This is especially true with online articles and other documents which are made available in the public interest, and should not be censored, no matter how embarrassing their content. The function of the press is to spread information in the public interest. Sometimes this information may be detrimental to an individual’s reputation, but the fundamental freedom of the press to spread information should not be curtailed because of this.

Empowering governments

The wide-ranging ruling handed down by the European Court has a second danger concealed within its arguments. By empowering European governments to go after companies like Google whose servers are actually based outside European territory, the court is setting a dangerous precedent. If the European courts can prosecute Google and other search engine providers for not removing links to information stored in servers outside the continent, what is to stop the the process happening elsewhere? What if the United States government, for example, were to demand that information based on or provided by Wikileaks or Edward Snowden be deleted from European-based servers? Given that the European court said in its ruling that information could be deleted if it was “inaccurate”, “excessive” or “irrelevant” surely the US government would have grounds to demand that leaked documents be taken down from search engines or removed entirely, or even that newspaper articles relating to them be removed from Google search results.

The internet has given birth to an unprecedented free transfer of information in the modern world. It has broken down barriers and enhanced freedom across the globe. To start rowing back that freedom by way of a “Right to be forgotten” would undermine over two decades of progress. Information should be free, and not restricted by the arbitrary actions of individuals or unaccountable courts. It is time to forget about the right to be forgotten.

Private investigator to be tried over data breaches in October

Irish Times, 21st July 2014

A private investigator charged in relation to alleged breaches of data protection legislation will be tried in October. Michael J Gaynor, trading as MJG Investigations, Beatty Grove, Celbridge, Co Kildare, was before Dublin District Court this morning facing a prosecution by the Data Protection Commissioner. Mr Gaynor faced 72 criminal charges in relation to alleged breaches of data protection legislation, including illegally accessing and disclosing personal information on individuals held by An Garda Síochána and the ESB.

It is the first such criminal prosecution of its kind in the State. Mr Gaynor faces three charges of illegally accessing personal information held by An Garda Síochána and of disclosing it without authority, under the provisions of section 22 (1) of the Data Protection Acts 1988 and 2003.

He faces a further nine charges of illegally accessing and disclosing personal information held by the ESB under the same section of the Acts. Some 60 charges against him relate to illegally processing the personal data of a number of individuals without an entry in the register held by the Data Protection Commissioner for data processors.

The offences are all alleged to have occurred between May and October 2013. Counsel for Mr Gaynor, Justin McQuade BL, told the court today the issues had been “considerably narrowed” and that a trial would go ahead on three of the charges. He said one day would be sufficient to hear the case. Judge John O’Neill set the trial date for October 6th.

Friday, 8 August 2014

Revealed: State gives patient records to big pharma and insurers

The Sunday Business Post, 29th June 2014 

The hospital records of every patient in the country are available on request to various pharmaceutical companies and health insurers, The Sunday Business Post can reveal. The revelation has alarmed patient groups rights campaigners and privacy advocates, as it has occurred without the informed consent of patients. This means that health insurers, marketing companies and pharma giants can access intimate personal medical records.

The Healthcare Pricing Office (HPO), which collates the national database from patient records provided by 57 acute hospitals, refused to disclose which organisations and researchers have secured access to the data. The HPO, which is part of the HSE, said the data was scrubbed of certain personal identifiers, such as a patient’s name and date of birth. However, organisations can request the age, sex year of hospital discharge, county of residence of the patient and the county in which the patient was treated. Privacy experts warned that it was possible to piece together a person’s identity using their location and age. They said there were countless international examples whereby data miners has reverse-engineered the data and used additional databases, to discover the names of patients. For example, if someone knew a high-profile personality had been admitted to hospital on a certain date for a specific treatment that person’s medical data could potentially be identified.

This has happened in other countries. Fintan Lawlor, a solicitor who specialises in data protection, said gthat6 under the Data Protection Acts the HSE, ‘should seek to have the consent or explicit consent of the data subject to the transferring of that information to a third party’. Lawlor said; “Section One of the Data Protection Acts gives a definition of personal data and is described as ‘data relating to an individual who is or can be identified either from the data or from the data in conjunction with other information that is in, (or) likely to come into, the possession of the data controller.’

