Written answers

Wednesday, 16 October 2024

Department of Enterprise, Trade and Employment

Data Protection

Peadar Tóibín (Meath West, Aontú)

108. To ask the Minister for Enterprise, Trade and Employment the number of data breaches experienced by his Department in each of the past ten years and to date in 2024; if a breakdown will be provided on the nature of the breaches; and if he will make a statement on the matter. [41731/24]

Peter Burke (Longford-Westmeath, Fine Gael)

The answer below has been compiled in respect of personal data breaches under the General Data Protection Regulation (the "GDPR").

As the Deputy will be aware, the GDPR was introduced on 25th May 2018. From that date, Data Controllers are mandated under Article 33(5) of the GDPR to record all personal data breaches that occur within their organisations. These records may be reviewed by the Data Protection Commission (DPC) to verify compliance with data protection requirements.

Information on the number of personal data breaches for my Department and its Offices since the introduction of the GDPR to the current date in 2024 is set out in the Table below.

Table 1.1:

Department of ENTERPRISE, TRADE AND EMPLOYMENT (DETE) & its Offices

| Year | No. of GDPR Personal Data Breaches – DETE | No. of GDPR Personal Data Breaches – Offices | Total Breaches |
|---|---|---|---|
| 2018* | 3 | 5 | 8 |
| 2019 | 6 | 24 | 30 |
| 2020 | 2 | 9 | 11 |
| 2021 | 2 | 22 | 24 |
| 2022 | 8 | 32 | 40 |
| 2023 | 6 | 47 | 53 |
| YTD 2024** | 3 | 32 | 35 |

*For 2018 – figures are not full-year figures – data recorded from introduction of GDPR – data recorded from 25/05/2018 to 31/12/2018.

** For 2024 – figures are recorded from 01/01/2024 to YTD at 14/10/2024.

The Offices under the aegis of the DETE are: the Workplace Relations Commission (WRC); the Companies Registration Office (CRO); the Registry of Friendly Societies (RFS); the Register of Beneficial Ownership (RBO); the Intellectual Property Office of Ireland (IPOI); and the Labour Court (LC). The Office of the Director of Corporate Enforcement (ODCE) were an Office of the DETE until their establishment as an independent statutory agency - the Corporate Enforcement Agency (CEA) on 7th July 2022.

I can inform the Deputy that almost 9 out of every 10 breaches that occurred in my Department and its Offices since 2018 were categorised as ‘Low Risk’ or ‘No Risk’ breaches (88% or 179 breaches). The remaining 12% of breaches were made up of 15 ‘Medium Risk’ and 7 ‘High Risk’ breaches. The majority of these breaches were caused by administrative error, for example where an e-mail (or attachment) containing personal data was sent to an unintended recipient.

The decision to report breaches to the Data Protection Commission (DPC) and affected data subjects (individuals) is taken by my Department's Data Protection Officer (DPO), who is an independent appointed officer, following a full risk analysis of the details relating to each personal data breach case. In general, while all High Risk and Severe Risk breaches are required to be reported to the DPC, Medium and Low Risk personal data breaches do not require reporting unless the mitigation actions implemented by the Data Controller have not been effective in reducing or eliminating the privacy risks for affected individuals. Since 2018, a total of 22 breaches for my Department and its Offices have been notified to the Data Protection Commission (DPC). Of those 22 notified breaches, 10 were categorised as ‘Low Risk’, 5 were categorised as ‘Medium Risk’, and 7 were categorised as ‘High Risk’. There were also 15 notifications made to affected data subjects (individuals) during this period. Following the mitigation actions that were put in place by my officials to protect the privacy rights and freedoms of the affected individuals, the Data Protection Commission (DPC) were satisfied that no further action was required.
