Friday, February 25, 2011

Subject access requests up by 25% as employees seek to see HR files

Elaine Edwards has an interesting report from the Irish Computer Society Annual Data Protection Conference:
THE NUMBER of complaints from people seeking access to personal information held on them increased last year due to the economic downturn, with many people concerned about potential or actual dismissal from their jobs.

Data Protection Commissioner Billy Hawkes said yesterday the top item for complaints to his office in 2010 was about failure to respond adequately to requests for access to personal data.

Individuals have a right under the Data Protection Acts to be given this data. “In past years, the top spot was always occupied by unsolicited direct marketing,” Mr Hawkes said. “I think with the economic downturn we are currently suffering, we’ve seen increasing use of the right of access by people who are fearful that they are going to lose their jobs or, who sometimes may have lost them.

“They are using the right of access to see what exactly is going on in relation to them within a particular organisation, or to see was it justified that they should have been picked out for dismissal from the company.”
Daragh O'Brien has also put up a screencast of his presentation at that conference.

Update: Elaine Edwards has more from the conference here, discussing the need for reform of data breach reporting.

Sunday, February 20, 2011

Judge's report reveals allegations that Garda used phone records to spy on her ex

Mark Tighe has an important story in today's Sunday Times about apparent abuse by a garda of the data retention system. Unfortunately it's behind a paywall, but I've taken the liberty of scanning the hardcopy and placing it here as it raises a number of fundamental questions about the safeguards which are in place against abuse and the likelihood of further abuse now that the 2011 Act has extended data retention to internet use also.
Garda accused of bugging her ex-boyfriend

Mark Tighe

A FEMALE garda suspected of obtaining the phone records of her ex-boyfriend has been reported as the first person who may have breached phone-tapping rules introduced in legislation in 1993.

The case is highlighted in a report prepared by Iarfhlaith O'Neill, a High Court judge designated to monitor the state's phone-tapping activities.

Security sources say that the case involves a garda who was stationed in the force's crime and security division, which carries out spying and intelligence services. The garda is accused of obtaining phone records of her former boyfriend to track his movements and activities after they separated. The man became suspicious and complained to gardai because his ex-girlfriend allegedly knew details of calls he had made.

In a report to the Oireachtas earlier this month, O'Neill said that he investigated a number of alleged breaches of Section 64(2) of the Criminal Justice (Terrorist Offences) Act 2005. Under Section 64(2) no garda below the rank of chief superintendent can request an individual's phone records from a service provider to aid investigations of criminal offences.

O'Neill said: "These breaches are alleged to have been committed by a member of An Garda Siochana."

"As a result of my investigations, I was concerned that these breaches may have occurred. These alleged breaches are now the subject matter of a criminal investigation and also disciplinary proceedings under the garda disciplinary code."

O'Neill said that the extent of the alleged non-compliance with the 2005 Act had been "rigorously investigated and fully understood". He said all appropriate steps had been taken to ensure future compliance with the act.

The rest of O'Neill's report states that on November 18 last year he attended garda headquarters, then army headquarters in McKee Barracks and later the Department of Justice offices on St Stephen's Green.

In each location he reviewed documents relating to phone tapping and phone records and spoke to people involved in the operation of the act. He said that all his queries were answered to his satisfaction.

"As a result of the foregoing, I am satisfied that there is, as of the date of this report (November 26, 2010) full compliance with the provisions of the above acts," he said.

A spokesman for the Data Protection Commissioner (DPC) said that gardai had informed it of the apparent data breach last June.

Gardai refused to comment on the case.

Gardai and the Department of Justice have refused to release details of how many requests for phone records or how many phone taps are authorised each year. They say that such information is sensitive.

The Labour party has called for a review of the powers given to gardai to access personal records and said they should only be used in exceptional circumstances.

In 2007 the DPC said that, based on audits of phone companies, it estimated gardai were making 10,000 requests for citizens' phone records each year. Security sources say the figure is now likely to be closer to 15,000 as gardai regularly seek phone records to aid investigations.

Despite its resistance to publishing details about requests to access the phone records of private citizens, Ireland may be forced to do so by a 2009 European Council directive.

The directive requires member countries to legislate to provide their data protection commissioners with the number of requests made for phone records and the legal justification invoked.
Some quick thoughts:

The references to bugging and phone-tapping are misleading - what is alleged here (as I understand it) is that the garda accessed the phone records of her ex rather than actually listened to the contents of telephone calls.

There are, unhelpfully, no details given in the report as to how the abuse came to light or what changes will be made in future to prevent further abuses. (Continuing a fine tradition of opacity.) But a number of questions spring to mind.

When did the alleged abuse take place, and how long did it take before it was uncovered? Was the abuse discovered purely by chance? Is there an adequate internal audit trail of requests which are made? If so, who is responsible for reviewing that trail? Does the designated judge access a sample of requests from the preceding year to ensure that the surveillance was appropriate? If the designated judge will not provide this level of detail in the annual report then the Minister for Justice must do so to the Oireachtas if the public are to have confidence in this system. While the particular details of this case cannot be discussed until any criminal trial is concluded, it is remarkable that there is absolutely no discussion of the systems-level controls which are (or are not) in place.
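
To make the "systems-level controls" point concrete, here is an added example (not from this post, the designated judge's report or any actual Garda or telco system) of the kind of automated review that an audit trail of phone-record requests would permit. The log format, the requester IDs, the subscriber numbers, the case references and the rank list are all assumptions constructed for the demonstration; the one rule taken from the article above is that under section 64(2) of the 2005 Act no garda below the rank of chief superintendent may request records. The checks flag requests made below that rank, requests tied to no investigation file, and repeated pulls on a single subscriber by a single requester (the pattern alleged in the story), and draw a random sample of requests for independent review of the kind a designated judge could be given:

```python
"""Illustrative audit-trail checks over a constructed log of phone-record requests.

Added example, not from the original post or from any real Garda or telco system.
The record format, rank names, IDs and thresholds are assumptions chosen for the
demo; the rank threshold itself comes from the article's summary of s.64(2) of the
Criminal Justice (Terrorist Offences) Act 2005.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
import random

# Assumed rank ordering, lowest to highest. Under s.64(2) only a chief
# superintendent or above may request records, so anything below that is flagged.
RANKS = ["garda", "sergeant", "inspector", "superintendent",
         "chief superintendent", "assistant commissioner"]
MIN_RANK_INDEX = RANKS.index("chief superintendent")


@dataclass(frozen=True)
class Request:
    ts: datetime
    requester: str   # assumed: identifier of the member who made the request
    rank: str        # assumed: that member's rank at the time of the request
    target: str      # assumed: subscriber number whose records were sought
    case_ref: str    # assumed: investigation file the request is tied to, "" if none


def parse_line(line: str) -> Request:
    """Parse one pipe-separated audit line in the constructed format."""
    ts, requester, rank, target, case_ref = (f.strip() for f in line.split("|"))
    return Request(datetime.fromisoformat(ts), requester, rank, target, case_ref)


def check_rank(reqs):
    """Requests whose requester is below the s.64(2) rank threshold."""
    return [r for r in reqs if RANKS.index(r.rank) < MIN_RANK_INDEX]


def check_case_ref(reqs):
    """Requests not tied to any investigation file."""
    return [r for r in reqs if not r.case_ref]


def check_repeat_target(reqs, threshold=3):
    """(requester, target) pairs queried at least `threshold` times.

    Repeated pulls on one subscriber by one requester are the pattern the
    article alleges (tracking an individual over time), so they merit review.
    """
    counts = Counter((r.requester, r.target) for r in reqs)
    return {pair: n for pair, n in counts.items() if n >= threshold}


def sample_for_review(reqs, k, seed=0):
    """Pick k requests uniformly at random for independent (e.g. judicial) review."""
    return random.Random(seed).sample(list(reqs), k)


def run_checks(lines, threshold=3):
    """Parse the audit lines and return every finding, keyed by check name."""
    reqs = [parse_line(line) for line in lines if line.strip()]
    return {
        "below_rank": check_rank(reqs),
        "no_case_ref": check_case_ref(reqs),
        "repeat_target": check_repeat_target(reqs, threshold),
        "parsed": reqs,
    }


# Constructed sample audit trail: fictional IDs, numbers and file references.
SAMPLE_LOG = """\
2010-03-01T09:12:00 | G1001 | chief superintendent | 0851230001 | CR/2010/017
2010-03-02T10:05:00 | G1001 | chief superintendent | 0851230002 | CR/2010/018
2010-03-03T22:41:00 | G2042 | garda                | 0869990001 |
2010-03-10T23:15:00 | G2042 | garda                | 0869990001 |
2010-03-17T21:58:00 | G2042 | garda                | 0869990001 |
2010-03-20T11:00:00 | G3003 | superintendent       | 0871110001 | CR/2010/021
"""

if __name__ == "__main__":
    findings = run_checks(SAMPLE_LOG.splitlines())
    for name in ("below_rank", "no_case_ref"):
        for r in findings[name]:
            print(f"{name}: {r.ts.isoformat()} {r.requester} ({r.rank}) -> {r.target}")
    for (who, target), n in findings["repeat_target"].items():
        print(f"repeat_target: {who} queried {target} {n} times")
    for r in sample_for_review(findings["parsed"], k=2):
        print(f"sampled for review: {r.ts.date()} {r.requester} -> {r.target}")
```

None of this is sophisticated; the point is that each of the questions above (who made the request, at what rank, against whom, how often, tied to what file, and who looks at a sample afterwards) is answerable mechanically if the requests are logged at all, which is why the report's silence on whether such a trail exists is the striking part.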

Finally, when data breach notification is finally introduced as a legal obligation (whether under the revised e-Privacy Directive or the Data Protection Commissioner's Code of Practice) will it include a right to be notified of this type of breach also? Note that the Directive appears to impose a notification obligation on telcos only.

For more background on the allegations behind this story, see this Mail on Sunday piece from last year.

Friday, February 18, 2011

Irish local government says open source software not just for "sandal-wearers"

According to today's Irish Times, the Local Government Computer Services Board is moving towards open source software:
THE LOCAL Government Computer Service Board, a flagship Microsoft client, is moving to open-source software after nearly 10 years of allegiance.

The public sector body provides shared ICT services to local government and was a pioneering exponent of SharePoint, the Microsoft web-based product that is used as an intranet by many of the country’s 33 councils.

In 2001, the board signed a landmark €10 million contract with Microsoft, licensing end-to-end software from desktop to database for use across local government. It was renewed in 2005, but only after assistant director Tim Willoughby looked at the open-source alternatives.

At the time he expressed a reluctance to entrust local government IT platforms to a “sandal-wearing” community, preferring the level of support offered by Microsoft.

A number of factors have convinced Willoughby that the time is right to make the move, not least the fact that the computer service board has seen a 15-20 per cent cut in its IT spend and must make funds go further.
Interestingly, Willoughby also states that data portability was a factor in the decision - "we don’t want our data to be stuck in old infrastructure where we have to pay somebody to get it out".

The relevant request for information is available on eTenders.

The Local Government Computer Services Board also has a blog on open source software, which includes presentations from a recent local authority forum discussing issues associated with a move to open source.

For background on the relatively slow takeup of open source within the Irish government see this 2008 article from Pearse Ryan and Andy Harbison (PDF).

Monday, February 14, 2011

Importation and sale of mobile phone jammers now an offence

Comreg watchers will be interested to learn that it has today issued the catchily-titled Prohibition of Sale, Letting on Hire, Manufacture, and Importation of Wireless Telegraphy Interference Apparatus Order 2011. The statutory instrument does what it says on the tin, and makes it a criminal offence to import, sell, etc. jamming devices - in particular mobile phone jammers.

I'm not sure what prompted this action now (growing numbers of cheap jammers being imported via Hong Kong sites?) though it does plug a gap which was recognised as far back as 2004 when a Comreg consultation on mobile phone interceptors pointed out that the use but not the sale, etc. of jammers was illegal (Consultation Document | Response to Consultation).

Incidentally, there is an overlap here with offences under the European Communities (Electromagnetic Compatibility) Regulations also, as by their nature jammers cause excessive electromagnetic interference and so could not be lawfully put on the market.

(h/t Ronan Lupton)

Want to know how much your neighbour owes on his credit card? Try the Companies Registration Office

Edited 21/2/11: The story behind this post has since been removed by the Sunday Business Post from its site and a clarification printed:
In an article published on February 13 under the headline "Debtors’ personal details posted online by debt collection firm", we said that Cash Flow Services (CFS) had made personal details of almost 1,100 credit card holders available on the internet, through the Companies Registration Office.

We have been asked to point out, and are happy to clarify, that neither CFS nor any party acting on its behalf listed the names or outstanding debts of MBNA customers in any documents filed in the Companies Registration Office, nor did CFS post any debtors’ personal details online.

The Sunday Business Post apologises to CFS and its directors for any misunderstanding or confusion caused.