Written answers
Wednesday, 16 October 2024
Department of Transport, Tourism and Sport
Data Protection
Peadar Tóibín (Meath West, Aontú)
55. To ask the Minister for Transport, Tourism and Sport the number of data breaches experienced by his Department in each of the past ten years and to date in 2024; if a breakdown will be provided on the nature of the breaches; and if he will make a statement on the matter. [41744/24]
Eamon Ryan (Dublin Bay South, Green Party)
Data breaches are taken very seriously within my Department and staff are provided with training and procedures on what steps to take in the event of a possible data breach, including notifying, as soon as possible, the Department's Data Protection Officer.
I have outlined the number of data breaches within the timeframe requested by the Deputy in the table below. Please note that our records comprise 2017 to the present date.
The Deputy may also wish to be aware that the majority of the breaches identified were determined to be unlikely to result in a risk to data subjects and were handled in accordance with the Department's Personal Data Breach Response Policy.
Year | Number of Data Breaches | Number of breaches reported to the Data Protection Commission | Number of breaches notified to data subject(s) |
---|---|---|---|
2017 | No records of any data breaches within the Department. | - | - |
2018 | 3 | 1 | 3 |
2019 | 9 | 4 | 5 |
2020 | 5 | 0 | 2 |
2021 | 8 | 4 | 6 |
2022 | 11 | 0 | 5 |
2023 | 5 | 1 | 2 |
2024 to 10/10/2024 | 7 | 1 | 2 |
All breaches must be formally notified to the Department’s Data Protection Officer for assessment. In line with DPC guidance, the majority of confirmed data breaches were deemed not to meet the threshold that would require reporting to the DPC due to the nature of the particular risk they represented and as such notification of the DPC was not undertaken. These were managed internally with steps taken to ensure that similar breaches would not reoccur.
The majority of confirmed data breaches relate to incidents where personal data was accidentally and inadvertently disclosed to third parties. Examples include emails sent to the wrong recipient, incorrect photos issued in certificates, and errors in IT access permissions allowing staff to access information of other staff. There were also a number of incidents where laptops/tablets/mobile phones were temporarily mislaid but were recovered and it was confirmed with IT that no unauthorised access had been made to the devices.