Thursday, February 23, 2012

Checking the PULSE

We've known for some time now that there's been significant abuse of the Garda PULSE database - whether this takes the form of gardaí checking up on daughters' boyfriends or, more seriously, information being sold to armed robbers. This abuse was one of the factors which led the Data Protection Commissioner in 2007 to adopt a Garda Code of Practice on Data Protection. While quite far-reaching, that document also deals specifically with the PULSE database and provides:

The standard of security expected of all employees of An Garda Síochána includes the following:
* access to the information restricted to authorised staff on a "need-to-know" basis in accordance with a defined policy,
* computer systems password protected,
* information on computer screens and manual files kept hidden from callers to offices,
* back-up procedures in operation for computer held data, including off-site back-up,
* all waste papers, printouts, etc. disposed of carefully by shredding,
* all employees must log off from PULSE and other computers on each occasion when they leave the workstation,
* personal security passwords must not be disclosed to any other employee of An Garda Síochána,
* all Garda premises to be secure when unoccupied,
* a designated person will be responsible for all the above within An Garda Síochána with periodic reviews of the measures and practices in place.

Every contact on PULSE leaves a trace and every employee should be acutely aware that all activity under their registered number and password on PULSE is recorded. During an Audit or Investigation procedure they may be asked to account for the reasons they accessed a particular individual's data at any given time and what they did with it afterwards. An Garda Síochána will ensure that appropriate data protection and confidentiality clauses are in place with any processors of personal information on its behalf...

6. AUDITS OF DATA PROTECTION PROCEDURES WITHIN AN GARDA SÍOCHÁNA

To ensure the quality of data retained by An Garda Síochána, and that access to and usage of such data is appropriate within the terms of this Code, each District Officer will, as part of his/her quarterly inspection and audits in line with the Garda Commissioner's policy, examine data under the headings of Quality Control; Data Accuracy; Access to Data; and Usage of Data.

In addition to this, the Garda Professional Standards Unit will conduct examinations and reviews of Data Protection procedures as part of their ongoing examination and review process.

Unfortunately, it seems that the 2007 Code of Practice has been neglected. In particular, there has been a failure to implement the agreed monitoring of the use of the PULSE system and in his 2010 Annual Report the Data Protection Commissioner stated that:

It is disappointing to report that, despite our repeated engagements on this issue, the monitoring of access by members of An Garda Síochána to Pulse falls short of the standards we expect. We wish to see significant progress by the Gardaí in pro-actively monitoring Pulse access in 2011 and will be carrying out an audit to satisfy ourselves of this progress.

Today's Irish Times brings the story up to date, and reveals that a Garda system to monitor access to PULSE has now been put in place (four years after it was first promised) while the Data Protection Commissioner's audit will proceed in the next three months. I look forward with interest to the results - particularly if the audit goes beyond PULSE to also examine the weak controls over Garda surveillance powers which have led to at least one serious case of abuse.
