Data Protection

Dáil Éireann Debate, Thursday - 20 May 2021

Questions (210, 211)

Fergus O'Dowd

Question:

210. Deputy Fergus O'Dowd asked the Minister for Finance if his Department is fully compliant with GDPR EU requirements, the EU network and Information Security Directive and standards with respect to his Department’s IT infrastructure including Article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27339/21]

Fergus O'Dowd

Question:

211. Deputy Fergus O'Dowd asked the Minister for Finance if any state or semi state bodies which report to his Department are fully compliant with GDPR EU requirements and the EU network and Information Security Directive and standards with respect to their IT infrastructure including article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27357/21]

Written answers

I propose to take Questions Nos. 210 and 211 together.

In relation to my Department, I wish to advise that ICT services are provided by the Office of the Government Chief Information Officer (OGCIO). The services provided by the OGCIO are compliant with GDPR. In reference to your question about Article 29 of the GDPR in particular, as a data processor OGCIO has taken all reasonable measures to prevent unauthorised access to personal data through the use of appropriate security processes and controls. These processes and controls include: the ability to ensure the ongoing confidentiality, compliance, integrity, availability and resilience of processing systems and services; and the ability to restore the availability and access to Personal Data in a timely manner in the event of a cybersecurity, physical or technical incident.

The OGCIO has adopted a defence-in-depth security strategy which is achieved by utilisation of people, processes, and technology to support the implementation of ICT security services. The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cybersecurity issues. In addition to deploying perimeter security measures, such as intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions and aggressively deploying updates and patches to endpoints and applications as they become available.

The OGCIO has employed a policy of least privilege security principle. IT staff are only assigned security roles with levels of access which are essential to perform the tasks and duties associated with their functions. The allocation and usage of privileged user accounts is reviewed and monitored.

The OGCIO has developed an Information Security Management System (ISMS) aligned with the industry security standard ISO 27001. This ISMS provides an overall governance framework for information security and sets out security policies, objectives, management oversight, practices and governance, and ensures continual improvement of information security management. In addition, they are advanced in their programme for ISO 27001 certification and are on track to getting ISO 27001 certified in Q4 of 2021/Q1 2022.

Regarding the State bodies under the aegis of my Department, the Central Bank, Irish Fiscal Advisory Council, the Financial Services and Pensions Ombudsman, Irish Bank Resolution Corporation, the Irish Financial Services Appeals Tribunal, the Office of the Comptroller and Auditor General, and the Office of the Revenue Commissioners have advised that they are fully compliant with all the regulations cited.

The National Treasury Management Agency (NTMA) has confirmed that it is fully compliant with GDPR, including Article 29 requirements. The NTMA provides business and support services and systems to the National Asset Management Agency, the Strategic Banking Corporation of Ireland and Home Building Finance Ireland, which are also bodies under my Department’s aegis, and which are also fully compliant with GDPR, including article 29 requirements. The NTMA further advises that, while it is not ISO27001 accredited, NTMA policies are aligned with ISO27001 Annex 9 standards on privileged access.

The Investor Compensation Company has a comprehensive Data Protection Framework in place which includes a Data Protection policy and associated procedures and controls. This Framework complies with GDPR EU requirements, including Article 29. It has contracted an external IT services provider to ensure that it meets information security standards while also employing internal access controls as appropriate.

The Tax Appeals Commission (TAC) is fully compliant with GDPR EU requirements and the EU network and Information Security Directive and standards with respect to its IT infrastructure, including Article 29 of GDPR. Due to its small size and limited resources, the TAC does not subscribe to the International Organisation for Standardisation; however, it does actively monitor privileged access rights for data protection purposes.

While the Credit Union Restructuring Board is a State body under my Department, it was operationally wound down in 2017 and is awaiting formal dissolution.

The Disabled Drivers Medical Board of Appeal (DDMBA) is a board of medical practitioners and has no employees or premises (including IT infrastructure). It operates through the National Rehabilitation Hospital, which provides the facilities, infrastructure and staffing to facilitate the DDMBA in carrying out its remit.

Question No. 211 answered with Question No. 210.