Dáil debates

Thursday, 19 July 2012

4:00 pm

Brian Hayes (Dublin South West, Fine Gael)

I have been informed by the Minister for Finance that he has not received any complaints about the leaking of personal banking information by nationalised banks to the media. Without knowledge of the specific issue to which the Deputy referred I can only comment on this issue in the most general of terms. Primary responsibility for the safeguarding of customer information rests with the financial institutions themselves. As a shareholder the Government has no role in investigating data breaches in the State-owned financial institutions, although it obviously has an interest in ensuring that the State-owned banks follow best practice in order to protect their customers and the reputation of the institutions.

The Data Protection Commissioner is responsible for ensuring that people's rights are respected and those who hold personal information meet their responsibilities in this regard. The Data Protection Acts make it clear that organisations that hold personal data on individuals owe them a duty of care. This protection also extends to State-owned institutions. In regard to data protection breaches, I understand that the policies in place between the banks and the Data Protection Commissioner are such that breaches are notified immediately to the commissioner upon discovery. These breaches are then investigated internally and appropriate remedial actions are taken. Outside of this process, any individual is entitled under the Data Protection Acts to make a written complaint to the Data Protection Commissioner, who will then deal directly with the relevant organisation. The commissioner will make a full and thorough investigation of all the facts before making a decision. If the complaint is found to be in breach of the electronic communications regulation the commissioner may decide to prosecute the organisation concerned. The commissioner has significant powers to ensure that all organisations act in accordance with data protection laws.

The data protection rules are very specific and are binding on every data controller. A failure to observe these rules is a breach of the Act. It is the responsibility of all institutions to ensure their data on individuals is safe and secure. If any individual suffers damage to his or her reputation, financial loss or mental distress, the data controller of an organisation may be subject to civil sanctions and the individual may be entitled to claim compensation through the courts. I strongly urge any individual who may suffer as a result of the leaking of personal banking information to explore these avenues of resolution.

The protection of customers' data is taken seriously by all of the State-owned financial institutions. Each bank is fully aware of its obligations to safeguard the security of customer data and they employ a wide range of measures to protect the confidentiality and integrity of that information. All banks have strict security protocols for information technology and physical access in order to protect information. They employ dedicated information security personnel, who commonly report to an information technology security council. They also have an information security policy. Bank network repositories and systems have robust password protection and access control, which restricts access to relevant personnel only.

All bank premises are protected by swipe card access control systems and certain areas allow access to designated personnel only. Banks generally also employ what is termed a clean desk policy, requiring all personnel to keep their desks clear of any sensitive or confidential data that should be stored securely. Banks also have mandatory annual training courses for all personnel on the requirements of the Data Protection Acts and their responsibilities under them. The courses also cover ethics and include the banks' code of conduct. I understand all personnel are required to review and electronically accept key policies, such as the code of conduct and information security policy. These policies also inform personnel of the potential consequences of policy breaches. As a shareholder, the Government will continue to work with the institutions to ensure that they take all necessary actions to safeguard the personal banking information of their customers.
