Peadar Tóibín (Meath West, Aontú)
Link to this: Individually | In context | Oireachtas source

3. To ask the Taoiseach the number of data breaches experienced by his Department in each of the past ten years and to date in 2024; if a breakdown will be provided on the nature of the breaches. [41742/24]

Simon Harris (Wicklow, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Please see the accompanying table setting out two instances of a data breach identified within the Department during the past decade with one occurring in 2016 (pre GDPR) and one in 2022.

The case in 2016 arose on foot of a complaint by an individual made to the Data Protection Commission (DPC) in 2017. The complaint concerned an allegation that a breach had occurred by way of the unauthorised disclosure of personal information by the Department in correspondence to two other public bodies. The complainant declined the offer of an amicable resolution, including an apology, and so the DPC issued a formal decision in 2020.

The incident in 2022 resulted from a misdirected email (due to a small typographic error in the address) which attached correspondence relating to an individual which also contained personal data. Given the nature of the personal data and the likelihood that the recipient account was dormant, the risk of harm to the individual’s rights and freedoms was therefore assessed to be low. Nevertheless, the Department reported the incident to the DPC as soon as the error was discovered. The individual (data subject) was also notified and apologised to.