Enda Kenny (Mayo, Fine Gael)

I listened carefully to the Taoiseach's reply and we need more than firewalls around here. In any event, in 2008 the personal data of 580,000 people was lost and the reporting of all of that was less than adequate. To date, in 2009, Bord Gáis has lost the personal information of 75,000 customers and the HSE had 15 laptops stolen, two of which were not encrypted. The Taoiseach is aware that in April 2007 the personal information of 380,000 social welfare recipients went missing. It took 16 months, until August 2008, before the Minister for Social and Family Affairs was made aware of the extent of the losses. Furthermore, the data was only password protected and did not have any encryption in place.

The Taoiseach will also be aware that 16 laptops have been stolen from the Comptroller and Auditor General's Office since 1999. Laptops were stolen from the Bank of Ireland, computer disks were lost in New York by the Blood Transfusion Service Board, 15 HSE laptops were stolen in Roscommon and, as I said, Bord Gáis lost information on 75,000 customers.

As I understand it, there is no specific legal obligation on a body that loses personal information to notify the Office of the Data Protection Commissioner. That irritation was perfectly evident recently when that office only heard about the missing HSE laptops on the radio. There have been many high profile thefts, whether such data was being targeted deliberately or stolen by accident. Can the Taoiseach confirm that all the electronic data being held in his Department is encrypted and therefore of no use to people who have access to computers or hand-held technology? Can he say why the Data Protection Commissioner was not informed of the theft of the HSE laptops?

If Fine Gael were to introduce its Data Protection (Disclosure) (Amendment) Bill 2008, would the Taoiseach support it? That would create a legal obligation on organisations to disclose within a certain period any breaches of data security. Such an obligation would create very strong incentives for all organisations to ensure their data protection procedures were adequate in order to avoid any negative publicity that might ensue from having to disclose a breach of customers' sensitive and personal data. If we introduce that Bill will the Taoiseach support it, and will he say why the Data Protection Commissioner was not informed about the missing HSE laptops? Is he happy that all computer information, where personal data is stored with his Department, is at a minimum encrypted?

See this speech in context