Case Studies: Disclosure / Unauthorised Disclosure
CSO data breach — Disclosure of P45 data (Applicable law — Data Protection Acts 1988 and 2003)
We received several complaints in late 2017 against the Central Statistics Office (the CSO), each alleging that the CSO had disclosed the respective complainants’ personal data without their consent or knowledge. The complaints related to a data breach that the CSO had previously reported to us (under the voluntary Personal Data Breach Code of Practice) and to the affected individuals.
The data breach originated from actions taken by the CSO in response to three requests over a five-day period from separate former census enumerators seeking their P45 information. Emails with PDF attachments containing their own P45 and P45s of thousands of third parties were sent to the requesting enumerators. The CSO informed us that the data breach had been identified when a member of CSO staff had reviewed the relevant CSO sent-items mailbox, as part of the CSO’s standard due-diligence practices. The CSO confirmed that the disclosed third-party P45 information contained personal data including PPSNs, dates of birth, addresses and details of earnings from employment as census enumerators.
During our investigation, the CSO informed us that upon discovering the breach it had notified the recipients of the error, who had subsequently confirmed in writing that they had deleted the files. The CSO told us that it had also notified the affected individuals of the facts of the breach as they pertained to each individual. The CSO also informed us that following the data breach it had implemented a range of new procedures for handling P45 requests, including a rule that P45 requests were to be answered only by post going forward.
This data breach affected the thousands of individuals whose personal data was contained in the files that were unlawfully disclosed to the three former enumerators. The incident essentially occurred in triplicate because the erroneously disclosed files had been attached to three separate outgoing communications. This incident would have been preventable had the CSO had appropriate processes in place for overseeing the release of tax-related personal data.
The DPC issued a number of individual decisions in respect of complaints in relation to this breach, finding in each case that a contravention of Section 2A(1) of the Data Protection Acts 1988 and 2003 had occurred, in that personal data had been processed without a legal basis, as was clear from the breach report submitted to the DPC from the CSO. Having examined the new measures implemented by the CSO to guard against a recurrence, the DPC was satisfied that they comprehensively addressed the failings that had brought about this incident. However, from the perspective of ensuring the lawfulness of the processing and the security and confidentiality of personal data held by the CSO, those new organisational procedures only served to underline the inadequacy of the previous measures for responding to requests for tax-related information.