Written answers

Wednesday, 20 September 2017

Michael McGrath (Cork South Central, Fianna Fáil)

189. To ask the Minister for Finance the instances in which customer data was lost or misplaced by banks (details supplied); if such instances were referred to the Data Protection Commissioner; the policy of each bank on employees travelling with printed documents containing personal and confidential information relating to customers; and if he will make a statement on the matter. [39759/17]

Paschal Donohoe (Dublin Central, Fine Gael)

I, as Minister for Finance, have no statutory role in relation to the matters referred to in the question. As the Deputy will be aware the Office of the Data Protection Commissioner comes under the aegis of my colleague the Minister for Justice and Equality.

I am aware of recent media reports on the loss of certain customer data. I have been informed by the AIB Group that it adheres to the Office of the Data Protection Commissioner’s Personal Data Security Breach Code of Practice in respect of the bank's reporting obligations. In addition, all AIB staff are subject to a number of Bank Policies, Standards and Guidance documents in relation to safety and security of AIB customer and business information. The Bank’s Information Security Policy and Standards prescribe the Bank’s standards and controls in respect of the handling and transfer of confidential and sensitive information and provide that the confidentiality of customer, staff and business information must be maintained at all times.

AIB has informed me that all staff are required to keep documents, files and folders in a secure environment and ensure that confidential documents are not read in public view and to use electronic means of securing the data where possible. When a staff member becomes aware of any incident where customer or employee information has potentially been compromised they must immediately report the incident to the Data Protection Team. A Data Protection error is also logged on the Bank’s internal Complaints & Error Management systems. The Data Protection Team record all confirmed Data Protection breaches, manage all interactions with the Office of the Data Protection Commissioner and advise business areas on the resolution of incidents. AIB’s Information Security Standards For All booklet also provides guidance to staff on the handling of information in their care and provides that confidential paper must not be left unattended and/or taken out of the office unless required. AIB staff are also reminded through on-going training and awareness sessions that protecting customer information is a key part of the Information Security and Risk Awareness procedures and is fundamental to their Data Protection obligations to keep personal data safe and secure.

I have been informed by the Bank of Ireland Group that it is committed to ensuring the privacy rights of individuals are upheld at all times and that it has policies in place to preserve the confidentiality of personal data it holds, in line with the Data Protection Commissioner's approved Personal Data Security Breach Code of Practice. The risks of accidental disclosure or loss of personal information are addressed through business controls and standards to protect such data during collection, processing, storage and transmission (transportation).

Permanent TSB have informed me that the bank fully complies with the Personal Data Security Breach Code of Practice, including reporting breaches to the Commissioner. PTSB takes its data protection and information security responsibilities seriously and has appropriate policies and procedures in this regard. For example their Code of Ethics, which is applicable to all staff, specifically refers to a duty of care to safeguard the confidentiality of their customers' data.

I understand from KBC that the bank manages instances in which customer data is lost or misplaced in line with the requirements of the Data Protection Acts 1988 and 2003 and the Data Protection Commissioner's Personal Data Security Breach Code of Practice. KBC Bank takes appropriate security measures to help prevent against unauthorised access to, or alteration, disclosure or destruction of personal data and to help prevent against its accidental loss or destruction. This includes adopting enhanced security measures where personal data is being stored or processed outside of a KBC Bank office location.

Ulster Bank Ireland DAC has informed me that it takes its Data Protection responsibilities very seriously. They are registered with the Data Protection Commissioner (DPC) and actively follow the Personal Data Security Privacy Breach Code of Practice so that all known instances of customer data loss and/or misplacement are reported to the DPC. Their internal security policies set out how customer data should be managed, handled and stored.

On the issue more generally, the Central Bank has informed me that Irish Credit Institutions are required to notify regulators of operational risk and loss events. This condition is imposed on the banks’ licenses under Section 10 of the Central Bank Act, 1971. However, the Bank cannot disclose any specific information to third parties relating to its interactions with individual credit institutions per the Central Bank Act, 1942.
