STATE OF DATA
Data protection is about your fundamental right to privacy. You can access and correct data about yourself. When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. You have the right to data protection when your details are held on a computer, held on paper or other manual form as part of a filing system and where photographs or video recordings of your image or recordings of your voice are held.
More than one billion internet users rely on Ireland's Data Protection Commissioner to safeguard their data and ensure that it is not used inappropriately. It is a truly awesome responsibility. The current Data Protection Commissioner is Billy Hawkes. Prior to his appointment ten years ago as Data Protection Commissioner, Mr. Hawkes was a career civil servant who held positions in Finance, Enterprise Trade & Employment and Foreign Affairs.
The office of the Data Protection Commissioner is situated in a small building and above O'Hanlon's supermarket in Portarlington, County Laois. There is a team of 30 members of staff and it's budget was recently increased to 2 million euro. That's 0.002 euro spend per person annually by Data Protection to protect the Data of nearly half of the worlds internet users. Understandably, the Data Protection Commissioner has been the subject of international civil rights criticism - A spokesperson for European Digital Rights, Joe McNamee said that the Commissioner's Office permitted companies “do whatever they want with personal data”.
Data Protection Commissioner, Billy Hawkes, refused to investigate complaints against Apple and Facebook citing agreement Safe Harbour which he said allowed data to be exchanged.
Austrian data privacy campaigner Max Schrems, member of EvF, has challenged the refusal of the commissioner to investigate the Dublin-based Facebook subsidiary and asked him to investigate Edward Snowden’s allegations that it shared European user data with US authorities. He also asked the DPC to investigate whether companies under its jurisdiction were in breach of EU data protection regulations. His complaint was dismissed as “frivolous and vexatious”.
Edward Snowden exposed how an agreement called Safe Harbour allowed information about European users to be passed on to US authorities by Facebook and Apple. A group of Social and Democrat MEPs called for the suspension of the U.S.-EU Safe Harbor Framework and argued that the Safe Harbor Agreement is, variously, “misleading,” “vulnerable,” and “ineffective.” One MEP, Claude Moraes, the S&D rapporteur for the European Parliament in the investigation into U.S. surveillance, stated that “the European Parliament should be calling for the Commission to suspend the Safe Harbor Agreement". The Data Protection Commissioner's decision is currently the subject of legal proceedings.
On the domestic front the Data Protection Commissioner is likewise the subject of criticism for what is perceived by many as his 'Light Touch' regulation of how Irish public bodies use information.
Much of what happens in the DPC's office stays in the DPC's office. The Commissioner is quoted as saying “Most of our work is done behind closed doors without publicity but with the outcome being exactly what we want” and therein lies the problem. When the Commissioner says 'we' in domestic issues, he is 'we' as in a career civil servant conditioned to show deference to former colleagues and state institutions. As for 'behind closed doors', if we have learned anything in the past five years, it is that the worst of things happen behind closed doors.
Recently the Commissioner said that he was "Entirely unsatisfied" with the handling of personal data by the Department of Social Protection. The Department of Social Protection holds some of the most personal and private of information on all Irish citizens, wrongdoing by the Department should be of paramount concern to every person with a Personal Public Service (PPS) number. The Commissioners new found dissatisfaction rings hollow when compared to previous decisions by the office of the Data Protection Commissioner. The casual attitude of the Department toward Data Protection is a result of years of deference by Data Protection Commissioners to senior management in the Department.
The office of the Data Protection Commissioner is itself exempt from having to comply with data access requests. This ensures that decisions by the Data Protection Commissioner can never be closely scrutinised, but there there was a time. Back before Mr. Hawkes was appointed as Commissioner the position was held by Mr. Joe Meade, another career government employee. Before being appointed as Data Protection Commissioner, Mr. Meade was Secretary General of the Comptroller and Auditor General's office Ireland. In 2001, a young woman complained to the then Data Protection Commissioner that her data had been wrongly accessed by a Department of Social, Community and Family Affairs official. A haphazard and sporadic 'investigation' by the office of the Data Protection Commissioner eventually revealed that the reasons cited by the Department for the officials accessing of the young woman's data were legally unsustainable. Despite obtaining irrefutable evidence from the Department that senior management in the Department had covered up for the official's unauthorised accessing of the young woman's data, Deputy Data Protection Commissioner, Tom Maguire decided:-
It is not within the remit of the Commissioner, having regard to the powers conferred on him by the Act, to question a Department of Social, Community and Family Affairs statement that a particular officer was carrying out his official duties. Accordingly, the Commissioner considers that there has not been a contravention of the Act in this case.This was entirely untrue, the Data Protection Commissioner has widespread powers to hold companies and state agencies to account. The young woman obtained the damming and irrefutable evidence that Data Protection knew of the Social Welfare cover up following a Data Access request to the Data Protection Commissioner. The Commissioner was legally obliged to answer and in doing so exposed the innermost workings of his office. The young woman managed to do the same once more before the Data Protection Legislation was amended in 2003 and forever more the Data Protection Commissioner was exempted from the very legislation he was charged to uphold.
