Mr. Seamus McCarthy:

On that specific example, there is a stringent requirement on a public body or any other body that loses personal data to report it very promptly to the Data Protection Commissioner. It would be a serious breach or matter of non-compliance if it had not been done. If we found there had been a serious data breach that was not reported, we would expect, once we pointed it out, for the body to go immediately to the Data Protection Commissioner and report it because that is the fastest way. It would take time for us to complete the process. Generally, we would not have to report it in those kinds of circumstances.

There is an obligation on us as auditors, if we suspect fraud in a body, to report any such circumstances to An Garda Síochána. We would do that, but we normally would not talk about a specific instance publicly. I would not refer to that as there may be a danger of tipping off. There are circumstances where we will report things, but normally the onus is on the body, if we point out to it that there might be a matter it needs to clarify with the Revenue Commissioners, for example. That is usually what happens