Denis Naughten (Roscommon-South Leitrim, Fine Gael)
Link to this: Individually | In context

Question 221: To ask the Minister for Health and Children in view of the disclosure that the Health Service Executive breached its commitment to the Data Protection Commissioner and State code of practice following the theft of laptops from the HSE offices in Roscommon town and following concerns that unencrypted information may include confidential information relating to individuals, if she will outline HSE procedures regarding the handling of sensitive patient data and details of the content of the material on the laptop concerned; and if she will make a statement on the matter. [24756/09]

Mary Harney (Dublin Mid West, Progressive Democrats)
Link to this: Individually | In context

The Health Service Executive fully recognises the obligation it has in relation to the personal and sensitive information that it holds and is fully committed to ensuring its protection. The HSE has developed and implemented a comprehensive set of information security policies based on respecting and protecting the privacy and confidentiality of the information it holds at all times. These policies cover electronic communications, acceptable use of information and communications technology, password standards, encryption and security of mobile devices. The policies apply to all information held by the HSE, all ICT technology resources and all users of HSE information. Responsibility for ensuring ongoing compliance with these policies is primarily a matter for senior HSE management, line managers and users of the information.

The HSE currently has approximately 5,400 laptops in use. Encryption of all laptops commenced last September with priority being given to those holding clinical and other sensitive data. A dedicated programme supported by communications was put in place with over 90% of all laptops encrypted to date.

In the recent break-in at the Roscommon HSE office fifteen laptops were stolen. Thirteen of these stolen laptops were encrypted but, unfortunately two of the stolen laptops were not encrypted. One of these unencrypted laptops did not contain confidential or personal data, while the other contained information relating to a social worker's case notes involving nine families.

The HSE very much regrets the breach in its security policy and procedures. The families concerned have been contacted and briefed on the matter.

The HSE has reissued a directive to staff informing them of their responsibilities to have laptops encrypted and drawing attention to the potential consequences for clients, staff and the organisation of failure to do so.