Jim O'Keeffe (Cork South West, Fine Gael)
Link to this: Individually | In context

Question 81: To ask the Minister for Social and Family Affairs the guidelines or procedures in place within her Department to safeguard sensitive personal information of the public when lost or stolen; and if she will make a statement on the matter. [18706/08]

Mary Hanafin (Dún Laoghaire, Fianna Fail)
Link to this: Individually | In context

The Department of Social and Family Affairs administers around 50 schemes and makes payments to 1 million people each week. Due to the nature, scale and diversity of its work, the Department is heavily reliant on ICT and holds detailed information about its customers. The Department takes its responsibilities to safeguard this data extremely seriously.

All electronic data is stored in the Department's primary computer site. The site itself has rigorous control procedures and site perimeter protection. There are arrangements in place for inter-site back-up of data. Security arrangements, including encryption, are in place to cover the necessary transfer of data to other agencies for service delivery purposes. Our systems are subject to standard physical security measures. Industry standard security protocols, such as password protection and security software, are deployed to protect all devices supplied by the Department and to preserve the confidentiality of data.

Given their small size and portable nature, it is more likely that portable devices may fall into the wrong hands than a desktop system. It is the Department's policy not to hold sensitive personal data on laptops. Should we decide that we need such data on these devices, it will be encrypted. Procedures for the management and maintenance of portable devices are currently under review by the Department and revised operational guidelines are at an advanced stage of development.

Every effort is made by the Department to ensure that personal customer data is used solely for business purposes and that it is not compromised in any way. Over the last number of years, the Department has continuously strengthened security and data protection protocols. Policies and procedures governing the use of systems and data have been developed and communicated to staff. These policies and procedures are under constant review and are updated as appropriate. Staff are regularly reminded of their obligations under data protection and security policies and of the penalties applicable in respect of any breach of these policies.

In addition to the policy measures, the Department is also ensuring that higher levels of data protection are built into its latest generation of ICT systems to reflect the increased threats in this area. Considerable resources have also been devoted to increasing the security and monitoring facilities in its older systems.

Additional information not given on the floor of the House.

A high-level group has been established within the Department to review access management and control. The primary focus of the group is to direct the development of the Department's policy on access to data, ensure that existing measures are co-ordinated across systems and to initiate further work programmes to address emerging issues. In order to preserve public confidence in the operations of the Department, there has been considerable focus on the issue of data confidentiality. The Department recognises that security measures must continually evolve and it will continue to reflect this in its systems and procedures.

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

It was the issue regarding the banks that prompted me to put down this question. In recent years, eight items have been taken from officials of the Department of Social and Family Affairs. Five of those items were laptops taken from civil servants, three of which were taken in the home, one from a car and one from public transport. Were any of these items recovered? Did these events trigger any response within the Department at the time? What kind of information was on these laptops? The Minister stated it is not policy to hold sensitive information on laptops, so can she confirm there was no such information on these stolen laptops?

Is the Minister satisfied that the most up-to-date encryption data is used? We in this House were told there would be examination taking place of the encryption on the equipment we use. I am concerned that the same facilities may be operating in the Department of Social and Family Affairs as operate here and I would not like to think that is the case.

Mary Hanafin (Dún Laoghaire, Fianna Fail)
Link to this: Individually | In context

The five laptops and three mobile phones relate to the six years since 2002.

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

The data is out there.

Mary Hanafin (Dún Laoghaire, Fianna Fail)
Link to this: Individually | In context

None of them was recovered but none contained sensitive information so people need have no worries in that respect.

Encryption is an important aspect where information is being passed from one agency to another. Of all Departments, my Department is conscious that it holds personal information such as identity, PRSI contributions and claim activity. Some 6.8 million datasets are held by the Department of Social and Family Affairs for current and past recipients. Staff who wish to access information need a password, a personal account on a very secure network and authorisation from senior management. For inhouse and external information transfer, the best security measures in information technology are constantly reviewed. A senior unit in the Department monitors this.

Tommy Broughan (Dublin North East, Labour)
Link to this: Individually | In context

Is the Minister saying the disaster in the UK, when 25 million sets of information were transferred between the inland revenue and the work and pension sector, could not happen here? The Minister referred to the data protection section. Have the Minister and her predecessor thoroughly reviewed the procedures in that section in light of the number of cases of improper accessing of data?

Two years ago, it was alleged that 72 officials accessed the data of the winner of a large prize in the Euromillions. Every few months we get a disturbing instance of this. In October 2007 someone was prosecuted for accessing the records of 40 individuals. A recent report includes a serious allegation that an official improperly accessed information and passed it on to people engaged in criminality. Has the data protection unit been reviewed and have its procedures been assessed in light of these disturbing reports on personal information?

Mary Hanafin (Dún Laoghaire, Fianna Fail)
Link to this: Individually | In context

Any breach of confidentiality is inexcusable and is not tolerated in the Department. Disciplinary action, up to dismissal, has always been taken in cases over the past few years. Given the number of staff and the amount of information held, the number of incidents is small and few staff have been involved. That is not to excuse it because people need the comfort of knowing their information is secure. The Department is examining the most up to date ways in Ireland and internationally of protecting information. There is a multi-year programme to implement a new information security architecture for the whole system. In so far as people can have confidence that their information is private, the Department goes to the nth degree to ensure confidentiality is maintained and the information is protected, whether the information is kept inhouse or transferred elsewhere.

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

Does the Minister have a figure for the number of laptops issued to staff in her Department? Bearing in mind that sensitive information is not stored on them, what type of work are laptops used for? Is there a grade of civil servant issued with a laptop or do community welfare officers have them?

Mary Hanafin (Dún Laoghaire, Fianna Fail)
Link to this: Individually | In context

I do not know how many are issued but I am quite sure it is more than the five that were stolen over a six year period. I will check if the information is available.