Data Protection Commissioner
Data Protection Commissioner

Case Study 3

Visa application details accidentally put on website of Department of Justice, Equality and Law Reform

A journalist contacted my office with urgent concerns regarding the publication on a website of personal details of visa applicants. I investigated the matter and found that the personal data of visa applicants had been displayed by the Immigration & Citizenship Division of the Department of Justice, Equality & Law Reform on the Department's website on 6 February, 2003. It appeared that through an unfortunate and accidental breach in operating procedures visa decisions for 506 applicants were posted live on the website with the inadvertent inclusion of the applicants' name and nationality. The data had been accidentally on the website for about two hours but as soon as the error was noticed the details were deleted.

This situation arose as a result of a decision to revise and improve the visa process. It was considered of benefit to place non-personal visa decision information on the website as it would be of merit to staff and visa applicants to have 24 hour easily accessible information available on the website which would reduce the need for applicants to contact the section. It had been agreed that no personal details would be shown; the only information to be posted would be the visa application number, the decision and, where an application was refused, the reason for the refusal.

Due to an operational oversight, the personal details were included contrary to the Department's intention. Accordingly, this was a contravention of Section 2(1) (c) of the Acts, being an incompatible disclosure of personal data. Appropriate security measures were inadequate and constituted a contravention of section 2(1) (d) of the Acts.

I note and appreciate that this accidental and unfortunate action was a once off which was swiftly resolved by the immediate action taken by Immigration & Citizenship Division. Nevertheless inappropriate disclosure took place for a short period. I was assured that new procedures were put in place for any future postings on the website which would avoid a recurrence of this incident. I commend the Division for its response.

On a more general level I would strongly advise all data controllers to take special care when it is proposed to place personal data on a website. Even where there is legislation providing that information must be made available to the public, this need not always mean that it is appropriate to place such information on a web site. Consideration must be given to the balance required of the right of the public to certain information and the right of the individual to privacy. Sometimes it may be appropriate to inform the public by means of information on a web site, without disclosing personal details. These rights have to be balanced, and I would encourage data controllers to have procedures in place to ensure that adequate consideration is given to these matters. Furthermore security procedures must be adequate and staff must be aware of and implement them so as to avoid the occurrence of a situation as described in this case study.