Even more lessons from laptop loss
We’ve written before about laptops going missing containing confidential personal information. Then it was 31,000 Bank of Ireland customers who had to worry whether they could be the victims of fraud. This time it’s 380,000 social welfare recipients whose details might be compromised – with 106,000 of those also having had their bank account details lost. As before, and in breach of the most elementary principles of data security, it seems that this data was not encrypted.
The most worrying thing about this episode? Despite the laptop being lost in April 2007, it is only now that the victims are being told that their information has been compromised. In the 16 months between then and now they have been deprived of the right to protect themselves – for example, by taking steps to monitor their bank accounts or credit ratings. As we’ve said a few times now, it’s about time that Irish law recognised a right to be notified when your personal data is lost. Here’s how the law currently stands and what you can do about it:
At the moment, there is no general legal obligation on a body which loses your personal information to notify you. This means that individuals may be unaware that sensitive information such as medical histories or financial records has been lost. It may be, for example, that the first you learn about it is when you go to the ATM and find that your account has been emptied. We’ve said before that it’s time that this was changed. In the US, for example, many states have laws requiring that you be warned if your information is compromised. This has been successful in helping individuals to protect themselves and also in providing an incentive for companies to invest in security, knowing that they will no longer be able to sweep their failings under the carpet. In fact, the European Data Protection Supervisor has now recommended that it is time for such a law at a European level, and has suggested amendments to the forthcoming e-Privacy Directive.
If you agree that you should have a right to be warned when your data is compromised, you should start by writing to the Minister for Justice (firstname.lastname@example.org) and to your MEPs. (Contact details for MEPs.) Ask them to support the proposals of the European Data Protection Supervisor on security breach notification.
You can also write to your local TD. Most now use email, with the address: email@example.com. You can find full contact details for your local TDs here. Let them know that privacy is an important issue for you. And let them know that unless data retention is stopped, it is only a matter of time until telephone, internet and email records are similarly leaked.
If you think you may have been affected, you can contact the Department of Social and Family Affairs on a helpline at 1800 690 590 (9am – 6pm) or via e-mail at firstname.lastname@example.org.