Oireachtas Joint and Select Committees

Wednesday, 21 June 2017

Joint Oireachtas Committee on Justice, Defence and Equality

General Scheme of Data Protection Bill 2017: Discussion (Resumed)

9:00 am

Mr. Denis Kelleher:

Certainly, there would be a concern there. If, for example, staff have taken social welfare data such as PPS numbers, and one is looking at whether or not one should be able to prosecute staff for breaches, that is a matter, I suppose, for each Department's legislation to look at the Department's confidential information. It is the obligation of the public body to control its confidential information and have effective controls in place.

In terms of members of staff who would breach that, on a statistical basis there will always be individual members of staff who are willing to break the law where there are financial incentives. The first obligation has to be on the data controller to ensure he or she protects against that obvious risk. Then if one is looking into that, one can ask, if somebody breaches the obligations of confidentiality, is there an effective deterrent against them?

One deterrent is that they can be prosecuted for a criminal offence. The confidentiality provision in these heads is very good, because it does not actually provide for an offence. The primary mechanism that one would want to bring against somebody for something like that is an action for damages, because the burden of proof is much lower. One is then able to say that somebody can be sued for breaching a person's confidentiality. The processes are not as rigorous. There has to be a very high standard of proof to bring a prosecution against a person.

I think this sort of mechanism, whereby one can actually bring an action for damages against an individual who breaches confidentiality in that way, is potentially quite a good remedy. On whether or not people working in public bodies should be subject to prosecution for breaching confidentiality, it is up to each public body to look at how personal data is secured, where the most sensitive pools of personal data are, what sort of operational or administrative protections - such as encryption - can be brought in to ensure the confidentiality of personal data, and whether it is useful to have the possibility of prosecuting people who breach that. It is part of a suite of remedies. I do not think it is sufficient in itself to say that if somebody breached that personal data and confidentiality, that person can be prosecuted. I do not think that is sufficient. Much more than that is needed. This legislation would have to be very careful to not seem to water down the obligation on data controllers to ensure confidentiality of data that they process. The dishonest employee is just one of a range of risks which they have to guard against.