Written answers

Tuesday, 21 October 2008

Department of Social and Family Affairs

Data Protection

9:00 pm

Jan O'Sullivan (Limerick East, Labour)

Question 147: To ask the Minister for Social and Family Affairs the actions she has taken to ensure that the loss of sensitive data that occurred during an audit of her Department is never repeated; the extent of the loss to the clients affected; the liabilities that arise for the State as a result of losing this data; her plans to issue new PPS numbers to the persons affected; if a criminal investigation has been conducted; the extent of her Department's involvement in this; the disciplinary action that has occurred as a result of the theft; and if she will make a statement on the matter. [34871/08]

Mary Hanafin (Dún Laoghaire, Fianna Fáil)

The Department was notified in April 2007 that a laptop, belonging to the C&AG, had been taken from our offices. The theft was immediately reported to the Gardaí. Some 16 months later, in early August, the Department was informed that the laptop contained personal data relating to social welfare customers.

The Department reported this matter to the Garda Bureau of Fraud Investigation (which deals with Computer Crime) and sought advice and guidance in that regard. I am not in a position to confirm the status of any criminal investigation.

The office of the C&AG was provided with access to the Department's records to enable them to carry out audits of our schemes. The data, which was stored in encoded format on our internal ICT network, was downloaded by a member of the C&AG audit team to a laptop where it was decoded. The decoded data was on the laptop when it went missing.

It is estimated that the laptop in question contained the records of 380,000 customers. The records contained personal information, including Name, PPSN, Address, Pay Amount and other personal information such as marital status, date of birth etc. They also contained bank account details in respect of those customers whose payments were made directly into their bank accounts during the periods in question.

The information contained on the laptop, alone, would not be sufficient to access public services. Public bodies, employers and others who are authorised to use the PPS Number are required to exercise diligence in properly identifying those whom they employ or with whom they transact business. Additional evidence of identity such as photographic ID, signature, mother's birth surname, PIN, password, etc. is required to fulfil this purpose.

In view of the time period that has elapsed and the fact that there is no evidence that the information has been misused or compromised in any way, the Department does not consider it necessary or appropriate to issue new PPS numbers to all of the customers affected. The Department has facilitated requests from individual customers to have their PPS Numbers changed. From contacts with the Gardaí, various other Government and payment institutions there is no indication of any systematic misuse of the information contained on the laptop in the 17 months since the theft occurred. Accordingly, the question of compensation does not arise as there is no evidence of any injury, loss or damage having been suffered arising from this incident.

Since being notified of the contents of the laptop on 1 August, 2008, the Department moved swiftly to respond to the incident and has taken all reasonable steps to minimise the concerns of the customers whose records were contained on it. Letters issued to customers informing them of the incident, a helpline was set up to answer any enquiries arising from this matter, and an email address and a Post Office Box Number were provided for written enquiries. In addition, the Department engaged with the C&AG, the Data Protection Commissioner, An Post, banks and other financial institutions.

The Department has a programme of continuous development and deployment of measures to enhance data security. Since this incident came to light, the Department has further reviewed and enhanced its protocols in relation to the transfer of data to third parties, including the Office of the Comptroller and Auditor General (C&AG). All bulk data is now transferred in an encrypted format, in accordance with the Department's 'External Party Electronic Data Transfer Policy'.

The Department's policy is that sensitive data should not be stored on laptops. However, in the event that there is no alternative to local storage, all sensitive data must be appropriately secured. All new laptops are issued with encryption software. The Department is currently arranging a recall of its current stock of laptops to install encryption software. This process is expected to be completed by the end of the year.
