Crates of documents filled with personal details were discovered next to a lift during an audit at the Department of Social and Family Affairs, it was revealed today.
An audit of the security of data at the department uncovered a number of weaknesses in systems and practices and noted seven alleged breaches of data security.
In its report the Office of the Data Protection Commissioner raised concerns about a number of issues surrounding laptop security, the use of generic passwords, and failings in the logging and auditing of employees use of some systems.
It said the storage of a large amount of sensitive personal data relating to illness were discovered in crates immediately adjacent to a lift area during the planned visit in January.
Auditors said this was a strong reminder of the need to ensure the risks of allowing unauthorised access to personal data are fully understood throughout the organisation.
The team found that while there was a strong awareness at senior management level of data protection principles, there was little desire to follow this through at an operational level due to the size and diversity of the department.
It said these challenges were evident from the issues uncovered during the course of the audit.
“Instances of practice viewed revealed some inconsistencies, contradictions, gaps in knowledge, security hazards and an apparent question as to the availability of resources to actively monitor the usage by specified bodies of the Personal Public Service Number,” it reported.
The main aim of the audit, carried out over two days in January, was to identify improvements that may be needed to ensure that the requirements of the Data Protection Acts are fully observed at all times.
It raised concerns over the large number of external agencies who have access to information held by the Department, the extent of information shared with these bodies, and revealed information being exchanged between some of these agencies was not secure.
It highlighted the moving of data between the Department and the Garda National Immigration Bureau, which was held on a CD with no encryption.
The Department of Social and Family Affairs said the 37-page report listed a series of recommendations which it has responded to in detail covering access management, security, data sharing and data protection policies.
“The Department takes its responsibilities to protect this information very seriously and has, for some time, been engaged in a broad programme of work to enhance the effectiveness of its information security controls,” said a spokeswoman.
“The Department acknowledges the concern that there have been a small number of breaches of data security in recent years. The Department can assure the public that it treats any unauthorised access to or disclosure of personal data to be an extremely serious offence.
“All civil servants are subject to the Official Secrets Act as well as Departmental data protection policies.
“All allegations of breaches are fully investigated and any staff member found to have breached the Department’s data protection policies and procedures is subject to the highest disciplinary sanction, up to and including dismissal.”
Fine Gael's spokeswoman on social affairs Olwyn Enright said the Department's response to the Data Protection Commissioner's findings was "totally inadequate" and would "reassure nobody".
“The Department controls more personal information about Irish citizens than any other body in the State but little reassurance has been provided in light of today’s disturbing report.
"The Minister and her Department failed to outline exactly what measures are being taken to address the failures, how far they are along in the process of securing sensitive personal data and what steps will be taken next.
“We cannot wait until there is a catastrophic breach of security to act and I will be calling on the Minister and her Department to address the Social and Family Affairs Committee - that sits through the summer - as soon as possible.”
Additional reporting: PA