Dáil debates

Tuesday, 21 October 2008

2:30 pm

Olwyn Enright (Laois-Offaly, Fine Gael)

Question 108: To ask the Minister for Social and Family Affairs the way she will ensure that the information on 374,000 persons, whose personal data were contained on laptop computers recently stolen from her Department, is not being misused or compromised; the number of persons who have contacted her Department on this matter; if her attention has been drawn to any interference or fraud activity connected with the missing information; and if she will make a statement on the matter. [36036/08]

Mary Hanafin (Dún Laoghaire, Fianna Fáil)

The Department was notified in April 2007 that a laptop computer belonging to the Comptroller and Auditor General had been taken from the offices of the Department of Social and Family Affairs. The theft was immediately reported to the Garda. Some 16 months later, in early August 2008, the Department was informed that the laptop computer contained personal data relating to social welfare customers. The Department moved swiftly to respond to the incident and has taken all reasonable steps to minimise the concerns of the customers whose records were contained on it. Letters issued to customers informing them of the incident. A helpline was set up to answer inquiries arising from this matter. An e-mail address and a post office box number were provided for written inquiries.

The Department was also in contact with the Garda and payment institutions to alert them to the incident. While the Department notified the appropriate banks about the incident, individuals whose bank details were included on the laptop computer were advised, as an added assurance, to check their bank statements to establish if there had been any unusual activity.

The Department worked closely with the Data Protection Commissioner regarding his response to this incident. The commissioner welcomed the manner in which the Department addressed the issue by writing to those directly affected and establishing a dedicated helpdesk to provide further information and assistance as required. He stated publicly that he considered that this approach represented "best practice and a truly first rate response in the circumstances".

Up to the time that the helpdesk ceased operating on 3 October, 16,500 calls had been made to the special helpline number, 161 e-mails had been received and responded to and 750 letters have been received and are being dealt with.

The information contained on the laptop computer alone would not be sufficient to access public services. Public bodies, employers and others who are authorised to use the PPS number are required to exercise diligence in properly identifying those whom they employ or with whom they transact business. Additional evidence of identity such as photographic ID, signature, mother's birth surname, PIN, password etc. is required to fulfil this purpose.

From contacts to date with the Garda and various other Government and payment institutions, there has been no indication of any systematic misuse of the information contained on the laptop computer during the 18 months since the theft occurred.

Additional information not given on the floor of the House.

The Department has been engaged in a programme of continual development and deployment of measures to enhance data security. Since this incident came to light, the Department has further reviewed and enhanced its protocols for the transfer of data to third parties, including the Office of the Comptroller and Auditor General. All bulk data are now transferred in an encrypted format in accordance with the Department's external party electronic data transfer policy.

Olwyn Enright (Laois-Offaly, Fine Gael)

Has there been any non-systematic misuse of the information from the laptop computer? The laptop computer was stolen from the Department of Social and Family Affairs. Were departmental officials made aware of its theft when it was stolen? What was the reason for the 16-month delay before the Minister was informed of it having been taken? There was a commitment that all laptop computers in the Department of Social and Family Affairs would be retrospectively encrypted. Has this happened with all the laptop computers in the Department? Likewise there was to be a restriction on the use of USB memory sticks. Has that measure been implemented? Will the Minister ensure that this type of information is not easily removed from the places where it needs to be accessed and that when it is removed it is all encrypted?

Mary Hanafin (Dún Laoghaire, Fianna Fáil)

The laptop computer, which was the property of the Comptroller and Auditor General, was used in an office solely used by the staff of the Comptroller and Auditor General in the Department of Social and Family Affairs. I understand it was just the caretaking and security people who were informed that it was lost. However, no indication was given at that time that there was information on it. It was only when the loss of subsequent laptop computers from the Office of the Comptroller and Auditor General came to public attention that it came to light that this amount of information was on it. That is why there was a gap in informing us. As soon as we were informed in August 2008, 16 months later, we immediately put in place the processes I have outlined to allay people's fears. Judging by the response, I believe those fears have been allayed. There is no indication that the information has been used in any way.

Obviously such an incident causes everybody to review security arrangements. Now the information is password protected on personal accounts with a secure network. There are bespoke application interfaces which can control the level and type of information to individuals who are working in the Department. People who are looking to access information from the system need to make a business case to management, which determines whether that staff member may have that information. We have also added read-access logging. The electronic data are stored in a secure computer site. The perimeter of the site is also secured. Encryption is now in place for all information that is being transferred.

Olwyn Enright (Laois-Offaly, Fine Gael)

Is encryption now in place on all the Department of Social and Family Affairs laptop computers? Anyone who is in any way good at this will be able to get around a password. The Minister's predecessor was questioned on a similar matter in October 2007 when there was abuse of information by a Department of Social and Family Affairs official. At the time he advised that a high-level group was constantly reviewing all aspects of controls and security management. Has this high-level group chaired by the Secretary General made a full report on the issue? A laptop was stolen in a house break-in and two desktop computers were stolen from a social welfare office. Can the Minister be fully satisfied information about people is secure?

Mary Hanafin (Dún Laoghaire, Fianna Fáil)

Two relevant policies were introduced recently — the external party electronic data transfer policy and the portable computing device security policy. It is now Department policy to password protect all laptops and all new laptops are encrypted. Existing laptops are being recalled for encryption.

Olwyn Enright (Laois-Offaly, Fine Gael)

Within what timescale will that be completed?

Mary Hanafin (Dún Laoghaire, Fianna Fáil)

There are not many laptops and, therefore, it is a priority. We are also engaged in a policy to restrict the usage of USB memory devices. Staff members who need such devices will be issued with encrypted devices and future usage will be restricted to them.

Laptops are generally used to access centrally stored information. No client data is retained on laptops. It was a highly unusual situation and we asked the Comptroller and Auditor General why all the encrypted information was downloaded to a laptop and made readable. This is the issue that caused concern for people. Given changing technologies, we must keep this policy firmly under review.