Written answers

Thursday, 20 May 2021

Department of Employment Affairs and Social Protection

Data Protection

Fergus O'Dowd (Louth, Fine Gael)

288. To ask the Minister for Employment Affairs and Social Protection if her Department is fully compliant with GDPR EU requirements, the EU network and Information Security Directive and standards with respect to her Department’s IT infrastructure including Article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if she will make a statement on the matter. [27346/21]

Heather Humphreys (Cavan-Monaghan, Fine Gael)

The Department of Social Protection has Data Protection policies, standards, procedures and guidelines in place governing the use of computer systems and customer data to ensure that the Department is fully compliant with GDPR EU requirements. Staff are regularly reminded of their Data Protection obligations. The importance of Data Protection and Cyber Security is promoted through awareness campaigns, presentations and regular notices.

The Department has adopted a defence-in-depth security strategy which is achieved by utilisation of people, processes, and technology to support the implementation of ICT security services. The threat landscape is constantly evolving, and significant effort is expended to continually enhance and strengthen ICT security to mitigate emerging threats, risks, vulnerabilities and cybersecurity issues.

In addition to deploying perimeter security measures, such as intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions and aggressively deploying updates and patches to endpoints and applications as they become available.

My Department has developed an Information Security Management System (ISMS) aligned with the industry security standard ISO 27001. This ISMS provides an overall governance framework for information security and sets out security policies, objectives, management oversight, practices and governance and ensures continual improvement of information security management. In addition, the Department is advanced in its programme to become ISO 27001 certified compliant with Annex 9, Access Control, ISO/IEC 27001:2013.

Fergus O'Dowd (Louth, Fine Gael)

289. To ask the Minister for Employment Affairs and Social Protection if any state or semi state bodies which report to her Department are fully compliant with GDPR EU requirements and the EU network and Information Security Directive and standards with respect to their IT infrastructure including article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 annex 9 standards on privileged access are fully met; and if she will make a statement on the matter. [27365/21]

Heather Humphreys (Cavan-Monaghan, Fine Gael)

The statutory bodies operating under the aegis of my Department are the Citizens Information Board, the Pensions Authority, the Pensions Council and the Social Welfare Tribunal. Both the Department of Social Protection and the statutory bodies operating under its aegis have Data Protection policies, standards, procedures and guidelines in place governing the use of computer systems and customer data to ensure that they are compliant with EU GDPR requirements. Staff are regularly reminded of their Data Protection obligations. The importance of Data Protection and Cyber-security is promoted through awareness campaigns, presentations and regular notices. The bodies under the aegis of my Department are not subject to the EU Network and Information Systems (NIS) Directive as they are not considered to be 'essential providers' within the EU Directive definition. Specific information on each body is as follows:

Pensions Authority: The Pensions Authority is fully compliant with EU GDPR requirements. The Authority’s planned move to the Office of the Government Chief Information Officers’ (OGCIO) desktop as a service will significantly enhance its cyber security in the future and bring it under the ISO 27001 Certification standards.

Pensions Council: The Pensions Council is fully compliant with EU GDPR requirements and complies with Article 29 standards as the Council only uses the personal data required to carry out its functions. The Council does not provide services to the public and therefore holds a limited amount of personal data. The Council does not have its own IT system and uses the IT infrastructure systems operated by both the Pensions Authority and the Department of Social Protection.

Social Welfare Tribunal: The Social Welfare Tribunal does not have its own IT system and uses the IT infrastructure systems operated by the Department of Social Protection, which are fully compliant with EU GDPR requirements.

Citizen’s Information Bureau (CIB): The CIB commits to compliance with EU GDPR requirements. This includes transparently communicating with customers on how their personal data is managed (e.g. Data Protection Notice for Users of the Service).
