STATE OF DATA
Data protection is about your fundamental right to privacy. You can access and correct data about yourself. When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. You have the right to data protection when your details are held on a computer, held on paper or other manual form as part of a filing system and where photographs or video recordings of your image or recordings of your voice are held.
More than one billion internet users rely on Ireland's Data Protection Commissioner to safeguard their data and ensure that it is not used inappropriately. It is a truly awesome responsibility. The current Data Protection Commissioner is Billy Hawkes. Prior to his appointment ten years ago as Data Protection Commissioner, Mr. Hawkes was a career civil servant who held positions in Finance, Enterprise Trade & Employment and Foreign Affairs.
The office of the Data Protection Commissioner is situated in a small building and above O'Hanlon's supermarket in Portarlington, County Laois. There is a team of 30 members of staff and it's budget was recently increased to 2 million euro. That's 0.002 euro spend per person annually by Data Protection to protect the Data of nearly half of the worlds internet users. Understandably, the Data Protection Commissioner has been the subject of international civil rights criticism - A spokesperson for European Digital Rights, Joe McNamee said that the Commissioner's Office permitted companies “do whatever they want with personal data”.
Austrian data privacy campaigner Max Schrems, member of EvF, has challenged the refusal of the commissioner to investigate the Dublin-based Facebook subsidiary and asked him to investigate Edward Snowden’s allegations that it shared European user data with US authorities. He also asked the DPC to investigate whether companies under its jurisdiction were in breach of EU data protection regulations. His complaint was dismissed as “frivolous and vexatious”.
Edward Snowden exposed how an agreement called Safe Harbour allowed information about European users to be passed on to US authorities by Facebook and Apple. A group of Social and Democrat MEPs called for the suspension of the U.S.-EU Safe Harbor Framework and argued that the Safe Harbor Agreement is, variously, “misleading,” “vulnerable,” and “ineffective.” One MEP, Claude Moraes, the S&D rapporteur for the European Parliament in the investigation into U.S. surveillance, stated that “the European Parliament should be calling for the Commission to suspend the Safe Harbor Agreement". The Data Protection Commissioner's decision is currently the subject of legal proceedings.
On the domestic front the Data Protection Commissioner is likewise the subject of criticism for what is perceived by many as his 'Light Touch' regulation of how Irish public bodies use information.
Much of what happens in the DPC's office stays in the DPC's office. The Commissioner is quoted as saying “Most of our work is done behind closed doors without publicity but with the outcome being exactly what we want” and therein lies the problem. When the Commissioner says 'we' in domestic issues, he is 'we' as in a career civil servant conditioned to show deference to former colleagues and state institutions. As for 'behind closed doors', if we have learned anything in the past five years, it is that the worst of things happen behind closed doors.
Recently the Commissioner said that he was "Entirely unsatisfied" with the handling of personal data by the Department of Social Protection. The Department of Social Protection holds some of the most personal and private of information on all Irish citizens, wrongdoing by the Department should be of paramount concern to every person with a Personal Public Service (PPS) number. The Commissioners new found dissatisfaction rings hollow when compared to previous decisions by the office of the Data Protection Commissioner. The casual attitude of the Department toward Data Protection is a result of years of deference by Data Protection Commissioners to senior management in the Department.
The office of the Data Protection Commissioner is itself exempt from having to comply with data access requests. This ensures that decisions by the Data Protection Commissioner can never be closely scrutinised, but there there was a time. Back before Mr. Hawkes was appointed as Commissioner the position was held by Mr. Joe Meade, another career government employee. Before being appointed as Data Protection Commissioner, Mr. Meade was Secretary General of the Comptroller and Auditor General's office Ireland. In 2001, a young woman complained to the then Data Protection Commissioner that her data had been wrongly accessed by a Department of Social, Community and Family Affairs official. A haphazard and sporadic 'investigation' by the office of the Data Protection Commissioner eventually revealed that the reasons cited by the Department for the officials accessing of the young woman's data were legally unsustainable. Despite obtaining irrefutable evidence from the Department that senior management in the Department had covered up for the official's unauthorised accessing of the young woman's data, Deputy Data Protection Commissioner, Tom Maguire decided:-
It is not within the remit of the Commissioner, having regard to the powers conferred on him by the Act, to question a Department of Social, Community and Family Affairs statement that a particular officer was carrying out his official duties. Accordingly, the Commissioner considers that there has not been a contravention of the Act in this case.
