Written answers

Tuesday, 17 October 2023

Department of Justice and Equality

Data Protection

Peadar Tóibín (Meath West, Aontú)

405. To ask the Tánaiste and Minister for Justice and Equality further to Parliamentary Question No. 438 of 3 October 2023, if she will provide detail on the nature of the data breaches suffered by her Department; the severity of the breaches; if all individuals whose information was compromised were notified of the breach; if the Data Protection Commission was notified of all data breaches; and if she will make a statement on the matter. [45340/23]

Helen McEntee (Meath East, Fine Gael)

My Department is committed to protecting the rights and privacy of all individuals in accordance with the EU General Data Protection Regulation, 2016/679 (GDPR) and the Data Protection Act 2018. My Department complies fully with data breach reporting requirements.

Securing and managing personal data in accordance with the GDPR principles is a priority and is governed by a comprehensive set of policies, procedures and systems. For example, a Department Data Protection Steering Group operates with membership of senior personnel from across the Department to assist the Management Board and the Data Protection Officer in fulfilling their Data Protection responsibilities.

My Department has implemented appropriate measures to ensure that all data held under its control is secure and is not at risk from unauthorised access. Measures for the protection of personal data are reviewed and upgraded where appropriate, on an ongoing basis.

Further, data protection training is available to staff in order to ensure that my Department is compliant with obligations to protect all personal data processed.

Whether a data breach is notified to the Data Protection Commissioner (DPC) or not depends on a risk assessment conducted by my Department’s Data Protection Support and Compliance Office on a case by case basis. The majority (86%) of data breaches in 2023 have been assessed as low risk. As the Deputy may be aware, the law requires a breach be communicated to the data subject if the risk is assessed as high.

The information requested by the Deputy is provided in tabular form below.

| Year | Number of Breaches Recorded | Notified to DPC | Communicated to Data Subjects |
|---|---|---|---|
| 2023 (to September 27, 2023) | 113 | 24 | 2 |
| 2022 | 120 | 56 | 2 |
| 2021 | 122 | 73 | 7 |
| 2020 | 121 | 72 | 31 |
| 2019 | 131 | 68 | 44 |
| 2018 (from May 25, 2018 when GDPR came into effect) | 41 | 14 | 9 |
| 2018 (pre GDPR) | 5 | 1 | 1 |
| 2017 (pre GDPR) | 1 | 1 | 0 |

The nature of breaches in 2023 is indicated by the categorisations below:

  • 83% are categorised as unauthorised disclosure (43%/40% wrong email/postal address respectively)
  • 12% are categorised as paper lost or stolen (including official documentation)
  • 5% are categorised as lost or stolen devices.
