USB key sent by Gsoc to garda internal affairs ‘went missing after being sent in the post’
A USB KEY containing CCTV footage from a patrol car following a suspect that was sent by the Garda Ombudsman (GSOC) to garda internal affairs went missing after being sent in the post.© Sam Boal Photocall Ireland
The memory stick, a letter, and a report had been sent by GSOC in envelopes but on receipt, gardaí reported “both envelopes were damaged, and the USB key is missing”.
The data breach was one of 29 reported by the Garda Ombudsman over the past two years, of which six were reported to the Data Protection Commissioner.
Other incidents included letters sent to the wrong gardaí, the wrong garda being linked to an investigation because they had the same name as another member, and the theft of an iPhone from a parked car.
Figures released by GSOC show that there were fifteen breaches notified last year, of which one – the case involving the lost USB key – was brought to the attention of the Data Protection Commissioner.
Other cases last year included the theft of a staff phone when they were parked in the Phoenix Park.
A note of the incident said: “iPhone not activated and password protected. If/when phone is turned on by a third party, data will be automatically wiped. The matter has been reported to the gardaí and Corporate Services.”
In another case, notification of a case was sent to the wrong garda station in Connacht while another was sent to Anglesea Street station in Cork when it was supposed to go to a Garda Assistant Commissioner.
Of the fourteen breaches reported in 2019, five of them were escalated to the Data Protection Commissioner according to information released under FOI.
The most serious incidents included one where letters intended for two gardaí were forwarded to the other officer by mistake.
In that case, one of the gardaí had quickly returned the letter; however, the other one remained outstanding well over a month later.
Another case notified to the Data Protection Commissioner involved an “unauthorised disclosure to [a] third party following potential misdirection of post”.
GSOC said the person who had received a letter and an email with an attachment was asked to return the mail and destroy the email.
One case saw a letter of consent sent to the wrong address while in another three letters issued to the wrong address because it was recorded incorrectly on a database.
A breach was also notified in a case where a letter was sent to a garda station but the officer involved had since retired.
It was opened by a serving member and subsequently returned. A note said: “Letter appears to have been issued in contravention of GSOC directive on checking of Garda Nominal Roll.
“Decision not to notify data subject as GSOC does not have private address/email address. May compound breach by requesting details from An Garda Síochána, or request correspondence be forwarded by [them].”
GSOC said there were no data breaches relating to letters in 2020, likely reflecting the fact that many staff were working remotely during the Covid-19 pandemic.
They said 13 of the 15 breaches last year related to incorrect email addresses, and also attributed that to increased work-from-home arrangements.
A spokeswoman said: “GSOC takes its duties as a data controller very seriously and regrets all data breaches.
“Training has been provided for all staff on their obligations regarding confidentiality and data protection, and in how they are to discharge their responsibilities.”
Breaches must be reported to the GSOC data protection officer (DPO) so that “adequate containment, recovery and notification procedures are undertaken”.
She added: “In the event of a high or several level data breach, the DPO will escalate the matter to the breach management team and contact the Data Protection Commission.”