Joe Costello (Dublin Central, Labour)
Link to this: Individually | In context

I thank Deputy Crawford for allowing me to speak first. A staff member of the New York Blood Centre was in public with a laptop containing the records of donors to the Irish Blood Transfusion Service, IBTS. That person was mugged, his laptop taken and all the records have disappeared. The manner in which these things happened is weird and wonderful. There is a touch of James Bond about this but one has to ask why the disc was encrypted and put on a laptop. The purpose of a laptop is ease of transport for use in a variety of areas. Why was the laptop brought into the public domain in New York and what actually happened? It occurred, as I understand it, on 23 October 2007 but seems to have been kept quiet until the new year. Why was this information only recently made public?

Tens of thousands of Irish citizens gave blood in good faith, in the expectation that all the information they supplied, personal details of their names, addresses, dates of birth and blood types, would have been confidential and would not enter the public domain in any way. The people whose confidential information was lost in that mugging received a letter from the IBTS, explaining in a technical fashion the method of encryption, the process that occurred and why the IBTS set up an agreement with the New York Blood Centre, but it does not explain why the information was on a laptop. Why was it not sent in a more confidential fashion? Why was it sent at all? The IBTS said it wanted to provide the best data control system available and therefore it employed the services of the New York Blood Centre. Why did it not bring an expert to Ireland? It beggars belief that anybody from the IBTS in his or her right mind would take a disc with all that information, transfer it to a laptop, put it surreptitiously in his or her luggage and carry it around the streets of New York where he or she was mugged. In Britain recently a large volume of confidential information that had been stored also got into the public domain. We do not know what will happen to that.

The IBTS says the information was securely encrypted and that it would be impossible to break the code. It may be impossible to break it but it is not impossible to find it. Where was the code? Was there a password, was it in somebody's head or written down in any way? We do not know the answers to those questions or what might happen to that information in the future.

Will the Minister of State tell us in the first instance why it took so long for the IBTS to make this common knowledge and to write to the people concerned? The mugging took place on 23 October 2007 but the letters were not sent out until 22 February 2008. Will the Minister of State give us the up-to-date information on what has happened so far in respect of the investigation and whether there is any prospect of retrieving the information?

Máire Hoctor (Tipperary North, Fianna Fail)
Link to this: Individually | In context

I welcome the opportunity on behalf of the Minister for Health and Children, Deputy Harney, to address the issue raised by the Deputy and to set out the current position on the theft of a laptop in New York containing Irish blood donor records. The Irish Blood Transfusion Service, IBTS, entered into an agreement with the New York Blood Centre, NYBC, for the provision of a data query tool on 23 October 2007. The tender was carried out in compliance with EU procurement rules. The NYBC was the successful tenderer. The IBTS entered into a five-year licence, services and support agreement with the NYBC. The purpose of the data warehousing and reporting tool being developed in conjunction with NYBC is to improve the existing IBTS blood banking computer system, Progesa, in order to provide a better service to its donors and clients. Under the terms of that agreement, the IBTS exported data on CD from its Progesa system. The data was encrypted using a 256 bit key encryption, prior to export on a CD.

On 7 February, an NYBC employee was carrying a laptop to enable him to continue to work on the data outside office hours. The employee was mugged and the laptop stolen.

The IBTS is very conscious of its obligations under the data protection Acts to take appropriate security measures against unauthorised access to, or unauthorised alteration, disclosure or destruction of data. In this instance, the IBTS is confident that it has complied with these obligations by virtue of the robust security measures taken by the IBTS and NYBC. They both consider that the risk of any person being in a position to bypass password controls and decrypt the data is extremely remote.

The IBTS informed the Data Protection Commissioner on the next working day after the theft, 11 February 2008, of the details of the case and the commissioner has been in regular contact with the IBTS, which has co-operated fully with the investigation. The commissioner has noted publicly that the IBTS had a legitimate reason to send the data out of the country, that it had taken its responsibilities to donors and clients seriously and that the information had been securely encrypted.

The Data Protection Acts specifically exclude disclosure to employees or agents. It was agreed between the parties that the NYBC would act as an agent of the IBTS for the purposes of the agreement. Therefore, as an agent of the IBTS, the disclosure of personal data to the NYBC does not constitute disclosure within the meaning of the Acts. At no time were these records ever unencrypted and the IBTS will continue to take every measure to protect the personal records of donors.

The IBTS has contacted all 171,324 donors affected directly to assure them that the data was protected by state of the art encryption. It has provided an information line to donors who were concerned about the data loss and since this matter became public, the IBTS has dealt with over 3,000 calls as well as many letters and e-mails from concerned donors. These donors were from all over the country.

The Minister is satisfied that in this case the IBTS acted appropriately and has taken, as confirmed by the Data Protection Commission, all reasonable steps to safeguard the confidentiality of its donors.