Lawlor, who is a partner at the Dublin-based Lawlor Partners, said’ where sensitive data is concerned, it is important that explicit consent is obtained from the data subject and that they understand the implications of the consent.’ The ESRI managed the data since the 1990s. In January of this year the Healthcare Pricing Office took over. It is unclear how long third parties have been allowed to access the data; the HSE did not say. “I would say that they suspect that they may be in breach of the Acts and, accordingly, are not prepared to disclose the information”, said Lawlor.

The HSE said it could not disclose what organisations had received medical records as it had assured them anonymity. The Irish Council for Civil Liberties (ICCL) called on the HSE to ‘come clean’. Mark Kelly, director of ICCL, said patients had a ‘legitimate interest in knowing what external organisations are receiving their highly sensitive and personal records.’ Stephen McMahon, director for the Irish Patients Association, said; ‘if privacy is dead for Citizen U, them why should those that benefit from the harvesting of Citizen U’s life data be given privacy?’ McMahon said a ‘basic right for all patients is the right to confidentiality and a right to consent to allow others to access data about them if they so wish, including the state’.

McMahon called on the Data Protection Commissioners to publish an annual report of the requests that were made, as well as the names of the organisations that requested access to data. Advocates for sharing health data say it can be used to improve overall patient health data say it can be used to improve overall patient health outcomes, make medical advances easier and ultimately save lives. Privacy experts warn there is no way for the public to work out who will ultimately have possession of their medical records or to what use their data will be put. The HSE said it was not selling patients’ data.

Tuesday, 24 June 2014

Private investigator prosecuted for alleged data breaches

Irish Times - 23rd June 2014

A private investigator is facing 72 criminal charges in relation to alleged breaches of data protection legislation, including illegally accessing and disclosing personal information on individuals held by An Garda Síochána and the ESB. Michael J Gaynor, trading as MJG Investigations, Beatty Grove, Celbridge, Co Kildare, was before Dublin District Court this morning facing a prosecution by the Data Protection Commissioner.

It is the first such criminal prosecution of its kind in the State. Mr Gaynor faces three charges of illegally accessing personal information held by An Garda Síochána and of disclosing it without authority, under the provisions of section 22 (1) of the Data Protection Acts 1988 and 2003. He faces a further nine charges of illegally accessing and disclosing personal information held by the ESB under the same section of the Acts.

 Some 60 charges against him relate to illegally processing personal data without an entry in the register held by the Data Protection Commissioner for data processors. Counsel for Mr Gaynor, Justin McQuade BL, said he needed to assess the file on the matter and to discuss whether certain matters may or may not be admissible. He asked that the Data Protection Commissioner further distill the information in the summons and to outline what matters he would seek to rely on in the case.

Sophie More O’Ferrall of Philip Lee Solicitors, for the commissioner, said that while there may be “arguments to be had” over certain of the matters, it was the prosecution’s intention to rely on all of the matters that had been outlined in the file. Judge John O’Neill adjourned the matter for mention to July 21st next.

Thursday, 19 June 2014

Facebook privacy case sent to Europe

Irish Examiner June 19, 2014 

The European Court of Justice (ECJ) is to be asked to examine the law governing data protection following a student’s legal challenge over the rejection of his complaint about interference with personal privacy by the mass transfer of data by Facebook to the US intelligence services.

Max Schrems, an Austrian post-graduate law student behind a data privacy campaign group called ‘Europe v Facebook’, brought a High Court challenge claiming Ireland’s Data Protection Commissioner Billy Hawkes wrongly interpreted and applied the law governing the mass transfer of personal data of Facebook users to the US National Security Agency (NSA). Mr Hawkes found Mr Schrems’ complaint did not meet the threshold required to merit investigation. Mr Schrems had asked Mr Justice Gerard Hogan to quash that decision and refer it back to Mr Hawkes for re-consideration. He said the Commissioner’s decision was irrational and asked that a preliminary reference be made to the ECJ. Mr Hawkes, who found Facebook had acted within the terms of an EU-US data-sharing agreement in July 2000 called ‘Safe Harbour’, opposed the action. He found Facebook had no case to answer and was in compliance with relevant regulations.

