The Deputy should note that my Department has a data breach management policy in place to ensure that any data breaches are dealt with as required under Articles 33-34 of the General Data Protection Regulation (GDPR). For operational security reasons, my Department is not in a position to provide any details of its cyber security systems, as it would be inappropriate to disclose information that may in any way assist those with malicious intent.
I am informed that the nature of data breaches which have been identified since 2018 in my Department falls into three broad categories: accidental exposure of personal data to unauthorised persons; the loss or theft of IT equipment; and personal data shared in error with unintended recipients. Of those breaches, only a small portion (six) warranted formal notification to the Data Protection Commissioner, and these were fully resolved. Immediate follow-up action was taken by my Department in respect of all of the breaches and I understand that in some cases data subjects were informed out of courtesy despite there being no or low risk to them.