Irish credit unions have come under fire after allegations that they hired private investigators to illegally obtain government-held data on their customers.
The PIs used false identities to dupe staff at the Department of Social Protection and other government bodies into handing over the information, according to an investigation by the Irish Independent.
They then handed the stolen data, which apparently included addresses and social welfare information, back to the unions in return for a fee.
At least 78 customers are said to have been affected but the final number could be in the hundreds as the Office of the Data Protection Commissioner is now investigating.
The private investigators, also known as 'tracing agents', were likely employed by the unions to track down the details of customers who’d fallen into arrears and couldn’t be contacted.
Around a fifth of loans paid out by these unions in Ireland isn’t repayed, according to Charlie Weston, personal finance editor at the Irish Independent.
However, the unions are apparently claiming that they had no knowledge these agents were using illegal tactics to obtain key data from the government.
The Data Protection Commissioner is also focusing his investigation on the detectives, rather than the credit unions.
"It is a criminal offence under data protection legislation for a person to obtain access to personal data without the prior authority of the data controller by whom the data is kept and to disclose it to another person," noted a statement from the commissioner.
"The Data Protection Commissioner has commenced prosecution proceedings in the District Court against some private investigators who are suspected of breaches of the Data Protection Acts."
Meanwhile, the Department of Social Protection claimed it treats data security with the “utmost seriousness”.
“The department has extremely rigorous data protection and information security policies, standards, procedures and guidelines in place, and every effort is made to ensure that personal customer data is used solely for business purposes and that it is not compromised in any way,” it said in a statement sent to RTE.
"The department ensures oversight in relation to data protection by keeping records of data accesses which are then subject to audit. All cases of suspected data breaches are investigated."
Dublin-based security consultant Brian Honan argued that all organizations need to train frontline staff better to ensure they know how to “securely divulge information to individuals”.
He told Infosecurity that companies hiring third parties to conduct investigations on their behalf must also be rigorous in making sure this is done “in an ethical and legal manner”.
“Simply engaging a company does not abdicate you of your responsibilities to gather data legally in line with the Data Protection Act and other laws,” he added.
Simply engaging a company does not abdicate you of your responsibilities to gather data legally in line with the Data Protection Act and other lawsBrian Honan