Peadar Tóibín (Meath West, Aontú)
Link to this: Individually | In context | Oireachtas source

624. To ask the Minister for Health further to Parliamentary Question No.614 of 3 October 2023, if he will provide detail on the nature of the data breaches suffered by his Department; the severity of the breaches; if all individuals whose information was compromised were notified of the breach; if the Data Protection Commission was notified of all data breaches; and if he will make a statement on the matter. [45338/23]

Stephen Donnelly (Wicklow, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

My Department is committed to protecting the rights and privacy of data subjects and adhering to obligations as a data controller under data protection legislation.

The Department deals with personal data breaches in line with the Department of Health’s Data Breach Management Policy.

Under the GDPR, the Department must notify personal data breaches to the DPC unless it is unlikely to result in a risk to data subjects. Where a breach is likely to result in a high risk to data subjects, the Department must also inform those individuals without undue delay. In certain instances, the Department has made data subjects aware of breaches, even where the high risk threshold has not been met. The majority of personal data breaches the Department of Health have been caused by human error.

All personal data breaches are assessed on a case-by-case basis. Once a potential breach has been detected and secured, a risk assessment is undertaken to determine the risk to the rights and freedoms of the affected data subject(s). All incidents are then logged and reviewed to prevent a similar breach from reoccurring.