Credit unions which hired private investigator Michael Gaynor, who was convicted of unlawfully accessing information held on Garda systems, did not ask what methods he was using to trace people who owed them money, the Office of the Data Protection Commissioner (ODPC) said.
In a statement after Gaynor was convicted of two charges of breaching the Data Protection Acts, the commissioner noted “with disappointment” what it said were a number of failures on the part of credit unions.
"Firstly, the ODPC investigation found no evidence that any Credit Union established from Michael J Gaynor what methods he was using to obtain access to new address information.
“Secondly, it is particularly disturbing that the trace reports supplied by Michael J Gaynor contained, in numerous cases, substantial details concerning the electricity account of the credit union members concerned.”
The commissioner said that despite the “significant level of detail concerning electricity accounts”, no alarm bells had sounded in the recipient credit unions who “asked no questions of Mr. Gaynor in that regard”.
The office said its own investigation found “no evidence that any credit union had carried out any due diligence prior to hiring the services of Mr Gaynor”.
“This was a serious deficiency.”
For the future, credit unions across the State will be expected to undertake appropriate due diligence in advance of passing on any member’s details to private investigators or tracing agents.”
The commissioner's office will engage further with the ESB and An Garda Síochána on "the implications of the data security breaches which occurred in their organisations" and on the steps that will be required to deal with those breaches and to prevent a recurrence.
"An Garda Síochána has already been audited by the Data Protection Commissioner (details of which were published earlier this year). A data protection audit of the Electricity Supply Board will be undertaken in the near future."
The commissioner welcomed the outcome of the prosecution in the Dublin District Court.
It was “a significant investigation and prosecution on several fronts.
It was the first prosecution of a data processor for processing personal data without having an entry on the public register of the Data Protection Commissioner.
The investigation in this case also uncovered access by the defendant to customer data held on databases held by the Electricity Supply Board.
“To access the personal data, the defendant used a staff contact inthe Electricity Supply Board which he had established during his previous Garda career.”
In the case of the defendant’s access to personal data held on the Garda Pulse system and the Garda National Immigration Bureau computer database, the defendant had solicited personal data from these databases using a serving Garda who was known to him from his previous Garda career.
This was also the second completed prosecution in recent weeks related to the private investigations sector.
Last month, two owners of a private investigations company were convicted of deceptively obtaining personal information from the Department of Social Protection and the HSE and passing it on to credit unions.
Wendy Martin (45) and Margaret Stuart (56), directors of Greystones-based private investigations company MCK Rentals Ltd, pleaded guilty before Bray District Court on October 6th to breaches of the data protection laws.
The commissioner said: “These prosecutions send a strong message to private investigators and tracing agents to comply fully with data protection legislation in the conduct of their business and that if they fail to do so, they will be pursued and prosecuted for offending behaviour. A number of other investigations in this sector are ongoing and these may result in future prosecutions.”