Jack Wall (Kildare South, Labour)
Link to this: Individually | In context

Question 64: To ask the Minister for Social and Family Affairs the action he is taking to ensure his Department is fully compliant with the Data Protection Act 1988; and the steps, in view of recent newspaper reports, that have been taken to ensure data stored by his Department is properly secured and unavailable to third parties. [26278/07]

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

My Department, owing to the nature of its work, holds extensive and detailed personal information about customers. Most employees of the Department need and have access to this information to deliver the Department's services. The Department is aware of its obligations to its customers under the Data Protection Acts 1988 and 2003 to ensure information is collected appropriately, maintained securely and used only for the purpose for which it was intended. The Department takes these obligations very seriously and takes the strongest line on the misuse of customer information by any of its staff. Any breach of trust with regard to the confidentiality of information is treated as serious misconduct under the disciplinary code and comes under immediate consideration for dismissal.

Since the incidents referred to in the media, the Department has strengthened security and data protection protocols. The security of systems and processes is regularly reviewed and there is password protection on all accounts. A dedicated unit has been established to oversee business information protection across the Department and has developed and communicated policies and procedures covering the use of systems and data. This unit also investigates alleged breaches that arise.

Staff are regularly reminded of their obligations under data protection and security policies and the penalties applied to such misuse. In addition, the ongoing development of computer systems continues to incorporate further security and logging facilities. The protection of personal data is a matter for the Department. The Secretary General, as part of the risk management process, has established a high level group to review all aspects of access controls and security management.

Róisín Shortall (Dublin North West, Labour)
Link to this: Individually | In context

Earlier, in reply to a similar question, the Minister stated that improper access to confidential information occurred in only three cases. Given that just three cases came to the attention of the media, I find it impossible to believe these are the only cases in which improper access was gained to confidential information. On what basis did the Minister make a categorical statement on the number of cases? In the aftermath of three cases highlighted in the media, what look-back procedure was employed to assess access to confidential information and how did it enable the Minister to make such a categorical statement?

What role did the Data Protection Commissioner have in respect of the three cases that have come to light? What sanctions or recommendations did he make in respect of the operation of the Department?

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

I confirm my earlier statement that since 2002 three investigations have been concluded which highlighted unauthorised disclosure of personal data by officials of the Department.

Róisín Shortall (Dublin North West, Labour)
Link to this: Individually | In context

That is a different issue.

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

There are six investigations——

Róisín Shortall (Dublin North West, Labour)
Link to this: Individually | In context

The Minister indicated earlier that there were only three cases. He now states that three cases were investigated.

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

No, I said three investigations have been concluded since 2003.

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

The Minister said there had only been three cases since 2002.

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

There have only been three——

Róisín Shortall (Dublin North West, Labour)
Link to this: Individually | In context

How does the Minister know there have only been three cases?

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

All I can do is ask the question and secure the relevant information. It is as simple as that. Six investigations are under way. Two cases were referred to the Department by the Office of the Data Protection Commissioner, while five further cases relate to the disclosure of personal information and two further cases relate to alleged disclosure of personal information. The six investigations under way are current whereas the three cases to which I referred arose between 2003 and 2005.

Róisín Shortall (Dublin North West, Labour)
Link to this: Individually | In context

Potentially, there may be many more cases.

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

The number is not large. I am giving the Deputy the accurate figure which, in the scheme of things, is very low.

Róisín Shortall (Dublin North West, Labour)
Link to this: Individually | In context

Has a look-back procedure been employed?

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

There is constant look-back and study of all cases and the information gleaned is used to improve the security of the Department's systems.

Róisín Shortall (Dublin North West, Labour)
Link to this: Individually | In context

How many cases are there?

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

Exactly what spot checks are in place? The Minister stated the Department is aware of only three cases while six cases are under investigation. Will he clarify whether the latter figure includes the three cases under discussion or whether the overall number is nine? In each of the three specific cases investigated since 2002, how exactly did the breaches come to the attention of the Minister or his Department?

