Irish Data Protection Commission Case Studies. URL: http://www.bailii.org/ie/cases/IEDPC/2008/12.html. Cite as: [2008] IEDPC 12
Credit unions transmitting personal data via unsecured e-mails [2008] IEDPC 12 (31 December 2008)
I received complaints from two individuals concerning e-mails they had received from two credit unions confirming details about online access to their accounts.
My Office contacted both credit unions for their views on the matter. It transpired that both credit unions were using the same third party vendor to supply their online account facilities.
When a customer registered to use the online facility, they received a confirmation e-mail that contained details about their account, including username, account number and password. A separate letter was sent to their home giving them a PIN number which would allow them to get online access to their credit union account.
Section 2 (1) (d) of the Acts requires that adequate security measures shall be taken against unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network. My Office entered into discussions with the third party vendor to address this issue.
The vendor's initial concern was that when people registered, they would not remember their account details when they went to log on to the system at a future date and for this reason they were e-mailing the account details to the customers. As a solution, my Office proposed that when a customer was registering they should be encouraged to print off or otherwise record the details. This would eliminate the need to have confidential information transmitted to them via an unsecured e-mail.
The third party vendor agreed to change its systems to reflect this and to inform all of its clients that it was changing its systems for security reasons.
My Office was also concerned that one of the credit unions was using a free web-based e-mail service as a method of communicating with its customers. My Office took the view that this mode of communication was not adequately secure because the data controller could not adequately control access to the contents of such an e-mail account. The data controller had no record of access to the e-mails, even within their own organisation. My Office instructed the credit union concerned to stop using the free web-based e-mail account as a method of contacting customers. The credit union responded promptly and it changed its e-mail to a more secure system.
This case highlights the need for all data controllers to be aware of the need for appropriate security when processing personal data. If there is a weakness in security, the matter needs to be addressed and a more secure method of providing the service must be established. Although I understand that the purpose of credit unions is to provide services to the community in a cost-effective manner, this does not in any way exempt them from ensuring that appropriate steps are taken to protect customer data.