Even more worrying has been the Commissioner's infathomable attitude toward An Garda Siochana and the brave whistleblowers who have risked all to expose widespread abuses of Penalty Points and the PULSE system. Days before revelations of widespread surveillance abuse came out on Tuesday 25 March, (the same day that Martin Callinan resigned as Garda Commissioner over his "disgusting" remarks), Mr Hawkes, speaking to RTE, said there were enough instances of gardaí inappropriately accessing PULSE for an acknowledgement that there was an issue to be addressed. It had emerged that members of the force had been accessing information on the system about a number of high-profile public, media and sporting figures. The records of one person who works in the modelling industry were accessed over 80 times, while another public figure was checked over 50 times. Despite the overwhelming evidence of multiple breaches of Data Protection Legislation, the Data Protection Commissioner found the majority of areas examined demonstrated a professional police force operating in compliance with data protection legislation. Clearer guidelines had been issued, he said, and proactive audits are now being carried out under an approved code of practice.
The Garda Commissioner (now resigned) welcomed Mr. Hawke's infathomable disregard for the Data Protection rights of ordinary citizens. Mr Callinan claimed "As the holders of sensitive information about individuals, An Garda Síochána takes its obligations under Data Protection legislation very seriously". The true factual position is that the office of the Data Protection Commissioner had known for more than 10 years that Gardai at all levels had repeatedly not taken their obligations under Data Protection legislation at all seriously.
In 2000 a woman made a statement and complaint of assault to her local Garda station. Over a year later the woman made a written data access request to An Garda Siochana. An Garda Siochana replied within 3 weeks and informed the woman that they held no personal data on her. The woman contacted the Office of the Data Protection Commissioner and informed them that she had made a complaint and statement but that all records had disappeared and records of an investigation should exist. As evidence to support her position, the woman forwarded a typewritten copy of her statement which had been given to her by her local Garda station shortly after she had made her statement. For over a year Gardai from the rank of Sergeant to Assistant Commissioner flat out denied to the DPC's office that any data at all existed. Eventually, a Ms Anne Gardener from the DPC's office telephoned the local Garda Station directly and requested that a Sergeant type the woman's name into a computer. The result was very quickly the subject of a scathing letter from Ms Gardner to the future Garda Commissioner -
To D/Chief Supt. Martin Callinan, Security and Intelligence, Garda HQ
In your reply of 29th November 2001 and 5th March 2002 you indicated that the report was not held on computer in Ashbourne Garda Station in a form in which it could be processed, at the time of (Woman's) access request. Before writing to (woman) to conclude her complaint, that there was no data about her, held on computer in Ashbourne Garda station (and to speedily conclude matters) in particular point one of your letter of 5th March 2002, I phoned Ashbourne Garda station to clarify matters. During this discussion, I was informed that a copy of (woman's) statement is indeed held in Ashbourne Garda Station and in a processable form.
There is in fact personal data on a computer which is fully processable, she is entitled in law to this information.
This Office wishes to be informed as to whether or not you now propose to accede to(woman's) access request under Section 4. I would also like to be informed as to why this latest information was not furnished in your reply of 5th March 2002.
Yes folks, this was the future Garda Commissioner twice denying in writing that any data existed even though a cursory phone call was able to reveal that it did. To this day no explanation has ever been given by An Garda Siochana as to why the woman's complaint and statement were never investigated nor why all records about her complaint of serious assault against a civil servant were 'disappeared'. Soon after this letter Ms Gardner ceased to be involved with the case as did any willingness on the part of the Office of the Data Protection Commissioner to hold An Garda Siochana accountable. Over the next six months, the woman repeatedly requested in writing and phone calls that a decision be made. Eventually, grudgingly and after being forced into a corner by the woman who had obtained all the pertinent evidence through a data access request to the Data Protection Commissioner, Joe Meade decided that the then Garda Commissioner as the registered data controller for An Garda Siochana, had breached data protection legislation.
This Data Protection decision gives a real insight into the mindset of the Data Protection office and it is difficult to disagree with the young woman's assessment that "From the outset you have been in the business of State protection not Data protection, denying rights not upholding rights, accepting what is false and ignoring the true factual position".
Even the numbers of Data Access Requests acknowledged as received by An Garda Siochana are bogus. An Garda Siochana return access requests they deem 'incomplete'. Requests that are fully valid are routinely returned without justifiable explanation. No action has ever been taken by the Office of the Data Protection Commissioner to rectify this blatant disregard for data protection principles.
A fully valid access request is posted on the Data Protection Commissioner's website as follows:
I wish to make an access request under Section 4 of the Data Protection Acts 1988 and 2003 for a copy of any information you keep about me, on computer or in manual form in relation to.... (Fill in as much information as possible to assist the organisations to locate the data that you are interested in accessing)
I recommend that every person with a PPS number make a data access request to the Department of Social Protection and obtain copies of available data. This data is some of the most important data you will generate. It's too late to have it corrected when you are looking down the barrel of unemployment, retirement or sickness.
Likewise, data held by An Garda Siochana can have a serious impact on your life. Even if you have never had any dealings with An Garda Siochana they may hold data on you, a car registered to you for example. It is your right to know what data is held on you.
The second term of the current Data Protection Commissioner comes to a close in the not so distant future. In his time the role of the Data Protection office has grown from a domestic to an international concern. The role no longer requires a diplomat (if it ever did) drawn from senior civil servant stock, it is incumbent on Government to appoint a fully independent champion of individual data rights capable of holding profit driven giants to account. It is only then that we can have some confidence about the state of data in this State of data.