Is data misuse finally becoming a criminal matter?

There's a long and ignominious history in Ireland of personal data abuse by employees in the public sector and insurance industry. Sometimes it's a garda using phone records to spy on her ex, sometimes it's nosiness on the part of Revenue staff, and in still other cases it's systematic abuse of social welfare records by the insurance industry. Sadly, the full list is too long for this post. What these cases have in common is that historically no one has been prosecuted. In some cases staff have been dismissed - but more commonly an internal slap on the wrist was the most that could be feared.

Against this background, it's significant that two prosecutions have recently been taken over data misuse. The first, reported in December, involved a staff member in Revenue who leaked information on a number of individuals to contacts including a private investigator. That case was somewhat outside the data protection mainstream - it was detected to a large extent by accident and dealt with primarily by Gardai rather than the Data Protection Commissioner - but still held out hope for the greater use of criminal sanctions in appropriate cases. That hope has now been realised by a second successful prosecution - this time of three large insurance companies found to be receiving information unlawfully accessed by private investigators from the Department of Social Protection. While the case against the companies is now concluded, a related investigation is continuing into the insider in the Department who was responsible for passing on the information.

What should we make of these cases? In one way the prosecutions still represent only small steps towards more effective enforcement. The penalties are still derisory - in each case the Probation Act was applied so that the defendants escaped conviction on the basis that they made charitable donations. The substantive offences are also lacking - in the Social Protection case the prosecution was based on processing of data other than in accordance with registration rather than any more serious offence. (Sections 19(2)(a) and 19(2)(b) of the 1988 Act.)

From a wider perspective, however, the prosecutions represent an important step forward. The Revenue case seems to have been the very first prosecution under sections 21 and 22 of the Data Protection Acts 1988 and 2003, and certainly the first such prosecution on indictment. Similarly the Social Protection case is important in its own right in that it came out of ongoing work by the Data Protection Commissioner - dating back to 2007 and including a 2008 Code of Practice - and represents the first time that the insurance industry has been effectively held to account for systematic wrongdoing. Combined with recent amendments which create specific offences of leaking Revenue information these cases may finally begin to dislodge the culture of snooping within much of the public sector.