State agencies audited over access to phone records

Data Protection Commissioner examines Revenue, Army and An Garda Síochána

Architect Graham Dwyer who murdered Elaine O’Hara. Photograph: Cyril Byrne/The Irish Times.

The Data Protection Commissioner (DPC) has carried out audits on access by the Army, the Revenue Commissioners and An Garda Síochána to people's phone and internet records. The three agencies have various powers to demand records from service providers, including mobile phone companies, to investigate serious crime or to safeguard the security of the State. The powers are under the Communications (Retention of Data) Act 2011.

The bodies are obliged to complete reports for their respective ministers on their requests for data under the Act.

However, oversight of the legislation has repeatedly been criticised by privacy groups and lawyers as inadequate. Senior gardaí, senior Army officers and Revenue officials at principal officer grade may authorise requests to communications service providers for phone and internet records.

The Government does not provide statistics on the number of cases in which communications have been intercepted and has prevented communications providers from doing so.

A designated judge is responsible for keeping the operations of the Act under review and for ascertaining whether the organisations are complying with its provisions.

The legislation is being challenged in the courts by Digital Rights Ireland (DRI). The privacy lobby group took a successful challenge to the EU data retention directive, resulting in that law being overturned by the Court of Justice of the European Union in Luxembourg in April 2014.

Domestic legislation was repealed in six member states following the DRI ruling, but remains in place here.

At least one high-profile criminal conviction which hinged on access to phone records under the 2011 Act – that of architect Graham Dwyer for the murder of Elaine O'Hara – is currently under appeal.

The office of Data Protection Commissioner Helen Dixon confirmed it had conducted a series of audits in the first half of this year of agencies covered by the Act. It said all agencies were issued with pre-audit questionnaires seeking statistics on disclosure requests made to communications service providers between 2013 and 2015.

“We have completed the audits in all cases,” the office said. “Several audit reports have been finalised and issued to the relevant organisations. We are in the process of completing the remaining audit reports.”

Publication of the findings of audit reports was a matter for the organisations concerned. The Revenue Commissioners said it did not intend to publish the audit, as to do so would be prejudicial to its work in the investigation and prosecution of criminal offences.

Defence Forces

An Garda Síochána confirmed an audit of its processing of communications data had started in the first quarter but said it had not yet received notice of when the report would be finalised by the DPC.

While the Defence Forces did not comment on the audit, it is understood they do not intend to publish the findings as their function concerns the security of the State.

In a joint submission to the United Nations Human Rights Committee last September, Privacy International and Digital Rights Ireland expressed serious concerns about oversight of surveillance and data retention law here.

The submission said systems relying on internal approval to access such personal data were “particularly open to abuse”.

It recalled that in 2010, a Garda sergeant was found to be using the data retention system to spy on her former partner. “It appears this emerged due to his suspicions and not due to any internal controls,” the submission said. “Despite this, the sergeant in question was not prosecuted, dismissed nor demoted, and she was transferred to a sensitive position in the Special Branch (anti-terrorist division).”

A 2014 audit by the DPC of access to the Pulse computer system had also found a “systematic practice of retrospectively rubber-stamping requests” where requests were made without a chief superintendent’s knowledge, the submission said.

Tánaiste and Minister for Justice Frances Fitzgerald recently announced plans to give gardaí additional powers to access communications data, including emails and social media accounts of criminal suspects.

In his High Court proceedings, Dwyer claims certain provisions of the Communications (Retention of Data) Act 2011 breach his rights to privacy under the Constitution, the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union. During his trial, his lawyers argued the mobile phone data was inadmissible as evidence but those arguments were rejected by the trial judge.

Last week, in a preliminary opinion, an advocate general of the Court of Justice of the European Union said retaining data from telephone calls and emails was legal only if law enforcement agencies used it to tackle serious crime.

The preliminary finding was in response to a legal challenge brought by David Davis, the new Brexit minister in the UK, and Tom Watson, Labour’s deputy leader, over the legality of the security authorities’ bulk interception of call records and online messages.