Peadar Tóibín (Meath West, Aontú)
Link to this: Individually | In context | Oireachtas source

204. To ask the Minister for Children, Equality, Disability, Integration and Youth the number of data breaches experienced by his Department in each of the past ten years and to date in 2024; if a breakdown will be provided on the nature of the breaches; and if he will make a statement on the matter. [41728/24]

Roderic O'Gorman (Dublin West, Green Party)
Link to this: Individually | In context | Oireachtas source

My Department is committed to protecting the rights and privacy of all individuals in accordance with the General Data Protection Regulation (EU 2016/679). As a data controller, my Department is cognisant of its obligations and has implemented a range of measures to protect personal data including a suite of policies and procedures and a data breach management policy.

The Department processes any personal data breaches that occur in accordance with its obligations under the GDPR. The Department has an internal personal data breach reporting protocol. All breaches must be formally notified to the Department’s Data Protection Officer for assessment. In respect of each incident reported, an assessment is conducted having regard to the protocol the Department has in place. Where appropriate, data breaches are reported to the Data Protection Commission and individuals are also informed in relation to a breach of their data, as appropriate.

The obligation to notify the Data Protection Commission of a personal data breach, and for the Department to maintain a register of all personal data breaches, only exists since the GDPR came into effect in May 2018.

In the years 2017 to 2024 (to date), a total of 168 breaches were recorded by my Department, broken down as follows:

2017 – 2 breaches.

2018 – 14 breaches.

2019 – 10 breaches.

2020 – 17 breaches.

2021 – 25 breaches.

2022 – 25 breaches.

2023 – 33 breaches.

2024 – 42 breaches to date

The majority of the breaches that occurred in my Department in the period 2017 – 2024 were as a result of administrative error. These were generally where an email was sent to an incorrect recipient, where an intended recipient incorrectly received data as part of an email attachment, or where an intended recipient inadvertently had sight of the full email recipient list.

Where data breaches were not reported to the Data Protection Commission, the breach was deemed to comprise no risk to the individual. In instances where the breach was deemed to be a low risk to the rights and freedoms of data subjects, the Data Protection Commission was notified. 40 breaches warranted formal notification to the Data Protection Commission. In instances where the breach was deemed to be a high risk to the rights and freedoms of an individual, the data breach was notified to the Data Protection Commission and the individual concerned in line with GDPR requirements. In 1 instance, the Department notified the relevant individual in relation to the data breach.