The court heard Mr Hawkes rejected suggestions that he was not prepared to take on big companies, arguing that he was already investigating 22 other similar complaints from Mr Schrems, but this particular one did not warrant an investigation. Yesterday, Mr Justice Hogan said he was referring the matter to the ECJ for re-evaluation given that “much has happened” since the Safe Harbour agreement. This included the enhanced threat to national and international security, disclosures regarding mass and undifferentiated surveillance of personal data by US security forces, and the advent of social media.

 The main development, from a legal perspective, was the introduction, after July 2000, of Article 8 of the Charter of Fundamental Rights of the EU governing personal data, he said. While Mr Schrems maintained Mr Hawkes had not adhered to the requirements of EU law by rejecting his (Schrems’) complaint, the opposite was the truth, the judge said. Mr Hawkes had demonstrated “scrupulous steadfastness” to the letter of a 1995 EU directive... which gave rise to the Safe Harbour agreement. Mr Schrems’ objection was, in reality, to the terms of the Safe Harbour regime itself rather that to the manner in which Mr Hawkes had actually applied that regime, he said. 

There was perhaps much to be said for the argument that Safe Harbour had been overtaken by events, including the revelations by former NSA computer systems administrator Edward Snowden, which may be thought to have exposed “gaping holes” in contemporary US data protection practice, the judge said. The judge also noted the Snowden revelations demonstrated “a massive overreach” on the part of the security authorities “with an almost studied indifference to the privacy interests of ordinary citizens”. The judge said Mr Schrems contended the Snowden revelations about Prism showed there was no meaningful protection in US law or in practice regarding data transfer as far as surveillance was concerned and in particular there was no requirement by those services to obtain a court order for their activities.

 In this specific complaint, Mr Schrems had not challenged the validity of either the Safe Harbour decision or of the original 1995 EU directive. In those circumstances, Mr Hawkes is bound by the 2000 Safe Harbour decision and until the issue of re-evaluating that decision is dealt with, Mr Schrems’ application for judicial review and the complaint to Mr Hawkes must fail, he said. Given the general novelty and practical importance of the issues raised, which have considerable practical implications for all 28 EU member states, it was appropriate this question should be determined by the ECJ. The case was adjourned until next month for papers of the referral to be prepared.

Wednesday, 11 June 2014

Journalist who ran Edward Snowden revelations warns of privacy risk

Irish Times Sat, Jun 7, 2014

Pulitzer Prize-winning journalist Glenn Greenwald has said Europeans should defend their online privacy themselves rather than wait for Ireland to adopt a more robust approach to regulating Facebook. A year after he began publishing material provided by Edward Snowden, exposing widespread US surveillance of global telecommunications, Greenwald said Irish politicians had little chance against large corporations such as Facebook, which he said were effectively operating outside democratic control. “These companies have become so incredibly powerful . . . that we have a situation where even elected governments are almost no match and that poses a very serious problem,” said Greenwald, speaking in Berlin, where he was promoting his book No Place to Hide. “It is inconceivable to think of the Irish Government, the EU or US government imposing meaningful constraints on companies like Facebook and Google. ”

 Instead the most effective way of limiting digital surveillance, he said, was for people to think twice about using services “with a track record of supplying information to US intelligence”. Another approach, he said, was for people to “build bricks” around their online activity by encrypting their digital communication. Encrypting email and boycotting Facebook was, he said, “a more promising way of limiting their behaviour than hoping that some politicians in a capital somewhere will issue a regulation that does that”. Greenwald’s call comes ahead of a High Court ruling due on June 18th on whether Ireland’s Data Protection Commissioner (DPC) was correct not to investigate Snowden’s claims that Facebook International, based in Dublin and thus under Irish jurisdiction, supplied the NSA with European user data. Greenwald said he met Snowden recently in Moscow and that he found the computer specialist essentially unchanged from the man he met for the first time a year ago in Hong Kong. “The fact he is not in a penal cage is a pretty good thing.

He is free to participate in the debate he helped galvanise around the world,” said Greenwald. He is free to move around in Moscow and is able to keep a low profile, the journalist said, because he looks “like an 18-year-old kid from Iowa ... on an exchange programme” rather than a world-famous whistleblower. After months of revelations about high-level US spying in Germany, a Bundestag parliamentary inquiry has agreed to hear testimony from the ex-NSA contractor and has asked to meet him in Moscow for an “informal conversation” before deciding how to proceed.

