Scanning Twitter over my post-breakfast intra-planning pre-work coffee this morning, I noticed tweets that were agog at a Minister for Health who is a medical doctor asking non-medical doctor political colleagues for lists of people who should have been given a medical card. The agogness was triggered by this news story on the RTE website.
Yes. It is a cause for agogness.
However, my gog was a’d by one line in the middle of that story that actually links into a story covered (briefly) by Irish media yesterday. Minister Reilly has also asked for a list of names of people who have given information to the Primary Care Reimbursement Service and have had their information “misplaced”.
Only yesterday the Data Protection Commissioner was scathing in his comments about the level of “sloppiness” around the handling of personal and sensitive personal data in the Public Sector.
Today, buried in a story that was likely sourced from the Office of the Minister for Health himself, we find a disclosure that sensitive personal data and potentially personal financial data have been “misplaced” by a unit of the HSE.
However, the Minister is asking his colleagues for the names of people who might be affected. So that’s OK then.
No. It’s not.
If the PCRS has “misplaced” information that was provided to them in either electronic or hard copy form, this constitutes a breach of Section 2(d) of the Data Protection Acts 1988 and 2003. Under the Voluntary Code of Practice for Data Security Breach Notification, the HSE is required to notify the Data Protection Commissioner where there is a risk that Personal Data, Sensitive Personal Data, or Personal Financial Data have been lost, or accessed or disclosed without authorization. The affected Data Subjects are supposed to be notified (unless it affects fewer than 100 people and doesn’t relate to Sensitive Personal Data or Personal Financial Data). The HSE, as Data Controller, is required to maintain a Data Breach Register for any reported incidents where the security of personal data has been put at risk. If the Minister is having to effectively do a ring around his mates in the Dáil to find out what the scale of the problem is, that should be a bit of a worry.
So. Riddle me this…
- Why is the Minister asking for a list of names of people whose data has been “misplaced”?
- Why is he asking for this list if the HSE PCRS has been maintaining a Register of incidents of reported loss of data?
- Why has the Minister not referred the issue to the Data Protection Commissioner?
The answer is, as ever, the Tone at the Top in the Public Service in Ireland. Unerringly it is a discordant “BLAAARRRRRRPPPPP” when it comes to matters of Data Protection. Organisation restructurings are undertaken without consideration for effective Data Governance, Information Quality, or Data Protection controls. Training in these things is seen as an overhead, not an investment. Kludged manual processes are put in place without documentation and standardization (sure documentation takes AGES), and Ministers give undertakings to do things RIGHT NOW (immediately) rather than doing them RIGHT NOW (error proofed, proper controls, designed for efficiency, consistently executed).
This problem is not confined to the Public Sector. However, the Public Sector is, as Billy Hawkes has pointed out many times, the one actor processing our personal data that can REQUIRE us to provide information by law and that requires us to provide information to avail of key Public Services and functions.
“BLLLAAAAARRRRRPPPPP” is an insufficient response from the leadership.