Alan Farrell (Dublin North, Fine Gael)
Link to this: Individually | In context | Oireachtas source

123. To ask the Minister for Justice and Equality in view of the recent electronic security breach of a company (details supplied) which exposed the financial details of 43,000 customers, his plans to ensure companies report on-line security breaches to the data protection officer in a more timely and efficient manner; and if he will make a statement on the matter. [48523/13]

Alan Shatter (Dublin South, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The position is that the law relating to the protection of personal data, including the requirement to implement appropriate security measures, is contained in the Data Protection Acts 1988 and 2003. This legislation requires that appropriate security measures be taken to guard against unauthorised access to, as well as any unauthorised alteration, disclosure or destruction of, personal data, and allows the Data Protection Commissioner to carry out investigations of security breaches on receipt of a complaint or on his own initiative. In 2011, the Data Protection Commissioner introduced a Code of Practice on Personal Data Security Breaches under section 13(2)(b) of the Data Protection Acts. The Code provides guidance on good practice in dealing with data security breaches, including the reporting of such breaches to the Commissioner's Office.

I am informed by the Data Protection Commissioner that his Office was notified of the data security breach referred to by the Deputy in accordance with the Personal Data Security Breach Code of Practice. Given the seriousness of the breach the Data Protection Commissioner sent in an inspection team to investigate the breach. I understand that the Commissioner has received a preliminary report on the findings of the inspection team. I also understand that the Garda Bureau of Fraud Investigations has received a report on the matter and are investigating the issue further.

The European Commission published a Proposal for a General Data Protection Regulation in January 2012. The Proposal includes specific provisions in relation to the notification of personal data breaches to relevant supervisory authorities and individuals who may be affected by them. Negotiations on the Commission's proposals are ongoing at EU level.