Dáil debates

Tuesday, 21 October 2008

2:30 pm

Mary Hanafin (Dún Laoghaire, Fianna Fáil)

The Department was notified in April 2007 that a laptop computer belonging to the Comptroller and Auditor General had been taken from the offices of the Department of Social and Family Affairs. The theft was immediately reported to the Garda. Some 16 months later, in early August 2008, the Department was informed that the laptop computer contained personal data relating to social welfare customers. The Department moved swiftly to respond to the incident and has taken all reasonable steps to minimise the concerns of the customers whose records were contained on it. Letters issued to customers informing them of the incident. A helpline was set up to answer inquiries arising from this matter. An e-mail address and a post office box number were provided for written inquiries.

The Department was also in contact with the Garda and payment institutions to alert them to the incident. While the Department notified the appropriate banks about the incident, individuals whose bank details were included on the laptop computer were advised, as an added assurance, to check their bank statements to establish if there had been any unusual activity.

The Department worked closely with the Data Protection Commissioner regarding his response to this incident. The commissioner welcomed the manner in which the Department addressed the issue by writing to those directly affected and establishing a dedicated helpdesk to provide further information and assistance as required. He stated publicly that he considered that this approach represented "best practice and a truly first rate response in the circumstances".

Up to the time that the helpdesk ceased operating on 3 October, 16,500 calls had been made to the special helpline number, 161 e-mails had been received and responded to and 750 letters have been received and are being dealt with.

The information contained on the laptop computer alone would not be sufficient to access public services. Public bodies, employers and others who are authorised to use the PPS number are required to exercise diligence in properly identifying those whom they employ or with whom they transact business. Additional evidence of identity such as photographic ID, signature, mother's birth surname, PIN, password etc. is required to fulfil this purpose.

From contacts to date with the Garda and various other Government and payment institutions, there has been no indication of any systematic misuse of the information contained on the laptop computer during the 18 months since the theft occurred.

Additional information not given on the floor of the House.

The Department has been engaged in a programme of continual development and deployment of measures to enhance data security. Since this incident came to light, the Department has further reviewed and enhanced its protocols for the transfer of data to third parties, including the Office of the Comptroller and Auditor General. All bulk data are now transferred in an encrypted format in accordance with the Department's external party electronic data transfer policy.
