Company tells ‘INM19’ data watchdog made ‘no specific findings’

INM writes to individuals whose emails allegedly searched in 2014 data breach

INM’s former director of corporate affairs Karl Brophy:  among those who have issued legal proceedings against INM over a data breach and searching of  emails. Photograph: Courts Collins
INM’s former director of corporate affairs Karl Brophy: among those who have issued legal proceedings against INM over a data breach and searching of emails. Photograph: Courts Collins

Independent News & Media has told individuals whose emails were allegedly searched in an illegal 2014 data breach that a State watchdog’s investigation report into the incident made no “specific findings” on their personal data.

The company wrote to the group of current and former journalists, executives and advisers to the group, known as the INM19, last week after receiving the Data Protection Commission’s report to provide them with an update on the data breach involving the unauthorised access to their emails.

The regulator concluded that the removal and processing of personal data from INM’s IT systems in late 2014 did breach data privacy law because it had no legal basis, the individuals were not aware of it and this was unfair, and because INM’s security allowed it to happen.

The commission sent its final investigation report, containing the adverse findings against the company, to INM at the start of this month.

READ SOME MORE

INM told the individuals whose personal data was allegedly “interrogated” in the “2014 data security incident” that the report “did not make findings in a number of points that remain unconfirmed and which were considered by the DPC to be beyond the scope of its investigation”.

Personal data

The company did not elaborate in the letter as to what these points were.

"While the DPC's final investigation report made a number of specific findings in relation to INM, it did not include findings or reach any conclusions in relation to your personal data," Mary Gallagher, company secretary at INM, said in the letter to the INM19.

While the DPC is understood not to have make any specific findings about the individuals affected and their data, the regulator found that the data security incident concerned the processing of personal data that was not in compliance with data protection law.

Both INM and the DPC have declined to release a full copy of the commission’s final report, which concluded an investigation begun in June 2018.

The State’s corporate law watchdog, the Office of the Director of Corporate Enforcement, identified 19 people whom it believed had their data searched in the incident.

Legal proceedings

One of those people, INM's former director of corporate affairs Karl Brophy, tweeted on Sunday that INM was refusing to allow the affected individuals to see the DPC report.

The controversy dates back to 2018 when the ODCE found that data was removed from the company’s IT systems and taken outside the State to be searched.

Former INM chairman Leslie Buckley said it was done as part of a cost-cutting exercise. It has since emerged from records filed in the High Court that Mr Buckley kept businessman Denis O'Brien, then a 29 per cent shareholder in INM, informed about the searching of the data.

Many of the individuals in the INM19 group, including Mr Brophy, have issued legal proceedings against the company over the data breach and the searching of their emails.

A year-long investigation by the ODCE, triggered by two detailed protected disclosures by former INM chief executive Robert Pitt and former chief financial officer Ryan Preston, led to High Court proceedings and the court's appointment of two inspectors who are still investigating the media group.

Simon Carswell

Simon Carswell

Simon Carswell is News Editor of The Irish Times