Ciarán Lynch (Cork South Central, Labour)
Link to this: Individually | In context

Question 167: To ask the Minister for Social and Family Affairs the actions taken by her Department to implement the recommendations of the data protection commissioner following his audit of her Department earlier in 2008. [34886/08]

Mary Hanafin (Dún Laoghaire, Fianna Fail)
Link to this: Individually | In context

The Office of the Data Protection Commissioner (ODPC) undertook an audit of the Department in late January 2008. The audit focused on the measures in place to protect the security of personal data of customers and the extent of data-sharing in the broader public service using the Personal Public Service Number (PPSN) as an identifier.

The Report, which was received in the Department in June 2008, lists a series of recommendations covering access management, security, data-sharing and data protection policies. The Report was published on the Department's website in July 2008, alongside the Data Protection Policy and Guidelines.

The Department holds extensive personal information about its customers in order to conduct its day-to-day business, pay entitlements and provide a range of services over people's lifespan. We take our responsibilities to protect this information very seriously and, for sometime, we have been engaged in a broad programme of work to enhance the effectiveness of the information security controls. The Department welcomes the contribution of the Commissioner's Report to enhancing the effectiveness of its information security programme.

The Data Protection Commissioner, while recognising the specific challenges for an organisation as large and diverse as this Department, highlighted areas of concern and areas in need of strengthening. In response, the Department has implemented some improvements and others have been incorporated into our wider information security programme.

Policies and procedures governing the use of information systems and data are constantly under review. Recently a number of new policies have been developed and issued to staff in covering data transfers and the use of mobile computing and storage devices. Staff are regularly reminded of their obligations under data protection and security policies and of the penalties applicable in respect of any breach of these policies.

In addition to the policy measures, the Department is also ensuring that higher levels of data protection are built into its latest generation of ICT systems to reflect the increased threats in this area. Considerable resources have also been devoted to increasing the security and monitoring facilities in its older systems.

The Department has committed itself to informing the Commissioner of progress on the issues highlighted in his recommendations by the end of 2008.