INM staff-emails search broke data privacy law, says watchdog

Data regulator finds three infringements over 2014 breach that had no legal basis

INM’s former chairman Leslie Buckley stepped down from the firm in 2018. File photograph: Alan Betson/The Irish Times
INM’s former chairman Leslie Buckley stepped down from the firm in 2018. File photograph: Alan Betson/The Irish Times

Independent News & Media's searching of emails belonging to current and former journalists and company executives in 2014 breached data privacy law and had no legal basis, the State's data watchdog has found.

The Data Protection Commission (DPC) has said "a data security incident" at the media company in late 2014 "concerned the processing of personal data" held within its internal IT and backup systems that was "not in compliance with data protection law".

The regulator found three infringements over the incident: that the company had no legal basis for scouring the emails, that the individuals did not know what the firm was doing and this was unfair, and that the firm’s security around the processing of the data had allowed it to happen.

The commission said the adverse findings against the company were contained in a final investigation report that it sent to the media company on Wednesday.

READ MORE

No fine has been imposed on INM because the data regulator’s investigation was carried out prior to wide-ranging 2018 legislation that gave it powers to impose fines for the first time.

The 2014 data breach led to disclosures by two internal whistleblowers, an investigation by the State's corporate watchdog and the appointment of two High Court inspectors.

It later emerged that at least 19 individuals, including former INM journalists and company executives, had their private data removed and searched.

Many are now taking High Court litigation against the company over the incident.

Resignations

The controversy led to resignations from the board of the company following concerns raised by the Office of the Director of Corporate Enforcement (ODCE) that data was removed from the company’s offices and sent outside the State to be searched by third parties.

The company's then chairman, Leslie Buckley, who stepped down from the firm in 2018, said this was done for the purposes of a cost-cutting exercise within the business where he was seeking information about a contract relating to an external lawyer.

It has since emerged from High Court records that Mr Buckley kept businessman Denis O’Brien, then a 29 per cent shareholder in INM, informed about the searching of the data.

Mr Buckley said on Friday that he had received written confirmation from the DPC to say it had made no adverse determinations against him.

However, the data protection regulator’s investigation could, under law, not making findings against any individuals, just the company as “data controller”.

The DPC said the findings in its final report “relate solely to compliance by INM with its obligations as a data controller under the legislation”.

The investigation by the commission was carried out under the Data Protection Acts 1988 to 2003 and not under the “GDPR” European data protection directive and the Irish legislation supporting it, which gives the regulator the power to impose large fines over data breaches.

The commission’s investigation began prior to the GDPR legislation coming into force.

The DPC said the investigation, which commenced in June 2018, “has now concluded with the provision of the final investigation report to INM”.

Changes

Belgian media group Mediahuis took over INM in the wake of the controversy and has made significant changes to the company's board and senior management structure since then.

INM said in response to the DPC’s report it was satisfied that several recommendations contained in the report to improve data protection governance contained “have already been implemented in full since 2018”.

“The company will incorporate the DPC recommendations within its normal annual review of data protection processes in order to ensure it continues to observe best practice standards,” said INM.

High Court inspectors Sean Gillane SC and solicitor Robert Fleck are still investigating the data breach and other matters at the company since being appointed in 2018 by the then High Court president Mr Justice Peter Kelly following a year-long investigation by the ODCE into the company.

That investigation was sparked by protected disclosures made by the company's former chief executive Robert Pitt and former chief financial officer Ryan Preston.

Simon Carswell

Simon Carswell

Simon Carswell is News Editor of The Irish Times