ESB changes procedures after data leaked to private investigator

Data Protection Commissioner to broaden inquiries to include sectors other than credit unions

The ESB has said it has implemented changes to its processes after it emerged that one of its employees had passed a huge amount of personal data belonging to customers to a private investigator.

Michael Gaynor (62), trading as MJG Investigations, Beatty Grove, Celbridge, Co Kildare, was this week convicted on two charges of illegally accessing personal information held by An Garda Síochána and of disclosing it without authority to credit unions.

Some 72 criminal charges in total against Gaynor related to alleged breaches of data protection legislation, including illegally accessing and disclosing personal information on individuals held by An Garda Síochána and the ESB.

Tracing agents



Data Protection Commissioner

Tony Delaney

told the court extensive information on ESB customers had turned up in reports which Gaynor had given to credit unions as a so-called tracing agent to help track down unpaid debts.

This included people’s ESB account details, names, dates of birth, PPS numbers, information on whether the ESB account holder had tenants, details of who paid the last ESB bill and where and whether it was paid by cash or direct debit. Some reports also included bank account information.

Mr Delaney said the commissioner’s office would in future expect credit unions to carry out due diligence in relation to tracing agents, and he had set down stringent rules for how they would operate.

Mr Delaney said he was also “very disappointed” at how information was getting out from the ESB customer database. “The private investigator [was] almost a staff member because he had a staff member’s access. The staff member was looking up the material for him and calling it out over the phone.”

The ESB would be subject to a data protection audit shortly, he said.

In a statement, the ESB said it took data protection issues “very seriously and strives to protect customers’ data at all times. Once ESB became aware of this issue, it fully co-operated with the ODPC [Office of the Data Protection Commissioner] in investigating this matter and in bringing this case forward.”

“ESB also immediately instigated its own internal investigation into the matter and as a result has implemented a number of changes to its processes and procedures, designed to avoid this type of incident occurring in the future.”

The company said it was “satisfied that appropriate actions have been taken to address the serious issues which have arisen in this case”.