Michael McGrath (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

58. To ask the Tánaiste and Minister for Social Protection the number of data protection breaches reported in her Department this year; the action she has taken to address these breaches; and if she will make a statement on the matter. [45935/15]

Joan Burton (Dublin West, Labour)
Link to this: Individually | In context | Oireachtas source

To date this year, there have been a total of 42 reports of data protection breaches and suspected breaches to the Department of Social Protection.

In 18 of the 42 cases investigations were/are being conducted into alleged deliberate unauthorised access and/or disclosure of customers' personal data by staff members. In 10 of these cases no evidence was found of a data breach and 8 cases are still under investigation.

In the remaining 24 cases, data breaches occurred where customer information was erroneously and inadvertently disclosed to third parties (e.g., letters incorrectly addressed). In each case, efforts were immediately made to secure the compromised data, and the affected customers were informed. They were issued with a letter of unreserved apology and informed of their entitlement to contact the Office of the Data Protection Commissioner if they so wished. Local management examined work practices that led to the error being made and put measures in place to prevent a recurrence.

In each of these incidents, the action taken to address the breach was consistent with the Data Protection Commissioner's Personal Data Security Breach Code of Practice.

While every data breach is a matter of great concern to the Department, the number of confirmed breaches should be viewed in the context of the scale of the Department's business; during 2014, a total of 1.9 million applications were processed by the Department, a similar figure to that which is expected to be returned for 2015.

The Department takes its responsibilities in relation to data protection very seriously. Every effort is made to ensure that personal customer data is used solely for business purposes and that it is not compromised in any way. The Department has data protection and information security policies, standards, procedures and guidelines in place governing the use of its computer systems and customer data.

All members of staff of the Department are regularly reminded of their data protection obligations and the consequences of not adhering to policies such as loss of pay increment(s), loss of entitlement to enter promotional competitions and dismissal. Staff members are required to sign annual undertakings that they have read, and will act in accordance with, data protection policies and guidelines.

A high-level working group is in place to examine, and progress, all aspects of data protection compliance in the Department.

In June the Department ran its annual Data Protection Awareness Week for staff. Activities this year included a very effective short video on social engineering which was developed in-house and made available to all staff; a data protection newsletter issued to all staff; presentations were made to hundreds of staff nationwide and posters were exhibited in headquarter and local offices drawing attention to the importance of securing customers' personal data.