SERIOUS WEAKNESSES in the protection of the personal data of more than 300,000 people by the Department of Social and Family Affairs have been uncovered in an audit by the Data Protection Commissioner.
The audit took place amid significant concerns about data protection practises in the department.
These concerns arose from audits of other organisations such as insurance companies, complaints to the commissioner and media reports of information leaks.
The department is the largest holder of personal data in the State and the report points out that much of the data is provided by people who have no choice but to give it.
In its inspection of the illness benefit section, the team found illness benefit claim forms were initially stored in transparent sleeves in an open-plan area. Claims were subsequently filed away in a basement area for six years for audit purposes before being destroyed.
"A substantial volume of claim files in crates were identified outside the entrance to the store . . . This presented a clear security risk to the data in question," the audit says.
"An inspection of the personal data on [ a] PC highlighted a welfare payments system extract . . . detailing all jobseeker and related schemes open on a particular date . . . The extract consists of a spreadsheet containing extensive fields of personal information including PPS numbers, address and personal bank details in relation to approximately 300,000 individuals."
The team established that the spreadsheet could be downloaded to an individual's desktop and easily e-mailed.
"There does not appear to be any clear reason why material containing such confidential data should be circulated in such form," says the report. "Such a level of detail would be deemed excessive under the Data Protection Acts 1988 and 2003 . . . It was further established during the course of the audit that the extract is circulated relatively widely within the department."
An examination was undertaken of the medical certs system which is used for storing information relating to doctors who provide medical certificates to patients to claim various benefits.
The report found: "The password mechanism in use is weak and would be straightforward to break." Security "commensurate with the data stored in the database" is needed.
Responding to the report the department said it was "fully committed to addressing the issues raised".
"The [ Data] Commissioner also recognises that there are challenges in this respect for an organisation as large and diverse as DSFA. Some improvements have already been implemented while others will be incorporated into the department's wider information security works programme.
"The department can assure the public that it treats any unauthorised access to or disclosure of personal data to be an extremely serious offence. All civil servants are subject to the Official Secrets Act as well as departmental data protection policies."
The full report is available at www.welfare.ie