Data Protection

Dáil Éireann Debate, Thursday - 20 May 2021

Questions (227, 228)

Fergus O'Dowd

Question:

227. Deputy Fergus O'Dowd asked the Minister for Tourism, Culture, Arts, Gaeltacht, Sport and Media if her Department is fully compliant with GDPR EU requirements, the EU Network and Information Security Directive and standards with respect to her Department’s IT infrastructure including Article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if she will make a statement on the matter. [27347/21]

Fergus O'Dowd

Question:

228. Deputy Fergus O'Dowd asked the Minister for Tourism, Culture, Arts, Gaeltacht, Sport and Media if any state or semi-state bodies which report to her Department are fully compliant with GDPR EU requirements and the EU Network and Information Security Directive and standards with respect to their IT infrastructure including Article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if she will make a statement on the matter. [27366/21]

Written answers

I propose to take Questions Nos. 227 and 228 together.

As the Deputy will be aware, my Department was already subject to existing Data Protection regulatory provisions prior to the coming into effect of the EU General Data Protection Regulation (GDPR) in May 2018. A Data Protection Officer (DPO) was appointed in 2018, in line with the requirements of Article 37 of the Regulation. The DPO is supported by a dedicated Data Protection Unit, which monitors all data protection activity and provides ongoing advice and support to staff on any issues that arise.

Responsibilities of the DPO included the oversight of arrangements for transition to the new regulatory regime, updating of the Department’s Data Protection Policy, promotion of awareness of the requirements of the GDPR among staff and identification of training needs across the Department.

My Department is committed to protecting the rights and privacy of individuals in accordance with the GDPR and the Data Protection Acts 1988 to 2018 and continues to implement measures to meet its obligations in respect of this legislation. These include regular review of the Department's policies and procedures such as Data Processing Agreements, the Record of Processing Activities (ROPA), and retention schedules, while also ensuring that staff have access to data protection training and support materials, and are provided with regular notifications of legal developments.

With regard to the Department's IT infrastructure, systems and procedures, these are operated in accordance with data protection requirements. With regard to the EU Network and Information Security Directive, the Department's technical staff continue to operate and monitor all relevant systems to the highest levels, and are closely engaged with experts in the OGCIO and the NCSC to ensure that it follows best practice as it relates to all aspects of cybersecurity. For operational and security reasons, my Department does not comment on operational security matters.

With regard to those bodies under the aegis of my Department, I am advised that each body has a similarly comprehensive range of processes in place to meet the compliance requirements of the GDPR and data protection laws. These include the appointment of a dedicated Data Protection Officer, general and specifically tailored training courses for staff and regular reviews of data protection compliance. I am further advised that these bodies have confirmed that IT infrastructure and systems are maintained and processes operated in accordance with relevant data protection laws and best practice as it relates to security requirements.

Question No. 228 answered with Question No. 227.