Inquiry into An Garda Síochána - December 2022

(IN-20-1-3)

Date of decision: 15 December 2022

This inquiry, conducted under Part 5 of the Data Protection Act 2018, concerned a personal data breach at a Garda station that An Garda Síochána reported to the DPC. The inquiry sought to determine whether infringements of sections 71(1)(f), 72(1), 75 and 78 of the Data Protection Act 2018 had occurred in An Garda Síochána’s processing of personal data. These provisions require that:

  • processing is undertaken in a manner that ensures appropriate security, including the implementation of appropriate technical and organisational measures to protect against unauthorised or unlawful processing, and accidental loss, destruction or damage;
  • in determining appropriate technical or organisational measures, a controller ensures that the measures provide a level of security appropriate to the harm that might result from accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, the data concerned;
  • a controller shall implement appropriate technical and organisational measures to ensure that the processing of personal data for which it is responsible is performed in compliance with Part 5 of the Data Protection Act 2018; and
  • a controller has regard to certain matters in determining the appropriate technical and organisational measures to be taken, including the risks to the rights and freedoms of individuals arising from the processing concerned and the likelihood and severity of such risks; the nature of the personal data concerned; the nature, scope, context and purpose of the processing concerned; the accessibility of the data; and the state of the art and cost of implementation.

The data breach the subject of this inquiry concerned the personal data of “persons of interest” to An Garda Síochána in the context of ongoing investigations, which was processed on an Intelligence Bulletin board located in a room in a Garda station to which no person other than a Garda should have had unaccompanied access. This personal data, which included the names and addresses of 108 data subjects, including vulnerable data subjects, was accessed by a contractor who was undertaking repair works at the Garda station. The personal data was ultimately shared on social media.

Findings made in the decision that followed the DPC investigation of this matter include that there was:

  1. An absence of specific policies and procedures in An Garda Síochána’s processing of personal data, such that they failed to satisfy the requirements of sections 72(1), 75 and 78, and by extension 71(1)(f) of the Data Protection Act 2018. Specifically, An Garda Síochána failed to implement appropriate technical and organisational measures to protect the personal data An Garda Síochána processed at the time of the breach.
  2. An absence of specific security measures in place at the time of the breach relating to the circumstances of the breach, which resulted in the failure of An Garda Síochána to implement a level of security appropriate to the harm that might result from An Garda Síochána’s processing of personal data.
  3. A failure to undertake a risk assessment before processing commenced, in order to determine the appropriateness of security measures vis-à-vis the harm that might result from processing.
  4. A failure to demonstrate that An Garda Síochána carried out any pre-breach assessment of the matters to which a controller should have regard, under section 78(a) to (g) Data Protection Act 2018.
  5. Personal data of a highly sensitive nature, in circumstances where the personal data processed on the Intelligence Bulletin concerned ongoing investigations and the personal data of vulnerable data subjects.

Corrective Powers Exercised:

The decision found it appropriate to exercise corrective powers in accordance with section 124(3) of the 2018 Act, and sets out the corrective powers exercised, pursuant to section 127(1) of the 2018 Act. These are:

  • A reprimand issued to An Garda Síochána, pursuant to section 127(1)(b) of the Data Protection Act 2018, in respect of the infringements. The nature of the infringements identified demonstrated a generalised failure by An Garda Síochána to implement appropriate technical and organisational measures in order to ensure that its processing of personal data was undertaken in accordance with the Data Protection Act 2018, and
  • An order issued to An Garda Síochána to bring its processing into compliance with the relevant provisions of the Data Protection Act 2018 through the implementation of appropriate technical and organisational measures with regard to the security of Intelligence Bulletins throughout its network of Garda stations in Ireland.