Dáil Éireann Debate, Wednesday - 3 March 2021
674. Deputy Mary Lou McDonald asked the Minister for Justice if, further to her Department’s loss of a USB stick containing personal data relating to the Hickson commission of investigation, she has met the persons whose personal data were on the USB stick; and if she has provided them with the details of their information contained on the lost item. [11488/21]
View answerAs the Deputy will be aware, the Hickson Commission is an independent body and I, as Minister for Justice, have no role in the conduct of its investigation.
I am informed by my officials that, in May 2019, having been made aware of the loss of the USB stick containing personal data in relation to the Hickson Commission, my Department notified the Office of the Data Protection Commissioner (ODPC), as required under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. I am further informed that the Data Protection Officer in my Department investigated the circumstances surrounding the missing USB stick and the outcome of that investigation was subsequently notified to the ODPC.
The investigation found that:
- Despite a thorough search of both premises the missing USB stick was not located.
- An Post indicated that no USB stick was identified in their Recovery/Reclaim Unit.
- The USB stick in question was an INTEGREL Courier USB key with hardware encryption. The encryption used with this device is AES 256-bit, which is ISO27001 compliant.
- The data contained on the USB stick had been uploaded to the Commission’s secure system prior to the stick being mislaid.
As the data contained on the USB stick continued to be available to the Commission and the missing USB stick was encrypted to industry standard, the risk to individuals whose personal data was on the USB stick was evaluated, as required by data protection legislation, and found to be low. Any third party finding the USB stick would be unable to access any information contained therein. In circumstances where the USB stick’s technical protection measures (i.e. encryption) rendered the data unintelligible, there was no reason to notify the data subjects. I understand that the details of the investigation were notified to the DPC and that, in mid-June 2019, the ODPC notified my Department that the breach was closed.
I regret the upset and anger caused by the breach and in particular I regret that those concerned found out about it through the media. To avoid this occurring and as a courtesy, those concerned should have been notified of the data breach at the time that it occurred. I have written to them to express my regret about what happened. I am continuing to liaise with the legal representatives of the persons concerned to arrange a meeting in the near future.
