Officials at the Department of Social Protection have rejected claims of a “common” practise in the department of staff giving personal data to third parties including private investigators working for financial institutions.
Daniel Lannon, in High Court proceedings against the Minister for Social Protection, is seeking damages, including aggravated damages for alleged breach of his privacy and data protection rights in 2014.
Mr Lannon, represented by Jim O’Callaghan SC and Darren Lehane BL, instructed by Lawlor Partners solicitors, claims the department breached its duty of care in regards to his personal data.
The Minister, represented by Conor Power SC and Nick Reilly BL, denies liability but accepts that a former official with the department, Caitriona Bracken, had passed on Mr Lannon’s data to a private detective.
On Wednesday, the second day of the case, the court heard evidence from Ann Marie O’Connor, an official with the department who was involved in the disciplinary process against Ms Bracken.
Ms O’Connor said four people, including Ms Bracken, have been dismissed since 2014 for passing on data to third parties. Any data breach is taken “very, very seriously” and the department’s 6,500 staff have all been made aware of their data protection obligations, she said.
In reply to Mr Justice Tony O’Connor, she said certain other members of staff found to have accessed personal information for non-business reasons had also been disciplined by the department. She did not know the exact numbers of those disciplined but it was, since 2014, between 20 and 30 individuals.
Under cross-examination by Mr O’Callaghan, she rejected claims giving information to third parties was “commonplace” and said there are protocols in place for exchange of information with bodies such as the Garda, Revenue, CAB and the HSE.
Vincent Kennedy, assistant principal officer with the department’s Business Information Support Unit, said it had taken steps to prevent data breaches, including random checks to see who has accessed information on certain individuals and keeping a database of known phone numbers of private investigators.
In two instances, officials had given out information about persons to private investigators who had claimed they were officials with the HSE, he said. In another instance, a former employee has been prosecuted for giving information to a third party, he said.
In his action, Mr Lannon claims his personal data, including his address at Colpe View, Deepforde, Dublin Road, Drogheda, was accessed by Ms Bracken on August 22nd 2014 and provided by her to a private investigator, Michael Ryan, who is her brother in law.
Mr Ryan was hired by a solicitor’s firm acting on behalf of AIB.
Mr Lannon claims the information was used so AIB could serve legal proceedings on him at the Drogheda address.
Mr Lannon did not provide the bank with the Drogheda address and had instead used the address of a property owned by him at Burnell Square, Malahide Road, Dublin for correspondence with AIB.
After AIB wrote to him in Drogheda in 2015, Mr Lannon made a complaint to the Data Protection Commissioner (DPC). The DPC prosecuted Mr Ryan, and his company Glen Collection Investments Limited, which in October 2016 pleaded guilty to certain data breaches and was fined €7,500 by the district court.
In its defence, the department accepts Ms Bracken accessed Mr Lannon’s private data and provided it to Mr Ryan, but says it is not liable for her actions.
Ms Bracken of Kilkerrin, Ballinasloe, Co Galway was initially added to Mr Lannon’s proceedings by the department as a third party but, on the first day of the hearing, the department dropped its case against her. She had claimed the release of data to parties including private investigators was “commonplace”.