Data protection Commissioner's Office welcomes Court outcome in case concerning sale of Personal Data
26th January 2018
DATA PROTECTION COMMISSIONER’S OFFICE WELCOMES COURT OUTCOME IN CASE CONCERNING SALE OF PERSONAL DATA
Assistant Data Protection Commissioner, Tony Delaney, today welcomed the outcome of prosecution proceedings which concluded at Letterkenny Circuit Court and which were taken by An Garda Síochána against a former civil servant. The defendant was accused of a number of charges of receiving corrupt payments between 2008 and 2010 from two private investigators in exchange for supplying them with personal information held on the computer databases of his then employer, the Department of Employment Affairs and Social Protection.
Letterkenny Circuit Court was told on Tuesday of this week that Mr. Rory Lenihan, with an address in Letterkenny, Co. Donegal, was pleading guilty to twelve sample charges out of a total of forty one charges. The charges relate to breaches of section 1(1) and (4) of the Prevention of Corruption Act, 1906 as inserted by section 2 of the Prevention of Corruption Act, 2001. Today the Court sentenced Mr. Lenihan to two years imprisonment on each of the twelve counts to run concurrently with the final year suspended.
Welcoming today’s court outcome, Assistant Commissioner Tony Delaney stated:
“Today’s sentencing hearing brings to an end lengthy court proceedings which followed separate investigations by An Garda Síochána and the Data Protection Commissioner (DPC) which began in December 2010. The DPC conducted a detailed investigation in 2010 - 2011 of three companies in the insurance sector. That investigation culminated in the successful prosecution under the Data Protection Acts of those companies, Zurich Insurance Plc, FBD Insurance Plc and Travelers Insurance Company Limited at the Dublin Metropolitan District Court in February 2012. The investigation followed the receipt of a formal breach report from the Department of Employment Affairs and Social Protection of suspected leaking to third parties by one of its officials of personal data held on the Department’s computer systems. Our investigation found evidence on claims files in the insurance companies concerned of social welfare information concerning a number of insurance claimants. We established that the social welfare information had been supplied to the insurance companies by a firm of private investigators, having been disclosed to them by the defendant in today’s proceedings, Mr. Rory Lenihan.
The form and scale of the offending behaviour which came to light in the investigation of this case was shocking. This case stands out as one of the most serious data breaches ever uncovered in this State. That a civil servant, who had ready access for the performance of his official duties to the social welfare records of every customer of the Department, abused his position and trawled through those records and passed on personal information from them to private investigators in exchange for corrupt payments is scandalous and appalling.
In the intervening years since this case first came to light in late 2010, the DPC has devoted significant resources to the detection of leakage of personal data from State databases to private investigators. Our work in that area, which is ongoing, has yielded positive results with the detection and subsequent prosecution of five private investigation entities since 2014 on charges of having obtained personal data from State databases without authority and passing it on to third parties in the insurance or financial sectors.
Today’s Court outcome should serve as a very clear warning to employees in all sectors against snooping through, or disclosing to, unauthorised third parties personal data that may be at their disposal in their workplace for the performance of their duties. Employees are given access to records of personal data for work-related purposes. Any deviation by employees from those official purposes, such as accessing records to obtain information on behalf of family, friends or others, constitutes a breach of data protection legislation which could result in serious consequences for the employees concerned.”
For media related queries, please contact Graham Doyle, Head of Communications, Data Protection Commissioner