Private investigators admit ‘blagging’ credit union data

Wendy Martin and Margaret Stuart got personal details from HSE, Department of Social Protection

Assistant data protection commissioner Tony Delaney: ‘very happy with the outcome’.  Photograph: Dara Mac Dónaill/The Irish Times
Assistant data protection commissioner Tony Delaney: ‘very happy with the outcome’. Photograph: Dara Mac Dónaill/The Irish Times

Two owners of a private investigations company have been convicted of deceptively obtaining personal information from the Department of Social Protection and the HSE and passing it on to credit unions.

Wendy Martin (45) and Margaret Stuart (56), directors of Greystones-based private investigations company MCK Rentals Ltd, todaypleaded guilty at Bray District Court to breaches of the data protection laws.

The two women and the company were charged with 23 counts each of breaches of the data protection legislation.

Ms Martin and Ms Stuart pleaded guilty to one sample charge each of unlawfully obtaining information and passing it to their credit union client. MCK Rentals Ltd pleaded guilty to five related charges.

READ SOME MORE

The defendants were fined a total of €10,500 - €1,500 for each charge - for the breach, which Judge David Kennedy called "a very serious breach of the data protection laws on an ongoing basis and with a certain amount of subterfuge".

This is the first conviction ever under section 22 of the Data Protection Acts 1998 and 2003, which prohibit individuals from both obtaining access to personal data without the prior authority of the data controller and disclosing that data to another person. The company was prosecuted under section 29 of the Acts.

The court heard credit unions engaged the defendants to locate debtors in arrears. Seven credit unions across the country disclosed clients’ personal information, including PPS number and dates of birth, to the private investigators as a means of accessing further details.

The defendants misrepresented themselves and used a practice known as “blagging” to trick employees of the Department of Social Protection and the HSE’s Primary Care Reimbursement Service into revealing the credit union debtors’ current addresses. The defendants then illegally conveyed this information to the credit unions. The credit unions involved include Tullamore, Portlaoise, Portarlington, Athy, Caherdavin in Limerick and St Mary’s Parish in Limerick.

Assistant Data Protection Commissioner Tony Delaney told the court he discovered the breach while investigating credit unions suspected of obtaining personal data.

Mr Delaney called the scheme a “clever manipulation that relieved the HSE of a vast amount of personal data in all cases”.

Speaking after the trial, Mr Delaney said: “[The Data Protection Commission] is very happy with the outcome that convictions were imposed by the judge both in terms of the company and the directors. It’s the first instance the Data Protection Commissioner has prosecuted directors for their part in the commission of offences by a company, so this is a very significant outcome.

“It’s the first occasion we’ve prosecuted private investigators under the Data Protection Act. And it’s the first occasion “blagging” has been the subject of Data Protection Prosecution.”

The court heard MCK Rentals Ltd still exists but is effectively dormant.

A related case will be tried before Dublin District Court next month. The Data Protection Commissioner will prosecute private investigator Michael J Gaynor, trading as MJG investigations, for illegally accessing personal information from An Garda Síochána and the ESB and disclosing it without authority, again under section 22 of the Data Protection Acts 1988 and 2003. He faces 72 charges.