In reply to Parliamentary Question No. 133 of 3 October, 2023 the Deputy was notified of two instances of a data breach identified within the Department during the past decade.
The case in 2016 arose on foot of a complaint by an individual made to the Data Protection Commission (DPC) in 2017. The complaint concerned an allegation that a breach had occurred by way of the unauthorised disclosure of personal information by the Department in correspondence to two other public bodies. The complainant declined the offer of an amicable resolution, including an apology, and so the DPC issued a formal decision in 2020.
The incident in 2022 resulted from a misdirected email (due to a small typographic error in the address) which attached correspondence relating to an individual which also contained personal data. Given the nature of the personal data and the likelihood that the recipient account was dormant, the risk of harm to the individual’s rights and freedoms was therefore assessed to be low. Nevertheless, the Department reported the incident to the DPC as soon as the error was discovered. The individual (data subject) was also notified and apologised to.