An internal audit warned gardaí were at high risk of data breaches involving sensitive information as well as complaints, fines, and sanctions because of a lack of trained staff and resources.
The audit said the data protection officer for the force had warned he did not have adequate resources to do his job and that no comprehensive training had been provided to employees of the wider organisation.
The review identified four areas of high risk for An Garda Síochána in how they handle sensitive personal information like criminal records, CCTV footage, and witness evidence. It said the absence of up-to-date polices, procedures, and guidance on processing personal data increased the chances of serious data breaches.
A response from garda management said: “Colleagues in [Garda Internal Audit Service] rightly identify the risks the current policy gaps present to the organisation in respect of breaches, complaints, fines and sanctions.”
It said extra resources were needed to bolster their data protection unit especially around requests for multimedia – like CCTV – which were “complex and resource intensive” to deal with.
The audit explained how priority was being given to manage requests, personal data breaches, and dealing with the Data Protection Commission. However, other work around training and development of a data protection code had not been progressed as easily due to workload issues.
The audit said: “Within its current resources and capacity, [the Data Protection Unit] has continued to provide bespoke advice, guidance and training on data protection issues … but by necessity on a mostly reactive basis.” It said the need for extra resources was “particularly acute” especially because of new data-sharing agreements between An Garda and other public bodies.
The audit also detailed how gardaí had no internal portal page to provide detailed data protection information to the force. This created a risk of “lack of employee awareness” of how they were supposed to manage the sensitive personal information they deal with daily.
The audit said: “This may result in data breaches, data breaches not being reported, complaints and fines and other sanctions to the organisation.”
The inquiry also found there were just 18 people in the garda’s data protection unit for an organisation with more than 17,000 staff.
“Non-compliance with data protection legislation due to lack of human resources will increase the risk of complaints and possible sanctions due to best practice not being followed,” said the report.
It also highlighted the potential for “inadequate service delivery due to lack of resources and high turnover of trained staff”. The audit said staff were being lost due to secondments, and opportunities available for career development or jobs offering a better work/life balance.
The report said: “A further internal factor is the lack of available progression routes for staff to be retained within the [data protection unit] on promotion, or capacity within the unit to cycle staff between processing of requests and more varied development opportunities.”
Internal auditors also explained how no comprehensive training had been provided for many gardaí and staff on their data protection responsibilities.
Difficulties were also being encountered in dealing with requests especially where they were complex and involving CCTV footage. In those cases, videos must often be redacted to ensure no other people can be identified, which is heavily time-consuming.
Asked about the audit, a spokesman said that An Garda Síochána took its data protection obligations seriously and continues to ensure all processing of personal information is done in line with legislative requirements.
He added: “A business case has been sanctioned by the Policing Authority for the recruitment and training of new personnel for the Data Protection Unit.
“An Garda Síochána through collaboration between the Data Protection Unit and the Garda College continue to provide training resources and guidance to Garda personnel.”