Gaelic Athletic Association in data breach investigation

The ICO has released a statement regarding its position on a data breach involving members of the Gaelic Athletic Association (GAA).

On Friday December 10th, the GAA released a statement on its website, explaining that there had been unauthorised access to the GAA membership database. The database contains the names and addresses of 501,786 members, and medical condition information for 544 members. These members have been contacted directly by letter explaining exactly what is recorded about them. In addition, 167,157 of the members on the database are under 18 years of age. It is GAA policy that mobile phone or email details of persons under 18 years of age should not be stored on any database.

On 19th November, the GAA was informed that disks containing the database had been received by the Office of the Data Protection Commissioner. Servasport Ltd., a Belfast-based company that develops and maintains the GAA membership database, has issued an unreserved apology to the GAA and its members. Because of the investigation by the Police Service of Northern Ireland, and in order to facilitate it, the GAA was unable to inform members until now.

As a result, the ICO has released a statement saying that “The Information Commissioner’s Office is working closely with the Police Service of Northern Ireland and the Data Protection Commission in the Republic of Ireland to establish the details of a data breach involving the personal data of members of the Gaelic Athletic Association (GAA).”

To read the statement in full, go to http://www.ico.gov.uk/~/media/documents/pressreleases/2010/gaa_statement_10122010.ashx now. For more information from the GAA, including helpline numbers if you think you may be affected by the breach, please go to http://www.gaa.ie/gaa-news-and-videos/daily-news/1/1012101236-important-notice-on-gaa-membership-database/1/.

Comment
Mistakes can happen, and an organisation’s current system may be found to have loopholes, introducing an element of risk into the data management system. However, it is vitally important that procedures relating to the management of data are documented, adhered to and regularly reviewed, so that such procedural flaws do not happen at all and, above all else, so that the organisation does not get fined by the ICO for anything up to £500,000.
By having a documented procedural system for data management, the chances of getting it right first time will be increased. By reviewing such systems, organisations will continually improve their data management. This is something that Absolute Data does and can help you with. Absolute Data also works with many organisations to reduce or eliminate the risk to the personal information that they hold about individuals. The “softer side” of privacy risk management, such as staff training and having documented procedures, is often overlooked and under-funded in organisations, and is an area where we can have a big impact for a modest investment. For further information, please contact us now at info@absolute-data.co.uk.