Client Confidentiality and Why records Management Matters

It was reported in the Irish Times on the 1^st of May 2008 that a quantity of confidential patient records were found in a landfill during recent rail works in County Cork. The files date from the early 1980’s and contain sensitive personal and medical data on patients treated at Cork Regional Hospital (now Cork University Hospital) and St. Finbarr’s Hospital. Investigations are underway to discover why these files were not confidentially destroyed.

This scandal, following closely on the heels of data loss on the parts of Bank of Ireland and the Blood Transfusion Board, is a pointed reminder that few organisations in Ireland have given due care and consideration to their records. It is particularly worrying in the case of sensitive or confidential data about living persons. Ideally, all organisations should have a records management system in place to avoid similar mishaps.

It does not take an investigation to establish that with a proper records management system in place that allows for the secure destruction of records, the kind of mishaps described above would never happen.

Data Protection and Missing Databases

Media attention has recently centred on an enormous mistake on the part of the UK’s Revenue and Customs, who lost some computer disks containing the national child benefit database. This database stores personal information, such as bank account details, for millions of people in Britain. The disks have not yet been located and it is possible that they could fall into the hands of criminals.

Closer to home, according to the Irish Times, both Quinn Direct and AIB have breached Data Protection of late. The insurer apparently sent letters, containing personal information, to the wrong customers. The bank, on the other hand, sent notifications, other customers’ bank details, to 11,000 customers.

Large institutions and particularly government departments should not be making these kinds of mistakes. It is alarming that so little regard is paid to data protection. All staff who deal with people’s personal information should be trained in the Data Protection Act and how to keep their clients’ data safe and secure.

SOA Conference - Report

The Society of Archivists Annual Conference 2007 was held in Queen’s University Belfast from the 28^th to the 31^st of August. The conference marked the 60^th anniversary of the Society of Archivists (SoA) and examined the theme of ‘Differing Directions: Challenging Communities’. Three strands of talks occurred – archives and community, records management and preservation. Additionally, there was an ‘Information Marketplace’ on the Wednesday. Naturally, a host of social events and dinners for the delegates also took place in and around Belfast over the course of the conference, including a Gala Dinner at the Europa Hotel.

Many of the speakers represented Irish archives services and a good proportion of the delegates had journeyed to Belfast from the Dublin and further south. For those of a sociable nature, there were many opportunities for archives and records management professionals from all over Britain and Ireland to mingle and network, as the days were broken into sessions with plenty of tea breaks and a substantial lunch to boost flagging spirits.

Of course, socialising was not the extent of the Conference; many seminars and talks were delivered. Much of the records management strand on Wednesday concerned the legal admissibility and accountability of records, while Electronic Document and Records Management Systems (EDRMS) dominated on Thursday. Each day the archives sessions were devoted to the idea of archives in the community – this varied from how the media presents archives to the general public to how disenfranchised users, such as teenagers, can be encouraged into archives. Among the various conservation projects discussed in the preservation seminars were the Dead Sea Scrolls and Islamic manuscripts in the Chester Beatty and the Victoria and Albert Museums.

Society of Archivists Annual Conference

Good news for Irish archivists and records managers, this year’s Society of Archivists conference is to be held in Queen’s University, Belfast from the 28^th to the 31rst of August. This provides a unique opportunity for anyone in Ireland involved in the profession to attend professional seminars and to meet their colleagues.

Highlights of the programme for records managers are talks on:

· EDRMS

· Legal admissibility (a mock court session is to be held)

· Long term access

Of course, many archival and conservation-related topics will also be addressed.

Once the formal sessions are over, delegates can mingle at dinners and excursions – optional visits include PRONI and a bus tour of Belfast Murals.

For more information on this event, please e-mail White Rose events at: societyofarchivists@whiteroseconferences.co.uk

The Data Protection Act extends its reach

On the 30^th of July, the Irish Times reported that a restaurant had been warned, by the Data Commissioner, against sending unsolicited marketing text messages. Until now, people may have assumed that the Commissioner only investigated direct marketing companies. On the contrary, he is entitled to enquire into any reported abuses of the Data Protection Act, committed by any type of organisation. A breach of the Act can be penalised by fines of up to €3,000 per message sent. A sum which could mount up quickly!

