‘Highly-inappropriate’ details put on records of Malahide Library users

by Sylvia Pownall

SEXUALLY explicit personal details were added to the library records of 20 people living in north Dublin, according to a report from the Data Protection Commissioner.

An audit of a new system at Malahide Library found the records were altered to add information of a “highly-inappropriate, sexually explicit nature”.

The DPC’s annual report, published on Tuesday, says it singled out the new library management system Sierra for further examination and the library at Malahide was randomly selected for audit.

A total of 91 assessments were carried out, including audits at Irish Prison Service prisoner management centres, BT Ireland, Virgin Media, Three and child and family agency Tusla.

The DPC outlined concerns regarding consent and inappropriate access to records as the new Sierra system was being rolled out across libraries nationwide.

It informed officials at the library that access controls and trigger mechanisms would need to be included in the final version of the system.

Shortly before the Malahide audit last August, Fingal County Council contacted the DPC advising that a library staff member based at another local authority inadvertently came across the record of a borrower in Fingal which contained inappropriate data entries.

The council then established that the records of 20 Fingal library borrowers had been similarly edited, and these records had been imported from the previous Galaxy system onto Sierra.

The report does not outline the nature of the content, and the DPC found that there was no way of establishing who had edited the records.

Staff in each library, who were using generic logins to access the systems, were instructed to implement audit trails “as a matter of priority” and to create individual login usernames and passwords.

The DPC also said library staff should be automatically prompted to change their passwords on a regular basis and warned that such changes to records would constitute a data breach from May under a new EU regulation.
