Employer received worker's personal details over email after calling the department
The Department of Social Protection has been warned to ensure new staff are closely supervised in their work, after an employee mistakenly handed over a woman’s personal data to a third party.
The breach is one of 12 case studies highlighted in the Data Protection Commissioner’s annual report, published today.
Ireland’s privacy watchdog dealt with 2,317 valid notifications in 2015, an increase of 5.9% on the previous year.
The highest proportion of data breaches involved unauthorised electronic disclosures, which accounted for just under 20% of all notifications.
In one of the cases, the Department of Social Protection was found to have broken data protection laws by disclosing a woman’s personal data to an unauthorised third party.
The complainant told the watchdog that her employer had produced a statement about her illness benefits during an Employment Appeals Tribunal hearing.
The document contained information such as her name, address, PPSN, date of birth, bank details and number of child dependents.
She said her employer told the tribunal that he had phoned the Department of Social Protection and had subsequently been sent the statement over email.
In its apology to the woman, the department acknowledged that her information had been disclosed in error and that proper procedures had not been followed.
However, the woman told the commissioner that she was not informed about how the breach occurred and that the matter had caused her “considerable distress”.
During the course of the investigation, the department said the information was mistakenly provided to the complainant’s employer by a new member of staff.
The correct procedure would have been to issue a statement to the employee along with a note informing them that their personal data had been requested, it said.
The commissioner found that the Department of Social Protection breached the Data Protection Acts 1988 and 2003 by processing the complainant’s personal data “in a manner incompatible with the purpose for which it had been obtained”.
The watchdog concluded in its finding: “This case serves as a reminder to data controllers of the importance of ensuring that new staff are fully trained and closely supervised in all tasks, particularly in those tasks that involve the processing of personal data.
“Errors by staff present a high risk of data breaches on an ongoing basis and it is critically important that efforts are made to mitigate against those risks by driving data protection awareness throughout the organisation, with particular focus on new or re-assigned staff.”