To: Each Branch Secretary – Attention All Members
Date: 14th April 2016
News Update: 007/16
RE: Data Breach
The Union will continue discussions with Peoplepoint and the Department of Public Expenditure and Reform following the latest data protection breach which members were advised of yesterday. The Union are very concerned over this latest development, particularly given commitments received after the last major data breach in 2015.
Following communication from Management we are aware that this breach is likely due to human error rather than systems or process issues. However we are exploring this further today.
As we understand it the breach affects 1914 data subjects and the personal data disclosed included;
- Personal Details: Name, Gender, PPSN
- Employment Details: Business Unit Code, Grade, Work Pattern
- Details of Special Leave Taken: Nature of Special Leave, Reason for Leave Applied For, Dates, Duration
To quote directly from Peoplepoint, the breach occurred when;
“the above mentioned data contained in an Excel report relating to multiple departments (34) was shared in error with the Local HR office of one of the departments only. This happened because the Officer, who was issuing the report to the recipient of the data, did not filter the report as was required in the process. This was also not noted in a subsequent check of the report by another advisor on the same team. The report was uploaded to a “report distribution site” on our electronic Document Management System (DMS) that is only accessible by HR officials of that department.
On being informed of the error by the relevant HR department, the report was immediately removed from the DMS. We have confirmed that only two individuals had access to the report as the only members of staff in the relevant Local HR office. We have consequently received written confirmation from this office that the report was not downloaded or forwarded to any other party and that the report is no longer accessible by the Local HR office. “
Clearly this is not an acceptable situation and despite commitments in 2015 we now face similar circumstances today. We will make every effort in discussions with Management at Peoplepoint and DPER to deal with this matter and avoid any more reoccurrences and get as much information as we can on the situation.
The Data Protection Commissioner has also been advised of this situation by Peoplepoint, in which they have stated as follows;
“We would like to assure the Data Protection Commissioner that we are continuing to eliminate the risk of this occurring again within PeoplePoint by emphasizing the importance of taking particular care with regard to the creation and distribution of reports. As a result of this incident we have commenced an investigation into these processes and reviewing procedures for this team. This investigation will allow us to identify enhancements and controls that can be introduced to the process in order to address the risk of future similar breaches occurring.”
We will communicate further on this matter later on following further discussions.
We will also set out our concerns on the matter to the Data Protection Commissioner on behalf of all members.
Deputy General Secretary