An audit report has found there were 350 data breaches in two years at PeoplePoint, the centre that provides HR and pensions administration services for 34,500 civil servants. The service was criticised by Data Protection Commissioner Helen Dixon in her recent annual report. PeoplePoint was selected for "close examination" and an audit last year following a large number of breaches reported to her office.
Most of the cases involved inappropriate disclosure of personal information to the wrong department or manager, and were the result of human error.
In one case, the commissioner’s office received two complaints from public servants – a husband and wife – whose personal data was disclosed by PeoplePoint.
The husband complained in November 2015 that after applying for annual leave he subsequently made an application to change this request to sick leave. A PeoplePoint staff member emailed the man’s line manager at the Government department where he worked. However, on receiving an out-of-office reply, the officer emailed the complainant’s “non-supervisory peer”.
The commissioner established that the personal data of the complainant’s wife, who was also a public servant in a different department, was also contained in the email which had been sent to three third parties.
No legal basis
On further investigation it became apparent that the PeoplePoint official had informed the complainant’s spouse and their colleagues about information in relation to the complainant when they had “no legal basis to do so”.
In that case, the commissioner made a formal finding against PeoplePoint. “This case is a stark reminder to data processors of the importance of processing data only with the prior consent of the data subject or the data controller,” the commissioner’s annual report said.
It added that actions in relation to personal data that “may appear innocuous to ill-informed staff can have serious ramifications for data subjects”.
The audit inspection team considered that there was “not an acceptable level of awareness of data-protection principles in evidence generally within PeoplePoint”.
The commissioner accepted, however, that the vast majority of data breaches occurred through the issuing in error of data belonging to one public sector body to a HR official in another public service body, with all HR officials concerned governed by the Official Secrets Act.
Completely unacceptable
Publishing her annual report, Ms Dixon told The Irish Times the level of data breaches at PeoplePoint had been “completely unacceptable”.
In total, 163 breaches were notified by PeoplePoint in 2016 compared to 155 the previous year.
A spokeswoman for the National Shared Services Office (NSSO), which oversees PeoplePoint, welcomed the findings and accepted all the recommendations in the audit report. A copy of the audit was provided to The Irish Times by the NSSO.
“We are fully committed to safeguarding the privacy and data security of all of our Civil Service clients, as outlined in the obligations conferred on us in the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003,” the spokeswoman said.
She confirmed that no data had been made public or lost in the PeoplePoint breaches. “In every case PeoplePoint received confirmation that the information was destroyed immediately.”
PeoplePoint suffered a further data breach after the conclusion of the audit. It is understood that last January a file was sent to an official in the Revenue Commissioners containing details about thousands of individuals.