Written answers

Wednesday, 4 November 2020

Department of Justice and Equality

Commissions of Investigation

Photo of Martin KennyMartin Kenny (Sligo-Leitrim, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

115. To ask the Tánaiste and Minister for Justice and Equality if it has been established the personal information in relation to the Hickson Commission was on a USB key as reported in the media recently;and if her Department has notified the survivors or their legal team of its loss and contents; and if she will make a statement on the matter. [34138/20]

Photo of Martin KennyMartin Kenny (Sligo-Leitrim, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

116. To ask the Tánaiste and Minister for Justice and Equality the reason personal information relating to the investigation into allegations of sexual abuse by a person (details supplied) known as the Hickson Commission was stored on a USB key; the circumstances of the reported loss of this USB key; if the use of USB keys for the retention of sensitive data is common practice in her Department; and if she will make a statement on the matter. [34139/20]

Photo of Helen McEnteeHelen McEntee (Meath East, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I propose to take Questions Nos. 115 and 116 together.

It should be noted that the Hickson Commission is an independent body and I, as Minister for Justice, have no role in the conduct of its investigation.

I am informed by my officials that, in May 2019, having been made aware of the loss of the USB stick containing personal data in relation to the Hickson Commission, my Department notified the Data Protection Commission (DPC), as required under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. I am further informed that the Data Protection Officer in my Department investigated the circumstances surrounding the missing USB stick and the outcome of that investigation was subsequently notified to the DPC.

The investigation found that:

- Despite a thorough search of both premises the missing USB stick was not located.

- An Post indicated that no USB stick was identified in their Recovery/Reclaim Unit.

- The USB stick in question was an INTEGREL Courier USB key with hardware encryption. The encryption used with this device is AES 256-bit, which is ISO27001 compliant.

- The data contained on the USB stick had been uploaded to the Commission’s secure system prior to the stick being mislaid.

As the data contained on the USB stick continued to be available to the Commission and the missing USB stick was encrypted to industry standard, the risk to individuals whose personal data was on the USB stick was evaluated, as required by data protection legislation, and found to be low. Any third party finding the USB stick would be unable to access any information contained therein. In circumstances where the USB stick’s technical protection measures (i.e. encryption) rendered the data unintelligible, there was no reason to notify the data subjects. I understand that the details of the investigation were notified to the DPC and that, in mid-June 2019, the DPC notified my Department that the breach was closed.

I regret the upset and anger caused by the breach and in particular I regret that those concerned found out about it through the media. To avoid this occurring and as a courtesy, those concerned should have been notified of the data breach at the time that it occurred. I have written to them to express my regret about what happened.

In relation to the Deputy’s question regarding the use of USB keys by my Department, I wish to inform you that my Department’s policy in relation to the use of USB sticks is strictly controlled and it is not common practice for sensitive data to be stored in such a manner. In exceptional circumstances where they must be used, my Department uses dedicated encrypted USB keys.

Comments

No comments

Log in or join to post a public comment.