Call McGarr Solicitors on: 01 6351580

Home » Blog » Freedom of Expression

After PRISM: Who can access Ireland’s Data Retention Snooper’s Gold?

Stories of Beowulf slave stealing golden cup

The PRISM leaks will come to be seen as one of the most significant stories of the year.

The response of the various branches of Government in the US is to simultaneously hold that the leaks aren’t news at all– that they don’t tell the public anything they didn’t already know- and at the same time to decry the leaker for risking the very security of the USA by revealing state secrets.

Leaving aside the question of how both these things can be true, I thought I’d think about who, in Ireland, has been given access to the trove of personal data being held by telecommunication companies under the Communications (Retention of Data) Act 2011.

Section 6 of the Act empowers certain officers of An Garda Siochana, the Defence Forces and the Revenue Commissioners to gain access to the records which show everywhere you’ve been, who you met, who you called, when and how often you call (or text), what web pages you look at and so on.

Though I consider that section to be drafted very broadly, they are subject to oversight –however cursory– by a judge.

But a careful reader will notice that the Disclosure powers granted by S6 are not stated to be the only possible conditions for disclosure. Nor does S6 of the Act state that those designated officials are the only people who may access the Snooper’s Gold. (See below for UPDATE on this point)

All through the State’s history, it has been considered a good idea to put into legislation powers to compel the disclosure of any and all records that might help an official to do their business. Of course, what was mainly being imagined when those provisions were passed was a bundle of documents in a buff-coloured file, held together with a fraying treasury-tag.

Nonetheless, the powers remain on the books. Let’s do a search for the phrase “any records” in the Irish Statute Book.

Well, that’s quite a haul. Straight away, we can see that Section (64) (2) of the Nurses and Midwifes Act 2011 gives the members of a Fitness to Practice Committee the power to enforce “the attendance of witnesses and compelling the production of records”. There is no reason why such a summons should not be issued against a phone operator or ISP if the Fitness to Practice Committee thought it relevant.

Similarly, Section 45 (1) of the Nursing Home Support Scheme Act 2009 permits officials from the Health Service Executive to gain access or a copy of any relevant records for the purposes of helping them to evaluate an application.

Section 45 (11) helpfully defines a relevant record.

“relevant record” means any record which will or may assist the Executive to determine an application for State support or a request for refundable State support.

So, if for some reason a HSE official- of no particular rank- thinks it may be helpful in assessing your application for Nursing Home Support to know where you and your family members have been for the last two years off they may go to your phone company to find out.

The members of a Medical Council Fitness to Practice Committee of inquiry may, like the Nurses and Midwifes committee compel a witness to attend with any records, per Section 64 (1) (c).

Section 30 (1) of the Marine Shipping (Investigation of Marine Casulalties) Act 2000 empowers a person (described in Section 16(1) of the act as “such consultants, advisers and investigators (including investigators nominated by the Chief Surveyor from the Marine Survey Office of the Department of the Marine and Natural Resources) as it considers necessary for the performance of its functions”) investigating a marine casualty.

If they think there’s a record

“necessary for the purpose of an investigation the investigator may require a person to deliver to a place nominated by the investigator, and within such reasonable period as the investigator specifies, any record, to enable the investigator to inspect and copy it, and the person shall comply with the requirement”

And so on. I think the point is made.

The creation of the Data Retention honey pot has allowed a wide array of people – at all levels of state machinery- to potentially gain access to the most intimate details of our lives. Who we talk to, where we go, who we meet when we get there and so on. Are you applying for financial help under the Nursing Home Scheme? Then a HSE official can see if you have been at an Airport in the last two years. If so, well, were you going on holiday?

The debate about what is an appropriate level of access- maybe it is proper that a private citizen nominated to investigate a marine casualty should gain access to other citizen’s details- can only happen when we know what is going on.

I don’t know whether a HSE official ever has compelled the production of an individal’s personal data in considering an application under the Nursing Home Support scheme. But I do know that eventually one will if empowered to do so.

Personally, given what the Data Protection Commissioner has already revealed about the propensity of Dept of Social Welfare officials to engage in inappropriate access of the -far less revealing- trove of data held in the Department’s database I would prefer if, at the very least, the same level of judicial oversight which applied to the Gardaí and the Army applied to HSE officials.

UPDATE: It has been pointed out to me in comments that Section 5 of the Act does seek to limit the circumstances when service provider may access the data retention trove.

It reads:

5.— A service provider shall not access data retained in accordance with section 3 except—
(a) at the request and with the consent of a person to whom the data relate,
(b) for the purpose of complying with a disclosure request,
(c) in accordance with a court order, or
(d) as may be authorised by the Data Protection Commissioner.

However, this does not mean that none of the above powers will apply. The investigatory committees, for example, are explicitly granted the powers to issue order equivalent to court orders by their respective acts. And section (d) seems to leave the Data Protection Commissioner as the arbiter of what is a legitimate request under all other provisions.