Máire Hoctor (Tipperary North, Fianna Fail)

I welcome the opportunity on behalf of the Minister for Health and Children, Deputy Harney, to address the issue raised by the Deputy and to set out the current position on the theft of a laptop in New York containing Irish blood donor records. The Irish Blood Transfusion Service, IBTS, entered into an agreement with the New York Blood Centre, NYBC, for the provision of a data query tool on 23 October 2007. The tender was carried out in compliance with EU procurement rules. The NYBC was the successful tenderer. The IBTS entered into a five-year licence, services and support agreement with the NYBC. The purpose of the data warehousing and reporting tool being developed in conjunction with NYBC is to improve the existing IBTS blood banking computer system, Progesa, in order to provide a better service to its donors and clients. Under the terms of that agreement, the IBTS exported data on CD from its Progesa system. The data was encrypted using a 256 bit key encryption, prior to export on a CD.

On 7 February, an NYBC employee was carrying a laptop to enable him to continue to work on the data outside office hours. The employee was mugged and the laptop stolen.

The IBTS is very conscious of its obligations under the data protection Acts to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of data. In this instance, the IBTS is confident that it has complied with these obligations by virtue of the robust security measures taken by the IBTS and NYBC. They both consider that the risk of any person being in a position to bypass password controls and decrypt the data is extremely remote.

The IBTS informed the Data Protection Commissioner on the next working day after the theft, 11 February 2008, of the details of the case and the commissioner has been in regular contact with the IBTS, which has co-operated fully with the investigation. The commissioner has noted publicly that the IBTS had a legitimate reason to send the data out of the country, that it had taken its responsibilities to donors and clients seriously and that the information had been securely encrypted.

The Data Protection Acts specifically exclude disclosure to employees or agents. It was agreed between the parties that the NYBC would act as an agent of the IBTS for the purposes of the agreement. Therefore, as an agent of the IBTS, the disclosure of personal data to the NYBC does not constitute disclosure within the meaning of the Acts. At no time were these records ever unencrypted and the IBTS will continue to take every measure to protect the personal records of donors.

The IBTS has contacted all 171,324 donors affected directly to assure them that the data was protected by state of the art encryption. It has provided an information line to donors who were concerned about the data loss and since this matter became public, the IBTS has dealt with over 3,000 calls as well as many letters and e-mails from concerned donors. These donors were from all over the country.

The Minister is satisfied that in this case the IBTS acted appropriately and has taken, as confirmed by the Data Protection Commission, all reasonable steps to safeguard the confidentiality of its donors.

See this speech in context