While opposition parties and civil rights groups are demanding asylum for Snowden to allow him to testify in Berlin, the German government and their deputies sitting on the inquiry are opposed to this. Greenwald has described their stance as “shameful”, arguing that German politicians had “not just a moral but a legal duty” to their voters to conduct a thorough investigation of the NSA claims by questioning Snowden in person.

The wrangling over testimony, Greenwald said, suggested German politicians remained “fearful of doing anything that might offend Washington”. For his part, Snowden told Stern magazine that Berlin’s hesitation might be because “German intelligence services are in bed with the Americans”. “Clearly facts continue to be kept secret which would cause outrage in public,” he said. This week Germany’s attorney general opened a formal investigation into claims that the NSA tapped Chancellor Angela Merkel’s mobile phone, but said there was, so far, insufficient evidence for an investigation into claims of widespread data collection.

In Berlin, Greenwald promised to increase the pace of revelations from the Snowden files, a move he hopes will help boost awareness of the need for privacy in the digital age. “Even though privacy is a difficult value to express and defend, the need for it is intuitive to all human beings,” he said. On the first anniversary of his revelations, Snowden’s German lawyer confirmed this week that his client would apply to renew his asylum in Russia for another year. The whistleblower, meanwhile, warned that unchecked collection and cross-referencing of digital data, from email messages to mobile phone mast signals, had made it easier than ever before to analyse, predict and influence human behaviour. “By linking data and analysing it,” he told Stern magazine, “I don’t just know when you went to bed, I also know with whom.”

Monday, 9 June 2014

Europe to force Google, Facebook to abide by EU privacy rules

Irish Times 6th June 2014

A deal to force Internet companies such as Google and Facebook to abide by EU rules is a first step in a wider reform package to tighten privacy laws

Companies based outside the European Union must meet Europe’s data protection rules, ministers agreed on Friday, although governments remain divided over how to enforce them on companies.

The agreement to force Internet companies such as Google and Facebook to abide by EU rules is a first step in a wider reform package to tighten privacy laws - an issue that gained prominence following revelations of US spying in Europe.

Vodafone’s disclosure on Friday of the extent of telephone call surveillance in European countries showed the practice was not limited to the United States. The world’s second-largest mobile phone company, Vodafone is headquartered in the United Kingdom.

“All companies operating on European soil have to apply the rules,” EU Justice Commissioner Viviane Reding told reporters at a meeting in Luxembourg where ministers agreed on a position that has also been backed by the Court of Justice of the European Union (ECJ).

Germany and the European Commission, the EU executive, have been highly critical of the way the United States accesses data since former US National Security Agency contractor Edward Snowden last year revealed US surveillance programmes.

Disclosures that the United States carried out large-scale electronic espionage in Germany, including bugging chancellor Angela Merkel’s mobile phone, provoked indignation in Europe.

“Now is the day for European ministers to give a positive answer to Edward Snowden’s wake-up call,” Ms Reding said.

Commenting on Vodafone’s disclosure, she said: “All these kind of things show how important it is to have data protection clearly established.”

The reform package, which was approved by the European Parliament in March, has divided EU governments and still needs work to become law despite Friday’s progress.

While ministers also agreed on provisions allowing companies to transfer data to countries outside the European Union, there was no decision on how to help companies avoid having to deal separately with the EU’s 28 different data protection authorities.

That issue was thrown into stark relief by a ruling from Europe’s top court requiring Google to remove links to a 16-year-old newspaper article about a Spanish man’s bankruptcy.

The search engine has since received tens of thousands of requests across Europe, and under current rules has to deal with each national authority.

A ‘one-stop-shop’ arrangement would allow companies to deal exclusively with the data protection authority in the country where it has its main establishment. But governments are concerned about a foreign data protection authority making binding decisions that they would then have to enforce.

For example, if a complaint originated in Denmark against a company based in Ireland, the Danish authorities would have to implement a decision by the Irish data protection body, something that is both legally and politically difficult