Dáil debates

Tuesday, 6 October 2009

Ceisteanna — Questions

Data Protection.

2:30 pm

Enda Kenny (Mayo, Fine Gael)

Question 1: To ask the Taoiseach the procedures in place in his Department for the protection of personal data held by electronic means; and if he will make a statement on the matter. [25630/09]

Eamon Gilmore (Dún Laoghaire, Labour)

Question 2: To ask the Taoiseach the procedures in place within his Department to ensure the security of personal data held by electronic means; if he has satisfied himself with the adequacy of such measures; and if he will make a statement on the matter. [27240/09]

Caoimhghín Ó Caoláin (Cavan-Monaghan, Sinn Fein)

Question 3: To ask the Taoiseach the data protection procedures in place in his Department; and if he will make a statement on the matter. [27252/09]

Brian Cowen (Laois-Offaly, Fianna Fail)

I propose to take Questions Nos. 1 to 3, inclusive, together.

Although sensitive information belonging to members of the public is not generally collected by or stored in the Department's electronic systems, specific measures are in place in my Department to protect all data held electronically.

Access to personal information held on databases within my Department is controlled by application security and confined to relevant authorised personnel only. Access by users to these systems is granted on an "as needs only" basis. The Department's computer networks are secured against cyber attacks through the use of security products such as multiple firewalls, anti-virus software and e-mail security tools. Remote access equipment is only issued to staff who have a business need to access the Department's systems out of the office. All applications for access are sent to, and approved by, the personnel officer. Staff supplied with mobile equipment are issued with guidance to ensure devices are secured properly. The hard drives of all laptops are encrypted and do not store Departmental data physically on them. Strong authentication methods, in addition to user name and password, are in place to prevent unauthorised access to the Department's network from mobile devices.

My Department complies with the guidelines on protecting the confidentiality of personal data issued by the Department of Finance. It also evaluates and reviews advanced information security products and technologies as they come to market and implements them where appropriate. In short, my Department applies best practice and uses industry standard information security protection devices and software to protect all data within its systems. It regularly reviews and updates these security procedures and products as a matter of course.

Enda Kenny (Mayo, Fine Gael)

I listened carefully to the Taoiseach's reply and we need more than firewalls around here. In any event, in 2008 the personal data of 580,000 people was lost and the reporting of all of that was less than adequate. To date, in 2009, Bord Gáis has lost the personal information of 75,000 customers and the HSE had 15 laptops stolen, two of which were not encrypted. The Taoiseach is aware that in April 2007 the personal information of 380,000 social welfare recipients went missing. It took 16 months, until August 2008, before the Minister for Social and Family Affairs was made aware of the extent of the losses. Furthermore, the data was only password protected and did not have any encryption in place.

The Taoiseach will also be aware that 16 laptops have been stolen from the Comptroller and Auditor General's Office since 1999. Laptops were stolen from the Bank of Ireland, computer disks were lost in New York by the Blood Transfusion Service Board, 15 HSE laptops were stolen in Roscommon and, as I said, Bord Gáis lost information on 75,000 customers.

As I understand it, there is no specific legal obligation on a body that loses personal information to notify the Office of the Data Protection Commissioner. That irritation was perfectly evident recently when that office only heard about the missing HSE laptops on the radio. There have been many high profile thefts, whether such data was being targeted deliberately or stolen by accident. Can the Taoiseach confirm that all the electronic data being held in his Department is encrypted and therefore of no use to people who have access to computers or hand-held technology? Can he say why the Data Protection Commissioner was not informed of the theft of the HSE laptops?

If Fine Gael were to introduce its Data Protection (Disclosure) (Amendment) Bill 2008, would the Taoiseach support it? That would create a legal obligation on organisations to disclose within a certain period any breaches of data security. Such an obligation would create very strong incentives for all organisations to ensure their data protection procedures were adequate in order to avoid any negative publicity that might ensue from having to disclose a breach of customers' sensitive and personal data. If we introduce that Bill will the Taoiseach support it, and will he say why the Data Protection Commissioner was not informed about the missing HSE laptops? Is he happy that all computer information, where personal data is stored with his Department, is at a minimum encrypted?