The Garda Commissioner (now resigned) welcomed Mr. Hawke's infathomable disregard for the Data Protection rights of ordinary citizens. Mr Callinan claimed "As the holders of sensitive information about individuals, An Garda Síochána takes its obligations under Data Protection legislation very seriously". The true factual position is that the office of the Data Protection Commissioner had known for more than 10 years that Gardai at all levels had repeatedly not taken their obligations under Data Protection legislation at all seriously.
In 2000 a woman made a statement and complaint of assault to her local Garda station. Over a year later the woman made a written data access request to An Garda Siochana. An Garda Siochana replied within 3 weeks and informed the woman that they held no personal data on her. The woman contacted the Office of the Data Protection Commissioner and informed them that she had made a complaint and statement but that all records had disappeared and records of an investigation should exist. As evidence to support her position, the woman forwarded a typewritten copy of her statement which had been given to her by her local Garda station shortly after she had made her statement. For over a year Gardai from the rank of Sergeant to Assistant Commissioner flat out denied to the DPC's office that any data at all existed. Eventually, a Ms Anne Gardener from the DPC's office telephoned the local Garda Station directly and requested that a Sergeant type the woman's name into a computer. The result was very quickly the subject of a scathing letter from Ms Gardner to the future Garda Commissioner -
To D/Chief Supt. Martin Callinan, Security and Intelligence, Garda HQ
In your reply of 29th November 2001 and 5th March 2002 you indicated that the report was not held on computer in Ashbourne Garda Station in a form in which it could be processed, at the time of (Woman's) access request. Before writing to (woman) to conclude her complaint, that there was no data about her, held on computer in Ashbourne Garda station (and to speedily conclude matters) in particular point one of your letter of 5th March 2002, I phoned Ashbourne Garda station to clarify matters. During this discussion, I was informed that a copy of (woman's) statement is indeed held in Ashbourne Garda Station and in a processable form.
There is in fact personal data on a computer which is fully processable, she is entitled in law to this information.
This Office wishes to be informed as to whether or not you now propose to accede to (woman's) access request under Section 4. I would also like to be informed as to why this latest information was not furnished in your reply of 5th March 2002.
Even the numbers of Data Access Requests acknowledged as received by An Garda Siochana are bogus. An Garda Siochana return access requests they deem 'incomplete'. Requests that are fully valid are routinely returned without justifiable explanation. No action has ever been taken by the Office of the Data Protection Commissioner to rectify this blatant disregard for data protection principles.
A fully valid access request is posted on the Data Protection Commissioner's website as follows:
I wish to make an access request under Section 4 of the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form in relation to.... (Fill in as much information as possible to assist the organisations to locate the data that you are interested in accessing)
I recommend that every person with a PPS number make a data access request to the Department of Social Protection and obtain copies of available data. This data is some of the most important data you will generate. It's too late to have it corrected when you are looking down the barrel of unemployment, retirement or sickness.
Likewise, data held by An Garda Siochana can have a serious impact on your life. Even if you have never had any dealings with An Garda Siochana they may hold data on you, a car registered to you for example. It is your right to know what data is held on you.
The second term of the current Data Protection Commissioner comes to a close in the not so distant future. In his time the role of the Data Protection office has grown from a domestic to an international concern. The role no longer requires a diplomat (if it ever did) drawn from senior civil servant stock, it is incumbent on Government to appoint a fully independent champion of individual data rights capable of holding profit driven giants to account. It is only then that we can have some confidence about the state of data in this State of data.