Written answers

Tuesday, 4 December 2007

Department of Social and Family Affairs

Data Protection

9:00 pm

Ruairi Quinn (Dublin South East, Labour)

Question 93: To ask the Minister for Social and Family Affairs the number of client data sets held by his Department or his Department's agencies; the security measures in place to protect such data; the level of training provided to staff; when policy procedures were last updated; and if he will make a statement on the matter. [32172/07]

Martin Cullen (Waterford, Fianna Fail)

The Department administers some fifty separate schemes and makes payments to one million people each week. It relies on other agencies in carrying out some of its business, for example An Post for payments, and the Revenue Commissioners for the collection of PRSI contributions. Information is also provided to other agencies such as the CSO and Health agencies, for various purposes, in accordance with legislation. The nature and volume of its business means that it is heavily dependent on Information Communications Technology (ICT) facilities to carry out the bulk of its business and it has responsibility for a significant amount of data. The Department is fully aware of its obligation to safeguard the security of this data and employs a wide range of measures to protect the confidentiality, availability and integrity of information. Every effort is made to ensure that business is conducted in a secure way by security-conscious staff.

The Department maintains a central repository of client information. This information is stored on the Department's Central Records system that holds a record, or data set, in respect of each customer. The information maintained can be broadly categorised into customer identity, PRSI contribution history and summary claim activity information. There are some 6.8 million data sets on this database in respect of current and previous customers. More detailed data relating to particular transactions in relation to these customers are held separately on scheme payment systems.

The data is generated by Departmental staff or agents entering information onto its internal computer systems and also by receipt of data from external agencies (e.g. the GRO for births). Staff and agents who need access to this data to carry out their duties are granted access in accordance with departmental policies and procedures, including the use of password protection and personal accounts. The data is made available over a secure network through bespoke application interfaces. These interfaces control the level and type of access an approved member of staff can have to the data. Authorisation to use an application is subject to a business case approved by local management. All changes made to a client data set are logged and subject to on-going audit.

All electronic data is stored in a secure computer room in the Department's primary computer site. The site itself has rigorous control procedures and site perimeter protection. There are arrangements in place for inter-site backup of data.

Security arrangements are in place to cover the necessary transfer of data to other agencies for service delivery purposes. Backup arrangements for these include encryption.

Over the last number of years, the Department has strengthened security and data protection protocols. Staff are regularly reminded of their obligations under data protection and security policies and the penalties applied to any breach.

A dedicated unit has been established to oversee business information protection across the Department and has developed and communicated policies and procedures covering the use of systems and data. These policies and procedures are under continuous review and are updated as appropriate. The most recent policy update took place in June 2007, with the publication of a corporate Information Security Policy.

Over the past few years, the Department has undertaken a number of information security projects and has established internal structures to implement its policies.

A High-Level Group has been established within the Department to review access management and control. The primary focus of the Group is to formulate the Department's policy on access to data and to initiate a further work programme to address the issues involved.
