Dáil debates

Wednesday, 24 September 2008

Ceisteanna — Questions

Data Protection.

11:00 am

Enda Kenny (Mayo, Fine Gael)

Question 5: To ask the Taoiseach the procedures in place in his Department for the protection of personal data held by electronic means; and if he will make a statement on the matter. [18732/08]

Caoimhghín Ó Caoláin (Cavan-Monaghan, Sinn Fein)

Question 6: To ask the Taoiseach the procedures in his Department for protection of personal data retained electronically; and if he will make a statement on the matter. [20936/08]

Eamon Gilmore (Dún Laoghaire, Labour)

Question 7: To ask the Taoiseach if any computers, disks, laptops or memory storage devices containing personal information about members of the public have been lost or stolen from his Department; if any of these contained personal information; the frequency with which an audit of such equipment is done; and if he will make a statement on the matter. [21762/08]

Eamon Gilmore (Dún Laoghaire, Labour)

Question 8: To ask the Taoiseach the procedures in place within his Department to ensure the security of data held by electronic means; and if he will make a statement on the matter. [21763/08]

Brian Cowen (Laois-Offaly, Fianna Fail)

I propose to take Questions Nos. 5 to 8, inclusive, together.

My Department applies best practice and uses industry standard information security protection devices and software to protect all data within its systems. The Department regularly reviews and updates these security procedures and products as a matter of course.

No computers, disks, laptops or memory storage devices containing personal information about members of the public have been lost or stolen from my Department. Although sensitive information belonging to members of the public is not generally collected by, or stored in, the Department's electronic systems, a number of specific measures are in place in my Department to protect all data which is held electronically.

Access to personal information held on databases within my Department is controlled by application security and confined to relevant authorised personnel only. Access by users to these systems is granted on a "needs only" basis. The Department's computer networks themselves are secured against cyber attacks through the use of security products such as multiple firewalls, anti-virus software and e-mail security tools. Staff supplied with mobile equipment are issued with guidance to ensure devices are secured properly. The hard drives of all laptops are encrypted and do not store departmental data physically on them. Strong authentication methods, in addition to username and password, are in place to prevent unauthorised access to the Department's network from mobile devices.

My Department also evaluates and reviews advanced information security products and technologies as they come to market and implements them where appropriate. The Department's IT assets are audited by the IT unit on an annual basis. The IT unit is currently carrying out an asset audit. Audits are also carried out on an ad hoc basis by the Department's internal audit unit. My Department is also subject to annual audit inspections by the Comptroller and Auditor General.

Enda Kenny (Mayo, Fine Gael)

I thank the Taoiseach for that reply. If I understood him correctly, he clarified that no laptops, as far as is known, have been stolen from his Department.

The Taoiseach will be aware that personal information on 380,000 people on the social welfare register went missing in April 2007. It took until August 2008 — 16 months — before the Minister for Social and Family Affairs was made aware of the extent of the loss. I understand that the data was only password protected instead of being encryption protected. Am I correct that sensitive data in the Taoiseach's Department are encryption protected and not only password protected?

The Taoiseach will be aware that personal data on 580,000 people has been lost in the past 18 months and that the reporting of that seems to be inadequate. As he is aware, there are procedures in place but there are no specific legal obligations on a body which loses personal data to notify a person that private information on him or her has been lost. Also, there is no legal obligation on a body to notify the Data Protection Commissioner of any such loss. Does the Taoiseach agree that it is only right and proper that if a person's information is lost, he or she should be notified and there should be a legal requirement in that regard? Does he also agree that if a body loses similar relevant information, it should be obliged to inform the Data Protection Commissioner? The Taoiseach is aware that the reports of the Data Protection Commissioner are only made public if the body being investigated agrees to their publication. The Irish Blood Transfusion Board agreed to publication, but the Bank of Ireland did not.

John O'Donoghue (Kerry South, Ceann Comhairle)

The Taoiseach can only comment on his Department.

Enda Kenny (Mayo, Fine Gael)

The question is in respect of his Department, but I have given examples from others.

Brian Cowen (Laois-Offaly, Fianna Fail)

With regard to the Department of Social and Family Affairs, I understand there is no evidence to suggest the information was used. The Minister provided a full and frank disclosure upon being notified of what had happened so the people concerned could take whatever precautions they wished to ensure their personal information would not be used by anybody in an unauthorised way. It is regrettable that theft happened, but I am sure whatever lessons are to be learned in terms of encryption arrangements will be learned.

On the issue of data protection legislation and the Data Protection Commission, perhaps a question directed to the Minister concerned would elicit the accurate information. One must balance the need to let people know of any infringement of their rights or privacy with the efficacy of being able to do so in terms of the number of people who may be affected. One may need to use other means to bring the matter to their attention so they can take whatever proactive steps they wish to ensure they are unaffected. This may provide the more practical means of assessing any damage or otherwise that arises as a result of these events happening.

