Anyone who opens an online or telephone account with a bank, insurance company or a public utility, will be familiar with the range of security questions they may be asked, in order to operate it. Some answers require the disclosure of personal details and preferences – one’s favourite car, date of birth or mother’s maiden name? The aim is to guarantee security, ensure confidentiality for the customer, and prevent fraud and identity theft.
How surprising then that a genealogy database, under the control of a Government department – the Arts, Heritage and the Gaeltacht – was operated in breach of data protection laws. For more than a year, irishgenealogy.ie offered online access to the personal details of every citizen born, or who married, in the State. Last week a vigilant citizen, aware of how easy it was to obtain such personal details, informed The Irish Times. The newspaper contacted the Data Protection Commissioner (DPC), and the website was quickly removed. Personal data on the living enjoys far greater legal protection than data about the dead obtained from census material.
Data protection law can at times seem overprotective in securing a citizen’s personal data rights. Publication of the sale price of houses, conducted by private treaty, was until recently illegal unless both buyer and seller agreed, which few did. The result was an opaque property market without price transparency, clearly contrary to the public interest. Two years ago, following a change in the law, a national register of property prices was established, a long-overdue reform.
This latest episode reflects badly on the department, which approved a website that so clearly failed to protect the personal data of living individuals, and which could, however unwittingly, have facilitated fraud and identity theft. But it also raises the question how the DPC, a State agency whose job it is to ensure compliance with the law, failed to spot such an obvious breach of the law.