In this particular case, the restaurant had allegedly taken customers’ mobile phone numbers from the reservation book and used them to send out marketing texts relating to special offers. The clients had apparently not been aware that their phone numbers would be used for promotional purposes.[1]

According to the Data Protection Commission’s website, regarding direct marketing,

The Regulations say that where electronic contact details are obtained from a customer in the context of the sale of a product or service then e-mail and SMS marketing may take place, if an easy to use, free of charge opportunity is given to object to these marketing messages.

In order to be regarded as a customer, the sender must have sold a product or service to that individual or the individual must, as a minimum have given their contact details directly to the sender in connection with the sale of a product or service. The sale of a product or service would not include a competition to win a free unit(s) of that product or service.

If the individual is not a customer then prior consent is required. This consent must be opt-in consent i.e. where there is a statement on a form or on a website it must say that if you wish to receive marketing material etc…. then tick the box. The message should also set out the forms in which the marketing message may be sent i.e. telephone, fax, e-mail or SMS text.[2]

In this instance, the restaurant contravened the second data protection rule - Fair Obtaining and Processing:

"the data or, as the case may be, the information constituting the data shall have been obtained, and the data shall be processed, fairly"
- section 2(1)(a) of the Acts[3]

If an organisation wants to retain personal information (e.g. telephone numbers), it must be collected and used fairly. The individual whose data it is must be made aware at the time of providing the information who is taking their data, what it will be used for and to whom it will be disclosed. Any secondary uses to which the data may be put (e.g. marketing) should be brought to their attention at this time and their consent must be sought.

---

[1] www.ireland.com

[2] www.dataprotection.ie

[3] Ibid

The Mc Entee Report and its Implications for Irish Records Management

Following the Barron report, a Commission of Investigation under Patrick Mc Entee SC was set up in 2005 to look into the Garda Síochana investigations of the 1974 Dublin and Monaghan Bombings. Its report, published in April 2007, found no evidence of Garda collusion based on the documents available to it. However, an unquantifiable amount of records were missing (presumed either lost or destroyed), particularly from the Garda archives.

The report looked at the area of documentation with regard to the National Archives, the Garda Síochana, the Defence Forces, the Department of Justice and other government departments. The report findings can be summarised as follows:

· The National Archives: has insufficient staff and resources to discharge its statutory function. In practice, it does not receive the records envisaged by the 1986 National Archives Act from the Garda Síochana.
· The Garda Síochana: has not maintained the integrity of its files over the years since 1974. It is not possible to account for exactly what documents are missing owing to: 1) inadequate records management systems, 2) misfiling or human error and 3) unauthorised and/or accidental destruction and/or removal of documents. The Gardaí did not even know that they were missing documentation. There exists in the Gardaí the practice of not listing or recording individual documents within a given file, which is inappropriate in an organisation which handles security and intelligence material.
· The Defence Forces: have an adequate system in place to prevent documentation from disappearing. Every file they submitted to the Commission was intact and there is no evidence of any being missing.
· The Department of Justice: is missing three registered files opened in 1973 by its Security Division and it cannot be established whether or not these are relevant to the investigation. The content of the Department’s files were not indexed, so it cannot be established that they are intact. Documents containing confidential information received by them from the Gardaí were not registered and some may be missing.
· Other Government Departments: did not record the individual documents within a file, which means that documents could go missing, unnoticed.

The Commission praised the Defence Forces highly for their record-keeping, a view Eneclann can concur with having worked extensively in recent years with the Defense Forces on their Archives.

The overall message of the report (with regard to archives) is that better record-keeping systems are vital in several government departments, particularly for records of a sensitive nature. A thorough records management programme could have preserved and protected the missing documents. In this way, the various government departments would have been able to produce vital evidence and perhaps would have helped to clear up the mystery of what really happened in 1974. It is up to us to look after our current records, which will be the archives of the future.