Written answers

Wednesday, 24 September 2008

Department of Social and Family Affairs

Data Protection

9:00 pm

John O'Mahony (Mayo, Fine Gael)

Question 1291: To ask the Minister for Social and Family Affairs the procedures in place to ensure that personal data stored by her Department is secure. [30135/08]

Mary Hanafin (Dún Laoghaire, Fianna Fáil)

The Department of Social & Family Affairs administers some fifty schemes and makes payments to one million people each week. There is also a considerable level of interaction between its staff and the public and with their representatives. In any given year, these interactions include: 1.9 million applications processed; 6.5 million telephone calls; 68 million payments; 360,000 assignments conducted by our investigators.

Because of the nature, scale and diversity of its work, the Department is heavily reliant on ICT and holds detailed information about its customers. The Department takes its responsibilities to safeguard this data extremely seriously. A dedicated unit oversees business information protection across the Department and it has developed and communicated policies and procedures covering the use of systems and data. This unit also investigates any alleged breaches that arise.

The Department maintains a central repository of client information. This information is stored on the Department's Central Records system that holds a record, or data set, in respect of each customer. The information maintained can be broadly categorised into customer identity, PRSI contribution history and summary claim activity information. There are some 6.8 million data sets on this database in respect of current and previous customers. More detailed data relating to particular transactions in relation to these customers are held separately on scheme payment systems.

The data is generated by Departmental staff or agents entering information onto its internal computer systems and also by receipt of data from external agencies (e.g. the General Register Office for births). Staff and agents who need access to this data to carry out their duties are granted access in accordance with departmental policies and procedures, including the use of password protection. The data is made available over a secure network through bespoke application interfaces. These interfaces control the level and type of access an approved member of staff can have to the data. Authorisation to use an application is subject to a business case approved by local management. All changes made to a client data set are logged and subject to on-going audit. All electronic data is stored in the Department's primary computer site. The site itself has rigorous control procedures and site perimeter protection. There are arrangements in place for inter-site back-up of data. Security arrangements, including encryption, are in place to cover the necessary transfer of data to other agencies for service delivery purposes.

Our systems are subject to standard physical security measures. Industry standard security protocols, such as password protection and security software, are deployed to protect all departmentally-supplied devices and preserve the confidentiality of data. Every effort is made by the Department to ensure that personal customer data is used solely for business purposes and that it is not compromised in any way. Over the last number of years, the Department has continuously strengthened security and data protection protocols. Policies and procedures governing the use of systems and data have been developed and communicated to the staff. These policies and procedures are under constant review, and are updated as appropriate. Staff are regularly reminded of their obligations under data protection and security policies and of the penalties applicable in respect of any breach of these policies.

John O'Mahony (Mayo, Fine Gael)

Question 1292: To ask the Minister for Social and Family Affairs the number of laptop computers, data storage devices and USB memory sticks that have been stolen or lost from her Department in 2007 and to date in 2008; and if she will make a statement on the matter. [30150/08]

Mary Hanafin (Dún Laoghaire, Fianna Fáil)

The following data devices, issued by the Department, were reported stolen or lost in the years in question: 2007 — One laptop (house break-in); 2008 — Two Laptops (1 house break-in, 1 office break-in).

In addition, a laptop belonging to the office of the Comptroller and Auditor General was reported missing from the Department's office in Oisín House in April 2007. Laptops can be used to access centrally stored client information through a secure remote log-in. No client data is retained on the laptops after the remote session ceases. Similarly, the Department's e-mail system retains its data in a central location although it can be accessed through a secure remote log-in.

It is now Departmental policy to password protect all laptops. All new laptops issued are encrypted and existing laptops are being recalled for encryption. The Department is also engaged in implementing a policy to restrict usage of USB memory devices. Members of staff who need such devices will be issued with encrypted devices and future usage will be restricted to these.
