HSE breached rights of employee by disclosing salary to ex-wife

Annual report by Data Protection Commissioner also reveals passwords of students were published on third-party website

The Health Service Executive (HSE) broke the law by disclosing the salary details of one of its own employees to his ex wife, the Data Protection Commissioner has found.
The Health Service Executive (HSE) broke the law by disclosing the salary details of one of its own employees to his ex wife, the Data Protection Commissioner has found.

The Health Service Executive (HSE) broke the law by disclosing the salary details of one of its own employees to his ex wife, the Data Protection Commissioner has found.

In the commissioner’s annual report for 2014 published on Tuesday, it is revealed that the man’s wife was able to produce exact details from her ex-husband’s payslips when she appeared in court in relation to maintenance issues.

On another occasion, she produced a copy of his P60 tax form and several months’ worth of his salary information in court.

Data Protection Commissioner Helen Dixon has published her first annual report since she came to office in the autumn last year, succeeding Billy Hawkes, who had been in the role almost a decade.

READ MORE

The case study says the commissioner’s office told the HSE it had breached the Data Protection Acts when the personal information of an employee was disclosed to a third party without his consent.

The executive told the commissioner it wanted to pursue an “amicable resolution” to the complaint – a procedure mandated under the Data Protection Acts.

It offered a letter of apology to the complainant which he did not wish to accept, preferring instead a formal decision by the commissioner.

Her office found the health body had breached the law on two occasions.

Separately, the commissioner found that a credit union had breached the law when it disclosed details of a man’s loan and savings to his daughter, for whom he had acted as guarantor on a loan.

In another case study, the commissioner investigated after personal information, including passwords, of students of a third-level institution was published on a third party website. It emerged that information being used for test purposes had been sent to the provider, who was developing a management system for the institution.

The commissioner also received a complaint relating to An Post's requirement for bank statements from customers who wished to set up a direct debit to pay their television licence. An Post amended its policy after intervention by the office.

The commissioner said that as a general rule, individuals must be permitted to black out or mask financial transactions which were irrelevant for the purpose of verifying an address, for example.

Interviews carried out for a medical study were among information on an unencrypted computer stolen from a medical professional in another case reported to the commissioner.

Difficulties in gaining access to personal information from organisations were the main source of complaint to the commissioner’s office last year, accounting for some 54 per cent of the 960 complaints opened.

Complaints about unsolicited marketing by text and email accounted for another 18 per cent, although the number of complaints in that category fell below 200 for the first time since 2005.

A record number of notifications (2,264) about data breaches involving personal information was received last year. The increase of 681 was largely accounted for by an increase in the number of cases where the wrong personal information was sent by post or email. The financial sector accounted for a full two-thirds of those errors.

Publishing her report on Tuesday, the commissioner noted her office had seen a near-doubling of its budget in 2015 from € 1.8 million to € 3.65 million. Her office had also begun expanding its staff from 29 to 50 and was in the process of opening a new office in Dublin.

There were 32 complaints to the commissioner's office in 2014 by individuals who had sought the removal of personal information about themselves displayed by internet search engines, in light of the so-called right-to-be-forgotten ruling by the Court of Justice of the European Union last year.

Ms Dixon said the nature of the internet meant data protection was “clearly a global matter”.

“I believe that meaningful cooperation and the free exchange of ideas are essential to making data protection work for everyone.

“I firmly believe in an engaged approach, to ensure that data-protection rights are upheld, while ensuring access to digital services that many enjoy and even rely upon. The expanded resources of my office and geographic proximity to decision-makers in leading technology companies make us well-placed to regulate with the full efficacy that our stakeholders deserve.”