State Bodies Criticised by Data Commissioner

Posted on 09 April 2010 by jjkomplett in Analysis, News

Data Protection Commissioner Billy Hawkes has slammed certain State bodies for their attitude towards the protection of vital data. His annual report for 2009 tells how an area of “some disappointment” for his office has been the reluctance of “some State bodies to take sufficient account of data protection issues” when framing new legislation or applying existing law.

“In some such cases, I have, reluctantly, felt it necessary to bring concerns directly to the attention of the legislature,” he added. The Health Service Executive, rather unsurprisingly, figures heavily in Hawkes’ criticism during the report, with the Commissioner saying, amongst other things, that “the existing controls on patient database development within the HSE are insufficient to prevent the development of ad-hoc databases”.

Other notes from his investigation into the HSE state that the Executive must introduce policies to prevent situations arising in which it does not own or control devices storing HSE patient data, and that it should prioritise the development of secure networks and devices for the transfer of patient data. The development of appropriate controls governing access to patient databases, including directory services, should be a priority for the HSE, and the report also recommends staff training to ensure everyone up to management level understands the need to report serious data security breaches.

“The HSE,” added the report, “should develop a comprehensive breach management policy to cover all forms of data security breach including those involving manual data.” Hawkes talked to The Irish Times this morning and it’s interesting to note how he feels that organs of the State may be using “draconian powers” inappropriately to access personal information and to clamp down on welfare fraud.

Hawkes told the Times there had been cases where information was being sought by the Department of Social and Family Affairs from other departments to which it had been provided for a “totally different reason”.

The HSE weren’t the only targets of the report of course, and during 2009, Hawkes’ office received 119 data security breach notifications, a “significant increase on the 81 breach notifications received in the preceding 12 months”. Says Hawkes in the document, “I successfully prosecuted four companies operating in the premium rate text messaging sector in 2009 for offences under S.I. 535 of 2003, namely Opera Telecom (Ireland) Ltd, Zamano Solutions Limited, Mountwilson Ltd and Púca Technologies Ltd (in its capacity as a provider of the SMS technology and network used for the sending of messages by a client).

“I also prosecuted Map Dance Ltd (trading as Jackie Skelly’s Gyms) and Home RBVR Ltd (trading as Brasserie 66 restaurant) in 2009 for offences relating to the sending of unsolicited marketing text messages.”

A total of 86 organisations (some organisations reported more than once) notified his office of data security breaches in 2009. Sixty of these organisations were in the private sector and twenty-six organisations were in the public sector.