Dr. Richard Browne:

We issue advice and guidance to Departments and Government agencies on an ongoing basis. We have had advice on mobile phone use and device use for many years. We reissued and revised some of that advice in March of this year to be more specific on certain aspects of app use. That is primarily aimed at a wide range of social media, gaming and leisure applications. Much of that advice is in the public domain. Essentially, it suggests that people should not have any applications of any kind on their device that they do not need for business. This is simply because every single application has some degree of risk. If one removes an application, one removes some of that risk, at least.

We were subsequently asked by the Taoiseach to do a risk assessment of a particular social media company. That company had been the subject of similar risk assessments across Europe. We spoke to a number of European colleagues about this process but nobody outside of Europe. We conducted our own risk assessment and issued a piece of guidance across Government at that point. The nature of the analysis was very straightforward and much of it is in the public domain. It is a challenge for us to keep an eye on every single device, application, software and hardware element that is on sale right now. We do not even seek to do so. However, when we are asked to conduct a particular risk assessment, we will produce a report. Is it possible that more will follow? The answer is "Yes". We keep all our advice under constant review. There are particular issues with some applications around permissions and around the way in which data are accessed and used that cause particular concerns. However, we have no immediate advice coming on any other application or any other area.

To summarise, this is a very complex area. Some of the risks will be very apparent to people. Some others will not be. An aspect of our role is to take information that is very varied in its origins. Some of it will be in the public domain and some of it will not. This means that we have to closely guard the analysis and the information we use to create that risk assessment because we will burn sources and capability. We are not keeping things secret for the hell of it. We are keeping things secret because to release that information would compromise our ability to do our job in four or eight weeks' time or six months' time.