In house theft of personal data a real risk for data security and, of course, privacy

August 16, 2014

One aspect of data protection that defies an easy, if any, technological response is the role staff play in the leakage of data from an organisation. Staff can be responsible for a data leak for a range of reasons: storing personal information on BYODs which are lost or stolen, being caught by a sophisticated phishing attack, or providing personal information in breach of the Privacy Act, whether accidentally or out of ignorance. And then there is the problem of data theft by staff, for revenge or profit. Two recent articles highlight the problem: Restaurant staff ‘stole bank card details’; Medical worker stole patient identities, committed credit card fraud, Bergen prosecutor says; and Former Georgia deputy sentenced in identity theft plot.

Under the Australian Privacy Principles it is necessary to take reasonable steps to protect personal information. That includes having processes to minimise the opportunity for unlawful access to, or theft of, private information by staff. Some organisations and agencies have quite effective programs and processes in place, especially in the financial services sector. But many have poor systems and either have no idea or do not care about such basic security steps. In a sense they are placing their entire faith in their staff doing the right thing. Put another way, they are hoping that the law of averages does not apply to them. Good staff can go bad for a whole range of reasons which are not easy to spot, except with the hindsight goggles.

Of even greater concern is the use of stolen personal information by other parties. In Ireland the Data Protection Commissioner is investigating allegations that some credit unions hired private investigators to obtain confidential personal information relating to customers, information that has been unlawfully accessed.  The report is covered in Data Protection Commissioner investigates claims credit unions used stolen data. In Australia this conduct would be a clear breach of Part IV of the Privacy Act 1988.

It provides:

The Office of the Data Protection Commissioner has said it is investigating claims some credit unions may have hired private investigators to obtain confidential details on customers.

A report in today’s Irish Independent said a number of credit unions have used private investigators to access information on people who owe them money.

The Data Protection Commissioner said it had been investigating for some time whether investigators are unlawfully accessing personal data from State bodies and passing it on to third parties.

It said the Department of Social Protection had been the target of “suspected unlawful activity” and that it had been cooperating with the investigation.

“It is a criminal offence under data protection legislation for a person to obtain access to personal data without the prior authority of the data controller by whom the data is kept and to disclose it to another person,” it said.

“The Data Protection Commissioner has commenced prosecution proceedings in the District Court against some private investigators who are suspected of breaches of the Data Protection Acts.”

A spokesperson for the Irish League of Credit Unions said it was not aware that “illegal means of data collection were being used”.

They said: “If this was being done, it was without the credit unions’ permission or knowledge.

“Credit unions would not knowingly employ any company who use illegal tactics and we certainly do not in any way condone the use of securing information by illicit means.

“We are aware that the Data Commissioner is not pursuing the credit unions in this matter but rather the private investigators directly.”

The Department of Social Protection has said it treats the data of clients with “utmost seriousness”.

It said: “The department has extremely rigorous data protection and information security policies, standards, procedures and guidelines in place, and every effort is made to ensure that personal customer data is used solely for business purposes and that it is not compromised in any way.  

“The department ensures oversight in relation to data protection by keeping records of data accesses which are then subject to audit. All cases of suspected data breaches are investigated.”
