Willie O'Dea (Limerick City, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

81. To ask the Minister for Social Protection the responsibility her Department accepts in the circumstances where private investigators accessed social protection information in breach of data protection; and if she will make a statement on the matter. [40055/14]

Willie O'Dea (Limerick City, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

This question arises from recent legal proceedings in which private investigators were convicted of breach of the data protection legislation by using confidential information which they got from the Department of Social Protection.

Joan Burton (Dublin West, Labour)
Link to this: Individually | In context | Oireachtas source

I take it the Deputy is referring to the Data Protection Commissioner’s successful prosecution of a firm of private investigators, MCK Rentals Limited, which recently resulted in convictions against the firm and both of its directors. I congratulate the Office of the Data Protection Commissioner on this successful and important prosecution. The firm illegally obtained customers’ personal data from a staff member of the Department and it is my understanding that information relating to customer addresses solicited by the private investigations firm was passed on to credit unions. I am very concerned at the behaviour of credit unions in these cases.

I have been informed that the private investigators were extremely adept at duping officials in the Department. They displayed a high degree of professionalism and training in duping techniques. They already had customers' personal information, such as dates of birth and PPS numbers. Departmental staff members require such personal information to ascertain whether telephone inquiries are from genuine sources.

The Department and I regret the understandable concern caused to the Department's customers by the illegal activities of these private investigators. We fully assisted the Office of the Data Protection Commissioner. I stress that the Department treats data protection with complete and total seriousness. As Deputies are aware, the Department deals with a substantial number of legitimate data requests every working day. In 2013, it dealt with well over 1.8 million telephone calls involving queries across the range of schemes provided by the Department. That equates to almost 35,000 telephone calls per week. The particular people involved in this case seem to have been extraordinarily adept at pretending. They had access to the basic information that is always used when checking whether an inquirer is a legitimate inquirer. Obviously, they gained access through that. I was deeply disappointed to hear it is apparent that the clients on behalf of which they were doing this were credit unions. I understand from some media comment that not all of the credit unions may have been aware that they were giving, or were able to supply, some of this information.

Willie O'Dea (Limerick City, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I share the Tánaiste's concern about the conduct of those credit unions. I congratulate the Office of the Data Protection Commissioner on this successful prosecution. I was interested to hear the Tánaiste's reply. Essentially, credit unions that had access to PPS numbers rang the Department, pretended to be representing another State body and sought the addresses of people they were chasing for alleged bad debts. Does the Tánaiste agree that this perfectly illustrates the danger of making people's PPS numbers available to third parties like Irish Water? As soon as a PPS number is given to a third party, the potential exists for anybody and everybody ultimately to access it. People who have no business accessing PPS numbers should not be able to access them. What steps have been taken to avoid a recurrence of this in the future? Somebody who is equally adept at duping social welfare officials might make a telephone call in the morning claiming to be from the southern area health board and looking for information like this. What has been done to prevent that from happening?

Joan Burton (Dublin West, Labour)
Link to this: Individually | In context | Oireachtas source

When a public representative or some other third party rings the Department on behalf of somebody, staff in the Department have to follow a standard procedure to ascertain that the person in question has the authority to act in that manner. Given that 1.8 million phone calls are received each year, or 35,000 a week, it is clear that a significant proportion of the Department's public services is conducted over the telephone. Standard checks are requested. In this case, one staff member of the Department was duped by people who were able to supply the PPS numbers of individuals and perhaps other information relating to those individuals. That allowed them to be extremely convincing. The Deputy referred to Irish Water. Social welfare legislation specifies that PPS numbers can be used by certain specified bodies, such as Irish Water, only for the purposes of public service transactions. Irish Water cannot use PPS numbers for any other purposes. That is set down in law.

The Social Welfare Consolidation Act provides that it is an offence to use PPS numbers in a manner not provided for under that Act. A person convicted of same can receive a significant fine or a term of imprisonment.

Willie O'Dea (Limerick City, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I accept the Tánaiste's remarks about the legislation, but credit unions are prohibited by legislation from using PPS numbers in the way they were used in this case. Once PPS numbers are given out to a third party, there is the potential for other people to acquire them.

It would not be easy, but has anything been done as a result of this case? Private investigators posing as public officials rang the Department, gave people's PPS numbers, which they should not have had in the first place, and consequently were given the people's addresses, which they passed on to the credit union. Can any action be taken to ensure this does not recur?

Joan Burton (Dublin West, Labour)
Link to this: Individually | In context | Oireachtas source

There is a protocol, as well as regular information and training programmes, in the Department in respect of people's personal data not being utilised in any way that falls outside the law and the Department's regulations. In addition, the Data Protection Commissioner closely oversees the Department's work in that respect, as the commissioner's primary function is to protect people's data. I am glad to report that, in this case, the commissioner was zealous in doing so.

If the person making the call claims to be the subject of the data request, he or she is first asked for identifying details such as his or her PPS number, which the people in question had, date of birth, mother's maiden name and other personal information that would help to verify that the person making the inquiry is who he or she is claiming to be. Since the people in this case already seemed to have an amount of data about the individual, they were able to answer the standard queries. If there is any doubt, people are asked to telephone back or further inquiries are made about the caller's identity or authority to ring on behalf of the particular customer. For example, public representatives make contact with the Department. It must be established that they are public representatives and that they have people's permission to approach the Department on their behalf regarding queries.