Irish DPA announces action on failed police self-regulation

By EDRi · November 7, 2012

Apparently illegal abuses of the Irish police (“An Garda Síochána”)
database show no sign of being brought to an end, despite repeated
announcements on the issue by the Irish Data Protection Commissioner (DPC).

Problems with the possible abuse of the database were identified over
five years ago, leading to a self-regulatory “code of practice” being
drawn up by the DPC and the Irish police force in 2007. In the foreword
of the Code, the DPC said that the Code was “designed to give
operational meaning to the principles of data protection set out in
European and National law,” adding that he was confident that the “Code
will make a significant contribution to improving knowledge and
understanding of data protection within An Garda Síochána.” The Code
covered the oddly named PULSE (Police Using Leading Systems
Efficiently) database.

Unfortunately, self-regulation was less successful than the Commissioner
appears to have expected. In November 2010, the annual report of the
judge tasked with overseeing the Irish data retention system described a
case where a police sergeant, working in the Garda intelligence
division, had abused her position by accessing the phone records of her
former boyfriend. Despite this, the police officer in question kept her
job and rank and was moved to a position in the Irish special branch –
where she continues to have access to sensitive data.

The apparent abuses continued, leading to the Commissioner, in his
annual report for 2011, stating that despite repeated engagements from
the police on this issue, the monitoring of access to the database
“falls short of the standards that we expect”. As a result, in March
2012, the Commissioner announced plans for an audit of the use of the
PULSE system.

The discovery of cases of apparently illegal use of the database by the
police force in 2010 did not lead to any obvious improvements. In August
2011 press reports indicated that the PULSE database was being abused by
members of the police force in order to do illegal background searches
for reasons ranging from checking the history of men that their
daughters were dating to checking the accident history of cars that
they were thinking of buying. As a result of these revelations, the Data
Protection Commissioner rapidly announced… again… that he was going
to launch an audit of police use of the database.

Subsequently, in October 2012, the Irish DPC acted quickly in response
to an abuse of the Irish tax database – by announcing a plan to
undertake an audit of… the (unrelated) PULSE database.

All of which goes to show, if you have nothing to hide, you’ve nothing
to fear, because you’re probably dead.

October 2012 announcement: “Tax official used data on woman to
proposition her” (24.10.2012)
http://www.independent.ie/national-news/courts/tax-official-used-data-on-woman-to-proposition-her-3270976.html

August 2011 announcement: “Gardaí use database to check up on daughters’
boyfriends” (8.08.2011)
http://www.thejournal.ie/gardai-use-database-to-check-up-on-daughters-boyfriends-196134-Aug2011/

March 2011 announcement: Twenty-second annual report of the Data
Protection Commissioner 2010
http://www.dataprotection.ie/documents/annualreports/2010AR.pdf

2007 Code of Practice
http://www.garda.ie/Controller.aspx?Page=136&Lang=1

(Contribution by Joe McNamee – EDRi)