Peadar Tóibín (Meath West, Aontú)
Link to this: Individually | In context | Oireachtas source

170. To ask the Minister for Finance further to Parliamentary Question No. 241 of 3 October 2023, if he will provide detail on the nature of the data breaches suffered by his Department; the severity of the breaches; if all individuals whose information was compromised were notified of the breach; if the Data Protection Commission was notified of all data breaches; and if he will make a statement on the matter. [45335/23]

Michael McGrath (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

The Deputy should note that my Department has a data breach management policy in place to ensure that any data breaches are dealt with as required under Articles 33-34 of the General Data Protection Regulation (GDPR). For operational security reasons, my Department is not in a position to provide any details of its cyber security systems, as it would be inappropriate to disclose information that may in any way assist those with malicious intent.

I am informed that the nature of data breaches which have been identified since 2018 in my Department fall into three broad categories: accidental exposure of personal data to unauthorised persons; the loss or theft of IT equipment; and personal data shared in error with unintended recipients. Of those breaches, only a small portion (six) warranted formal notification to the Data Protection Commissioner, and these were fully resolved. Immediate follow-up action was taken by my Department in respect of all of the breaches and I understand that in some cases that data subjects were informed out of courtesy despite there being no or low risk to them.