Irish Privacy Expert – “Big Brother philosophy threatens public’s privacy”
Do the Irish Government and state agencies — health, prison, law enforcement, semi-state bodies for example — have a legal obligation to keep your personal information private? The answer is a resounding “yes”.
But this does not mean that the law will necessarily be observed — bad things happen. Experience shows that human errors will greatly facilitate personal information misuse. Failure to keep computer passwords confidential, for instance, is estimated to be a major source of data security lapses.
Threats are often internal, rather than external. Examples that come to mind include a case in Belfast some years ago when an unmarried mother-to-be applied at her dole office for maternity benefit.
She was dreading telling her mother of the pregnancy but a nosey neighbour who worked in the office found out about the inquiry and told the entire neighbourhood. The welfare agency was held in breach of its duty to keep information in confidence.
A similar event occurred in Kerry last year, when the gardai had to pay damages after information about a suspect found its way into the public domain by way of a garda leak.
The fact is that the State is likely to have access to personal information of the most sensitive kind — medical and health data, criminal records, religion, etc — and it is through data protection law that citizens draw the most protection.
While the Office of the Data Protection Commissioner is better resourced now, the complexity the commissioner faces in finding meaningful solutions in the internet age cannot be overestimated.
Privacy and data protection all too often lose out when confronted by pressure for more police powers or greater administrative convenience. The level of scrutiny by the Oireachtas was negligible. Successive Data Protection Commissioners have complained about this Big Brother philosophy but to little effect.
The practical point is this: the more public servants who can access the data, the more likely it is that something will go wrong.
The lesson to be taken from the UK child benefit disk debacle, in which two disks holding personal data about millions of people went missing, is that too many junior staff were able to access and copy too much information about too many citizens, in breach of internal rules.
The rules and legal position are clear — it is human error that accounts for most data breaches. Threats from hackers are often regarded as external threats but often the person who alters websites and files is a disgruntled employee or ex-employee who is out for revenge or wants to access information about others. Case law in relation to employee hackers shows that the employer is entitled to sack someone straying into personnel files of co-workers.
Where the threat is external, as in cases of identity theft, denial of service attacks, phishing, for example, our legislation appears to be less satisfactory.
Hacking was criminalised as a very minor offence back in 1991 but we have yet to see a review of the law relating to computer and technology misuse in the light of these more damaging developments.
To the extent that our lawmakers are not keeping information misuse laws up to date, it can be said that Sean and Maura Public are not being protected by the State.
A cynic might say that internet crimes and information theft are difficult to detect and investigate but this, while true, is not an excuse for legislative complacency.
Prof Robert Clark is a member of the Internet Advisory Board and is the author of ‘Data Protection Law in Ireland’