My Department takes its responsibilities in relation to data protection and protecting the data of its clients very seriously. Every effort is made to ensure that personal customer data is used solely for business purposes and that it is not compromised in any way. My Department has data protection and information security policies, standards, procedures and guidelines in place governing the use of its computer systems and customer data. These are communicated on an ongoing basis to the staff of the Department and high standards are expected in relation to the handling and processing of personal client information.
The policies, procedures and guidelines are kept under constant review and are updated as appropriate. Staff members are regularly reminded of their obligations under data protection and information security policies and of the penalties that are applicable in respect of any breach of these policies. Data protection obligations are also covered on induction programmes for new staff members and on management development programmes and in presentations given by the Department’s Business Information and Internal Control Support Units.
I cannot accept the point made by the Data Protection Commissioner that the cases that are under investigation by his office, and which appear to have informed the view expressed by him, can be used to make a sweeping generalisation that the Department’s staff as a whole are lax in dealing with client data. Using such a very small number of cases to make a sweeping generalisation implying that my Department’s staff are, or may be, lax is grossly unfair on all of our staff and management in all of the Department’s offices. I agree, however, that even one data breach by staff in the Department is one too many.
Records of data accesses by staff are kept and are subject to audit. All cases of suspected data breaches are investigated by my Department. Breaches that are discovered by my Department’s own auditing and monitoring systems, or brought to the Department’s attention by third parties, are thoroughly investigated and appropriate action is taken. Where a data protection breach has been substantiated by an internal investigation, appropriate sanctions are applied in all cases in accordance with the Civil Service Disciplinary Code. Sanctions applied reflect the severity of the breach and have included dismissal, financial penalties such as the loss of increments, removal of access to the Department’s systems and loss of entitlement to enter promotional competitions.
When issues arise requiring investigation, a cross-disciplinary team consisting of staff from the Department’s Business Information and Security Unit, the Internal Control Support Unit, Internal Audit and Information System Division works together to establish facts and report on matters. This substantial resource allocation is part of my Department’s commitment to ensuring that high levels of data protection governance are in place. My Department is constantly reviewing and updating its procedures in relation to data protection and will continue to do so. It will continue to cooperate fully, as it has done to date, with the Office of the Data Protection Commissioner on all matters relating to data protection.