Brian Cowen (Laois-Offaly, Fianna Fail)

This question applies to procedures within my Department, so I am not in a position to comment as regards other matters. Such questions are best put to the line Ministers concerned as regards specific queries the Deputy may have.

In terms of my Department, in the body of my reply I indicated that the hard drives of all laptops are encrypted and the departmental data is not physically stored on them. There are strong authentication methods in place to prevent unauthorised access to the network from mobile devices. I am satisfied on the basis of the information provided to me by the personnel office and the people in the Department responsible for this area, that best practice is being applied and that standard information security protection devices and software are being used to protect all data within the systems.

In that respect it is fair to say that a small amount of computer equipment was reported to be lost or stolen. Nine devices were reported lost or stolen since 2002, three of which were subsequently recovered. There was no personal data on any of the devices concerned and the procedures for dealing with equipment reported lost or stolen were enacted in regard to these situations.

Enda Kenny (Mayo, Fine Gael)

Arising from that, the Data Protection Commissioner's findings are only made public if the body being investigated actually requests it or agrees to it. For example, the Irish Blood Transfusion Board appears to have agreed to it but the Bank of Ireland does not appear to have agreed to it. Does the Taoiseach agree that in cases where an investigation is carried out by the Data Protection Commissioner concerning significant loss of personal or sensitive information, the findings should be made public, which is not always the case at present? Obviously, the findings of the Data Protection Commissioner would be helpful to all organisations and set a standard that everybody would want to adhere to. Does the Taoiseach agree there should not be this situation where the findings of the Data Protection Commissioner are made public only in circumstances where the organisation agrees or requests it? Should it not be the case that they are made public in all circumstances to help everybody else set a standard and so that items of personal and sensitive information on computer disk are not lost?

Brian Cowen (Laois-Offaly, Fianna Fail)

The availability of information as a general principle is obviously something of which one would be in favour. However, other considerations are sometimes in play, such as the confidentiality of personal information, and the information may not be regarded by the individuals concerned or affected as a matter that should come into the public domain in any event. There are, therefore, various considerations which must be applied in regard to data protection. For my part, any proposals that come from any part of the House on these issues will be considered constructively in line with the established principles of what is best practice in this area.

Joan Burton (Dublin West, Labour)

In recent years, more than 110 laptops and similar devices have been stolen from different Departments. Various e-Government projects have been spearheaded by the Department of the Taoiseach. One of the obvious consequences of e-Government is that the State inevitably accumulates vast amounts of information about the personal details of people's lives, whether that be health information, information relating to farms and farmers, or otherwise. If one is having a smart economy drive and an e-Government drive, it is inevitable that the Government ends up holding vast amounts of data about different aspects of people's lives.

I want to restate the question. First, devices which store data may be stolen or lost, perhaps because officials have them in their cars or take them home with them, or because the offices where the devices are held are broken into. The general public want to know what provision is in place for a type of rapid warning system which all Government agencies and Departments would sign up to in order to alert people to the fact that what to them may be sensitive information has been lost or compromised in some way. Second, given that the Department of the Taoiseach has over the past ten years led the information, smart economy and e-government project, would the Taoiseach not agree it is a matter for his Department to set standards and responses in regard to the observations from the Office of the Data Protection Commissioner concerning the security of devices, particularly concerning the issue of informing people whose data and personal information may have been compromised in one way or another?

Brian Cowen (Laois-Offaly, Fianna Fail)

With regard to what happens if a device is missing or stolen, in that event, the user account associated with that device is immediately disabled and, in the case of BlackBerries, they are centrally disabled from the server and the memory of the machine is also wiped in this procedure; the network provider is notified so that the SIM card is disabled, which renders the device inaccessible to unauthorised users; the Department's asset register is updated; in the case of theft, the user is asked to report the matter to the Garda; and, where personal or sensitive data are compromised, the Data Protection Commissioner will be also informed.

