February 20th, 2011
Mark Tighe has an important story in today’s Sunday Times about apparent abuse by a garda of the data retention system. Unfortunately it’s behind a paywall, but I’ve taken the liberty of scanning the hardcopy and placing it here as it raises a number of fundamental questions about the safeguards which are in place against abuse and the likelihood of further abuse now that the 2011 Act has extended data retention to internet use also.
Garda accused of bugging her ex-boyfriend
A FEMALE garda suspected of obtaining the phone records of her ex-boyfriend has been reported as the first person who may have breached phone-tapping rules introduced in legislation in 1993.
The case is highlighted in a report prepared by Iarfhlaith O’Neill, a High Court judge designated to monitor the state’s phone-tapping activities.
Security sources say that the case involves a garda who was stationed in the force’s crime and security division, which carries out spying and intelligence services. The garda is accused of obtaining phone records of her former boyfriend to track his movements and activities after they separated. The man became suspicious and complained to gardai because his ex-girlfriend allegedly knew details of calls he had made.
In a report to the Oireachtas earlier this month, O’Neill said that he investigated a number of alleged breaches of Section 64(2) of the Criminal Justice (Terrorist Offences) Act 2005. Under Section 64(2) no garda below the rank of chief superintendent can request an individual’s phone records from a service provider to aid investigations of criminal offences.
O’Neill said: “These breaches are alleged to have been committed by a member of An Garda Siochana.”
“As a result of my investigations, I was concerned that these breaches may have occurred. These alleged breaches are now the subject matter of a criminal investigation and also disciplinary proceedings under the garda disciplinary code.”
O’Neill said that the extent of the alleged non-compliance with the 2005 Act had been “rigorously investigated and fully understood”. He said all appropriate steps had been taken to ensure future compliance with the act.
The rest of O’Neill’s report states that on November 18 last year he attended garda headquarters, then army headquarters in McKee Barracks and later the Department of Justice offices on St Stephen’s Green.
In each location he reviewed documents relating to phone tapping and phone records and spoke to people involved in the operation of the act. He said that all his queries were answered to his satisfaction.
“As a result of the foregoing, I am satisfied that there is, as of the date of this report (November 26, 2010) full compliance with the provisions of the above acts,” he said.
A spokesman for the Data Protection Commissioner (DPC) said that gardai had informed it of the apparent data breach last June.
Gardai refused to comment on the case.
Gardai and the Department of Justice have refused to release details of how many requests for phone records or how many phone taps are authorised each year. They say that such information is sensitive.
The Labour party has called for a review of the powers given to gardai to access personal records and said they should only be used in exceptional circumstances.
In 2007 the DPC said that, based on audits of phone companies, it estimated gardai were making 10,000 requests for citizens’ phone records each year. Security sources say the figure is now likely to be closer to 15,000 as gardai regularly seek phone records to aid investigations.
Despite its resistance to publishing details about requests to access the phone records of private citizens, Ireland may be forced to do so by a 2009 European Council directive.
The directive requires member countries to legislate to provide their data protection commissioners with the number of requests made for phone records and the legal justification invoked.
Some quick thoughts:
The references to bugging and phone-tapping are misleading – what is alleged here (as I understand it) is that the garda accessed the phone records of her ex rather than actually listened to the contents of telephone calls.
There are, unhelpfully, no details given in the report as to how the abuse came to light or what changes will be made in future to prevent further abuses. (Continuing a fine tradition of opacity.) But a number of questions spring to mind.
When did the alleged abuse take place, and how long did it take before it was uncovered? Was the abuse discovered purely by chance? Is there an adequate internal audit trail of requests which are made? If so, who is responsible for reviewing that trail? Does the designated judge access a sample of requests from the preceding year to ensure that the surveillance was appropriate? If the designated judge will not provide this level of detail in the annual report then the Minister for Justice must do so to the Oireachtas if the public are to have confidence in this system. While the particular details of this case cannot be discussed until any criminal trial is concluded, it is remarkable that there is absolutely no discussion of the systems-level controls which are (or are not) in place.
Finally, when data breach notification is eventually introduced as a legal obligation (whether under the revised e-Privacy Directive or the Data Protection Commissioner’s Code of Practice), will it include a right to be notified of this type of breach also? Note that the Directive appears to impose a notification obligation on telcos only.
For more background on the allegations behind this story, see this Mail on Sunday piece from last year.
[Cross-posted from tjmcintyre.com]