Written answers

Tuesday, 17 November 2020

Department of Employment Affairs and Social Protection

Data Protection

Mary Lou McDonald (Dublin Central, Sinn Féin)
566. To ask the Minister for Employment Affairs and Social Protection the breakdown of the 374 data breaches identified by her Department in 2019. [36249/20]

Heather Humphreys (Cavan-Monaghan, Fine Gael)
The majority of personal data breaches in 2019 were in the following three categories:

46% - Delivery of correspondence to an incorrect address or to the customer's previous address;

31% - Accidentally including a document or an item of personal data of a customer in correspondence with another customer;

14% - Email errors such as auto population to an unintended address, or inadvertently including personal data of another customer.

Apart from those three main categories, the other breaches of data protection in 2019 included instances where, at frontline customer service, a wrong appointment letter was handed to a customer or personal data was inadvertently allowed to be viewed by a third party; some personal data was not redacted in granting a freedom of information request; a notification to an employer was sent in error in the absence of customer consent; and system errors, e.g. where the files of one unit of the Department became temporarily visible to another unit.

The number of confirmed breaches should be viewed in the context of the scale of the Department’s business, administering over 70 separate schemes and services and processing almost 2 million applications every year.

My Department takes its data protection obligations very seriously. In order to minimise incidents regarding these types of data breaches, there are regular reminders for staff to be vigilant in matters of data protection.

For example, the 2019 Data Protection Awareness Week placed particular emphasis on how staff need to remain aware in relation to accidental data breaches.  Also, posters were issued to offices throughout the Department with the particular message to be vigilant when sending letters or e-mails, i.e., to double-check address details and letter contents and not to send personal data in bulk e-mails.

It is mandatory for all staff in the Department, and for new entrants, to complete the GDPR e-learning module and to obtain a pass rate of at least 80% at the exam that concludes the module.  All new staff (including temporary clerical officers) must complete the module before they are granted access to any system containing customer data.

In addition, Data Protection Unit staff visit the Department's Offices and deliver presentations on data protection and answer staff questions throughout the year.  Given the current travel restrictions, video presentations are being developed for staff to view online.