On whether I am satisfied that personal data belonging to members of the public held in the Department's databases are safe from unauthorised access or from hackers, I am satisfied that my Department applies best practice on data protection. The procedures, products and devices they have are regularly reviewed and updated to ensure they are capable of providing the best security appropriate to the Department's needs at all times. On whether there were any instances where personal data held by the Department or any of its agencies were compromised in any way, I am informed that no personal data held electronically by my Department have been compromised in any way.

Regarding the need to comply with data protection legislation in the protection of personal data, I am informed that the Department fully complies with the provisions of the 1988 and 2003 Acts, and the Freedom of Information Acts 1997 and 2003, in managing electronic and paper-based records.

On the overall situation in terms of data held electronically in all Departments, when I was Minister for Finance, the Department of Finance, as the Department of the public service, wrote to all Departments, offices, and agencies in November 2007 seeking information on the systems and procedures in place to protect the confidentiality of personal data. After collating and examining those responses the Department of Finance then produced a report for Government which contained the findings and a number of recommendations. It was circulated to relevant stakeholders for comment and observation and was presented to Government for consideration in April 2008. The Government noted the report and also that the Department of Finance was convening a working group to produce guidelines based on the recommendations of that report. That cross-departmental working group had its first meeting in May 2008. The CMOD section of the Department of Finance chairs meetings of the group and provides a secretariat.

The group has produced guidelines and a template code of practice for Departments, offices and agencies on the protection of personal data held electronically, on paper and on data storage devices. Those guidelines also cover the protection of data while being transferred electronically between Departments and via e-mail. Those documents, based on best practice in this area, were passed to the Data Protection Commissioner and other members of the working group for observations. Following their responses, both documents were circulated to all Departments, offices and agencies. There has been an effort to provide uniform standards through that process in the past 12 to 18 months.

Caoimhghín Ó Caoláin (Cavan-Monaghan, Sinn Fein)

On the questions before us, does the Department of the Taoiseach have a co-ordinating role on data protection procedures across all Departments? Does that function arise and is it the Taoiseach's Department that would carry out same?

On a more general point about data protection but in an area for which the Taoiseach is directly responsible, namely, social partnership, has progress been made on the commitment in the Towards 2016 agreement that legislation would be enacted so that employment agencies shall in their dealings with jobseekers abide by all employee protection and data protection legislation in force in the State? Will the Taoiseach give an indication, as it is directly under the aegis of his Department, on what progress there has been in moving towards such an assurance, a guarantee?

Brian Cowen (Laois-Offaly, Fianna Fail)

I indicated in a previous reply to a supplementary question from Deputy Burton that the Department of Finance is the Department of the public service and that, when I was Minister for Finance, I undertook a process of co-ordination to ensure best practice in this area across all Departments, agencies and offices. In my detailed reply to a previous supplementary I indicated that that process was extensive, comprehensive and is now complete. That answers that question.

The other question about what progress has been made to date on employment agencies and commitments in Towards 2016 would be best tabled for a specific answer to the Department of Enterprise, Trade and Employment.

Caoimhghín Ó Caoláin (Cavan-Monaghan, Sinn Fein)

As social partnership is an area under the direct responsibility of the Taoiseach's Department I would have thought he would have an oversight on not only the proposal but the agreement within Towards 2016. Can he not give us something more than just a referral to another Department? Has any progress been made, to the Taoiseach's knowledge, in bringing about the commitment in Towards 2016 in this regard?

Brian Cowen (Laois-Offaly, Fianna Fail)

With respect, the question put down relates to the procedures in place in my Department for the protection of personal data held by electronic means. The supplementary question is far wider in scope than could have been contemplated.