Wednesday, 11 July 2018

Questions (200, 201, 202)

Catherine Murphy

Question:

200. Deputy Catherine Murphy asked the Minister for Public Expenditure and Reform the changes he has made to allow access by persons to their own data held by his Department and bodies under its aegis following the introduction of GDPR; and if he will make a statement on the matter. [31476/18]

Catherine Murphy

Question:

201. Deputy Catherine Murphy asked the Minister for Public Expenditure and Reform the staffing complement and resources of his Department's data protection officer; and if he will make a statement on the matter. [31500/18]

Catherine Murphy

Question:

202. Deputy Catherine Murphy asked the Minister for Public Expenditure and Reform the data protection impact assessments his Department has commenced since 15 May 2018; and if he will make a statement on the matter. [31517/18]

Written answers (Question to Public)

I propose to take Questions Nos. 200 to 202, inclusive, together.

The EU General Data Protection Regulation (GDPR) was enacted on 24 May 2016 and came into direct legal effect in all EU Member States, including Ireland, on 25 May 2018.  My Department recognises the need to treat all personal data in an appropriate and lawful manner and is committed to complying with its obligations in this regard.  In this context, a suite of GDPR and Data Protection policies have been rolled out in my Department including an overall Data Protection Policy; a Subject Access Request Policy; a Data Breach Policy; a Data Protection Impact Assessment Policy; and a Data Retention Policy. 

A Data Protection Officer (DPO) has been appointed as required by the GDPR.  The Department’s DPO is currently an Assistant Principal who works in the Department's Corporate Office.  The Department is well advanced in the recruitment of an Assistant Principal who will fulfil the DPO role on a full-time basis.  More generally, the Deputy may wish to note that over 300 staff in my Department have attended GDPR training over the past 6 months.

Under the GDPR, any individual has the right to request details on personal data my Department may hold about them and this can be done by submitting a Subject Access Request. The details on how a Subject Access Request can be made to my Department can be found on its website. It is the responsibility of each body under the aegis of my Department to ensure they have appropriate policies and procedures in place for dealing with Subject Access Requests and all other GDPR-related obligations.

Article 35 of the GDPR makes provision for the undertaking of a Data Protection Impact Assessment (DPIA) in certain instances.  A DPIA is a privacy-related impact assessment that enhances my Department’s objective to identify and analyse how data privacy might be affected by certain actions or activities. A policy of completing DPIAs where required was put in place in my Department prior to GDPR coming into effect.  Five DPIAs have been completed by my Department since 25 May 2018.