Written answers

Tuesday, 19 November 2013

Department of Justice and Equality

Data Protection

Michael McGrath (Cork South Central, Fianna Fail)

497. To ask the Minister for Justice and Equality if a company (details supplied) involved in a recent data security breach, involving the credit card details of two companies (details supplied), is a regulated entity of the Central Bank of Ireland; the role the Central Bank has in investigating or following up on the affair; and if he will make a statement on the matter. [49095/13]

Michael McGrath (Cork South Central, Fianna Fail)

498. To ask the Minister for Justice and Equality if third party companies that hold credit card details on behalf of other companies are regulated entities under the Central Bank of Ireland; the legal requirements governing any company that wishes to hold credit card details for a period; and if he will make a statement on the matter. [49096/13]

Alan Shatter (Dublin South, Fine Gael)

I propose to take Questions Nos. 497 and 498 together.

I have been informed by the Central Bank that third party companies holding credit card details on behalf of other companies are not regulated by the Central Bank and that it has no role, therefore, in investigating such security breaches. The law relating to the protection of personal data, including the credit card data of individuals, is set out in the Data Protection Acts 1988 and 2003. This legislation requires, for example, that personal data are obtained for one or more specified, explicit and legitimate purposes; that they are not further processed in a manner inconsistent with that purpose or those purposes; that they are not excessive in respect of that purpose or purposes; and, importantly, that they are not kept for longer than is necessary. The legislation also requires that appropriate security measures be taken to guard against unauthorised access to, as well as any unauthorised alteration, disclosure or destruction of, such personal data. Moreover, it allows the Data Protection Commissioner to carry out investigations of infringements of the legislation on receipt of a complaint or on his or her own initiative. In 2011, the Data Protection Commissioner introduced a Code of Practice on Personal Data Security Breaches under section 13(2)(b) of the Data Protection Act 1988. The Code provides guidance on good practice in dealing with data security breaches, including the reporting of such breaches to the Commissioner's Office.

I am informed by the Data Protection Commissioner that his Office was notified of the data security breach referred to by the Deputy in accordance with this Code of Practice. In light of the seriousness of the breach, the Commissioner sent an inspection team to investigate it as soon as possible. I understand that the Commissioner has received a preliminary report on the findings of the inspection team. I also understand that the Garda Bureau of Fraud Investigations has received a report on the matter and is investigating the issue further. The European Commission published a Proposal for a General Data Protection Regulation in January 2012. The Proposal includes specific provisions, which I fully support, requiring the notification of certain personal data breaches to relevant supervisory authorities and, in serious cases, to individuals who may be affected by them. Negotiations on the Commission’s proposals are ongoing at EU level.