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

The Department has taken a number of initiatives. Since 2004, presentations have been given to more than 1,200 departmental staff, including 600 in the past 12 months. An Internet site is being developed to support staff in protecting the confidentiality, integrity and availability of the Department's business information. The Department regularly produces posters on information security for distribution and display in its offices and to date in 2007 two such campaigns have been completed. Articles on information security and data protection are published regularly in the Department's social affairs and training magazines. Furthermore, the business information security e-learning programme was launched this summer to increase and announce the options available to staff and complement the Department's other activities. This programme comprises five modules focusing on information and PC security awareness. Log-on messages are regularly displayed on computer systems and are usually run for a week at a time. In September 2005, the Secretary General issued two e-mails to all staff on the issues of internal fraud, failure to follow procedures and abuse and misuse of personal data and information. Subsequent messages have issued from the personnel section of the Department.

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

The Minister did not answer the specific question.

Caoimhghín Ó Caoláin (Cavan-Monaghan, Sinn Fein)
Link to this: Individually | In context

Given that there seems to be some uncertainty as to the number of such abuses — while the Minister spoke of a number of cases of which he is aware, he must accept that there may be many more cases of which he is not aware or which have not yet come to light — in trying to address all these issues, what additional security measures has the Department introduced to prevent the disclosure of personal information relating to social welfare recipients to whatever interest? To the Minister's knowledge, have concerns been raised in the Department regarding the feeding of information to commercial interests? I speak specifically with regard to insurance companies, an issue addressed in the House on a previous occasion. Recognising that such a practice would be an absolute breach of the data protection legislation, what steps are being taken to close off that avenue?

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

I assure the Deputy that I raised this issue in the Department. One of the first steps I took in discussions with senior management was to raise this issue and I indicated that it would be intolerable if further breaches of security were to arise in the Department's systems. I cannot deal with hypothetical questions but only the facts available to me, nor can I speculate as to whether there have been other cases because I simply do not know the answer. I can only deal with facts. I asked the Department for information and provided the accurate information available in the Department to the House. The security procedures for internal computer systems, which are significant in the Department of Social and Family Affairs, are up to the mark and up to date. All accounts have specific log-on security details.

This issue must be viewed in context. Given the scale of the Department's activities and the number of customers with whom it deals, the number of cases is minuscule. Nevertheless, I do not minimise their importance and the Secretary General, other senior staff in the Department and I take the matter seriously.

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

How were the breaches involved in each of the cases referred to brought to the attention of the Department and the Minister?

Róisín Shortall (Dublin North West, Labour)
Link to this: Individually | In context

I am concerned that the Minister has been less than forthcoming with information. First, he informed the House that there were only three cases. One hour later, he informed us that there are a further six cases. We still do not know whether any look-back procedure has been used or whether a spot-checking mechanism was introduced to determine the extent to which access to information was abused by his officials. I will repeat my earlier question. What role has the Data Protection Commissioner had in this debacle and what sanctions or recommendations has he made regarding the operation of the Department?

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

That information is not available, but I will get it if the Deputy tables a question on this matter. Deputy Enright asked how the information became available in the Department, but I do not have the details in front of me.

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

The Minister told the House that the information did not become available through leaks in the media. If the Minister knows this, then he knows how the information came to light.

Brendan Howlin (Wexford, Labour)
Link to this: Individually | In context

I call Question No. 65.

Martin Cullen (Waterford, Fianna Fail)
Link to this: Individually | In context

I referred to the fact that the information was in the media. I did not refer to the fact that——

Olwyn Enright (Laois-Offaly, Fine Gael)
Link to this: Individually | In context

The Minister did not. He should read the record.

Brendan Howlin (Wexford, Labour)
Link to this: Individually | In context

I ask that the Minister and the Deputy obey the Chair.