Peadar Tóibín (Meath West, Aontú)
Link to this: Individually | In context | Oireachtas source

453. To ask the Minister for Employment Affairs and Social Protection the nature of the data breaches experienced by her Department since 2018. [29315/21]

Heather Humphreys (Cavan-Monaghan, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The majority of personal data breaches in my Department were in the following three categories:

- Delivery of correspondence to an incorrect address or to the customer's previous address;

- Accidentally including a document or an item of personal data of a customer in correspondence with another customer.

- Email errors such as auto population to an unintended address, or inadvertently including personal data of another customer.

The number of confirmed breaches should be viewed in the context of the scale of the Department’s business, administering over 70 separate schemes and services and processing almost 2 million applications every year.

In particular, in 2020, the Department has provided services to an extraordinarily high volume of customers.  At one point, the Department was processing over 50,000 claims per day.  At its peak, in early May 2020, 602,000 were in receipt of PUP.  Just under 20 million PUP payments have been made to nearly 900,000 people providing income support of more than €7.3 billion to date.

My Department takes its data protection obligations very seriously. In order to minimise incidents regarding these types of data breaches, there are regular reminders for staff to be vigilant in matters of data protection.

For example, recent Data Protection Awareness Weeks placed particular emphasis on how staff need to remain aware in relation to accidental data breaches.  Also, posters were issued to offices throughout the Department with the particular message to be vigilant when sending letters or e-mails, i.e., to double-check address details and letter contents and not to send personal data in bulk e-mails.

It is mandatory for all staff in the Department, and for new entrants, to complete the GDPR e-learning module and to obtain a pass rate of at least 80% at the exam that concludes the module.  All new staff (including temporary clerical officers) must complete the module before they are granted access to any system containing customer data.

In addition, Data Protection Unit staff visit the Department's Offices and deliver presentations on data protection and answer staff questions throughout the year.  Given the current travel restrictions, video presentations are being developed for staff to view online.