Over on the Irish Computer Society’s data protection blog yesterday, Daragh O’Brien wrote about the news that the Department of Social Protection is monitoring Facebook when investigating suspected welfare fraud.

Daragh discusses the data protection principle of fair obtaining in this context. He notes section 8(b) of the Data Protection Acts 1988 and 2003, which suspend the restrictions in the Acts for the purposes of the investigation or prosecution of offences and in the case of collecting or assessing monies due to the State. However, the section 8(b) exemption only applies where processing of personal data (which would include getting it from Facebook) is required for the purposes of investigation, etc. The provision is, as yet, untested, but the wording certainly suggests that it is not open to the Department to process personal data obtained from Facebook merely as an aid to investigation.

This morning, the Irish Independent followed up on the story with surprising statements from Facebook itself, primarily that:

“Facebook protects people’s right to privacy but in the same way officials investigating a case can access post office details or phone records, accessing Facebook profiles would be the same kind of thing,” a spokesman said.

It comes as a surprise to me* that the Department could access post office details (and: what are those details?) and phone records without a court order or the consent of the data subject, but Facebook apparently believes this is the done thing. It’s an important point because Facebook’s privacy policy purports to allow the company to hand over your information.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards.

It is not known from the news reports whether Facebook has facilitated the Department of Social Protection or handed over information or access to profiles to the Department. If not, it is difficult to see how the Department has accessed any meaningful information from the site, unless it has taken advantage of data which has inadvertently been made public or, alternatively, if the Department has obtained the data by deception.

From the comments made by Facebook to the Irish media, it appears that Facebook has an off-hand attitude to the specifics of Irish law on this point and its privacy policy suggests that the company will err on the side of caution in assisting a State agency. It won’t surprise many that Facebook might not rush to defend your privacy.

The incident is certainly worthy of investigation by the Data Protection Commissioner.

* I’m not an expert on the Social Welfare Acts and they are labyrinthine, but anyone with more knowledge on the powers of the Department in this area might comment below. I understand certain information can be shared by some State agencies for the purposes of making a decision on whether to provide social welfare or grants, but I don’t believe that extends to investigations by the Department.

• Data Protection