Caoimhghín Ó Caoláin (Cavan-Monaghan, Sinn Fein)

In light of the recent series of laptop thefts, will the Taoiseach indicate what steps are being taken within his Department and across all Departments to assess the security of personal data on citizens? Does the Taoiseach accept the theft of a laptop with the social welfare records of some 380,000 citizens and significant other material on their personal circumstances, including details of marriages, births etc., is very distressing? There is an undoubted confidence deficit in the public arena that must be addressed. Does the Taoiseach accept the call of the Data Protection Commissioner for all major holders of information on clients or citizens, be it in the public or private sector, to employ every care to ensure that information is not put at risk?

Does the Taoiseach accept that, in most instances, it appears the laptops stolen were not in an office environment at the time of the theft? They were stolen in transit between home and work or from public transport. The need for the removal of sensitive data transported in that manner must be examined. Will the Taoiseach assure us there is a review under way and that steps are being employed to ensure the security of information held on citizens by all Departments?

John O'Donoghue (Kerry South, Ceann Comhairle)

The Taoiseach can only answer for his Department.

Brian Cowen (Laois-Offaly, Fianna Fail)

It is important that the person responsible for equipment lost or stolen notifies authorities as quickly as possible, and immediately if possible. The procedures in place to deal with equipment reported as lost or stolen in my Department are that, where a device is reported missing or stolen, the user account associated with that device is immediately disabled. BlackBerries are centrally disabled from the server, a procedure which also wipes the memory of the machine. The network provider is notified so that the SIM card can be disabled, which renders the device inaccessible to unauthorised users. The Department's asset register is updated and, in the case of theft, the user is asked to report the matter to the Garda. Where personal or sensitive data are compromised, the Data Protection Commissioner is also informed.

These procedures satisfy us that best practice is followed to ensure Departments' databases are safe from hackers, for example. Industry standard information security protection devices and software are used to protect all data within systems. These procedures, products and devices are regularly reviewed and, in the case of a breach of security, would have to be reviewed and updated to ensure they are capable of providing the best security appropriate to a Department's needs at all times.

In regard to whether any incidents have occurred whereby personal data held by the Department of the Taoiseach or its agencies were compromised in any way, no personal data held electronically by my Department has been compromised in any way.

Obviously, every Department has to be vigilant in this area and employ good people in the relevant units so that they have the most up-to-date means of ensuring data are not accessible by other than authorised users and, immediately upon notification of theft, the ability to disable that information and render it useless to anyone else. Wiping the information held on a server or whatever is also an important part of the process of protection.

Eamon Gilmore (Dún Laoghaire, Labour)

With regard to the laptops which were already stolen and the information they contained, including the social welfare information which affected 380,000 people and the blood bank details of 170,000 people, is there any evidence to suggest this information has been accessed?

John O'Donoghue (Kerry South, Ceann Comhairle)

We have a problem because the Taoiseach can only address questions for his own Department. Questions for the Department of Social and Family Affairs would have to be addressed to that Department's Minister.

Eamon Gilmore (Dún Laoghaire, Labour)

The matter that has to be addressed is the public's concern about personal and sensitive information being accessed by somebody who should not have it. We now have a situation whereby certain medical tests in hospitals have been outsourced. There are clearly concerns about where that information might end up and it would help to reassure people if information could be provided as to whether material contained on laptops which have already been stolen has been accessed in any way.

John O'Donoghue (Kerry South, Ceann Comhairle)

The Taoiseach is not responsible for that.

Brian Cowen (Laois-Offaly, Fianna Fail)

The answer to that is not in my knowledge. I have not been notified of any adverse subsequent development beyond the fact that the events took place. The Ministers concerned have brought the events to public notice and have indicated what the people who may have been affected would need to do to reassure themselves that their information was not improperly accessed or used in a way that was adverse to their interests. I have not heard anything since then.

Fergus O'Dowd (Louth, Fine Gael)

I ask the Taoiseach to investigate Departments and agencies, including his own, which publish on their websites personal information pertaining to inquiries they conduct. I refer specifically to the Private Residential Tenancies Board when it holds hearings into disputes over tenancies or whether a tenant is causing serious social problems in an area. The law requires that such hearings are held in public but, if members of the press do not attend and if nobody is present other than those involved in the hearing, the PRTB puts the name, address and all the details of the complaints and the responses to them on its public website. This compromises the people concerned in respect of their neighbours, so this issue needs to be addressed. The Data Protection Commissioner is trying to resolve the issue by having the town in which Mr. X or Ms. Y lives posted rather than his or her personal details. This is an important issue because it leads to the continuation of serious social problems.

John O'Donoghue (Kerry South, Ceann Comhairle)

The Taoiseach can only answer for his own Department.

Brian Cowen (Laois-Offaly, Fianna Fail)

This is a matter for the line Minister concerned. I can only observe that, unlike family law proceedings, these are not held in camera. There is not a requirement for privacy, so the question arises of how one can transparently communicate the outcome of these arrangements.

Fergus O'Dowd (Louth, Fine Gael)

That is fine, but the detail is the issue with which I am concerned.

Brian Cowen (Laois-Offaly, Fianna Fail)

The question of the level of personal information and the extent to which this infringes privacy issues is a matter that can be taken up by the competent authorities and resolved in a practical manner.

John O'Donoghue (Kerry South, Ceann Comhairle)

There is very little time for the next question.