The Data Protection Commission has described the sale of information by a Donegal-based civil servant as “one of the most serious data breaches ever
uncovered in this State.”
It follows the jailing of Letterkenny-based civil servant Rory Lenihan today.
Mr Lenihan was jailed for 12 months after pleading guilty to 12 sample charges of selling information relating to the personal details held at the Department of Social Protection.
Welcoming today’s court outcome, Assistant Commissioner Tony Delaney
said today’s sentencing hearing brings to an end lengthy court
proceedings which followed separate investigations by An Garda
Síochána and the Data Protection Commissioner (DPC) which began in
December 2010.
He revealed “The DPC conducted a detailed investigation in 2010 – 2011 of three
companies in the insurance sector. That investigation culminated in
the successful prosecution under the Data Protection Acts of those
companies, Zurich Insurance Plc, FBD Insurance Plc and Travelers
Insurance Company Limited at the Dublin Metropolitan District Court in
February 2012.
“The investigation followed the receipt of a formal breach report from
the Department of Employment Affairs and Social Protection of
suspected leaking to third parties by one of its officials of personal
data held on the Department’s computer systems. Our investigation
found evidence on claims files in the insurance companies concerned of
social welfare information concerning a number of insurance claimants.
“We established that the social welfare information had been supplied
to the insurance companies by a firm of private investigators, having
been disclosed to them by the defendant in today’s proceedings, Mr.
Rory Lenihan.”
He added that the “form and scale of the offending behaviour which
came to light in the investigation of this case was shocking.”
“This case stands out as one of the most serious data breaches ever
uncovered in this State. That a civil servant, who had ready access
for the performance of his official duties to the social welfare
records of every customer of the Department, abused his position and
trawled through those records and passed on personal information from
them to private investigators in exchange for corrupt payments is
scandalous and appalling.
“In the intervening years since this case first came to light in late
2010, the DPC has devoted significant resources to the detection of
leakage of personal data from State databases to private
investigators. Our work in that area, which is ongoing, has yielded
positive results with the detection and subsequent prosecution of five
private investigation entities since 2014 on charges of having
obtained personal data from State databases without authority and
passing it on to third parties in the insurance or financial sectors.”
He said today’s Court outcome should serve as a very clear warning to
employees in all sectors against snooping through, or disclosing to,
unauthorised third parties personal data that may be at their disposal
in their workplace for the performance of their duties.
“Employees are given access to records of personal data for
work-related purposes. Any deviation by employees from those official
purposes, such as accessing records to obtain information on behalf of
family, friends or others, constitutes a breach of data protection
legislation which could result in serious consequences for the
employees concerned.”