Dáil Éireann Debate, Tuesday - 17 October 2023
373. Deputy Peadar Tóibín asked the Minister for Social Protection , further to Parliamentary Question No. 415 of 3 October, if she will provide detail on the nature of the data breaches suffered by her Department; the severity of the breaches; if all individuals whose information was compromised were notified of the breach; if the Data Protection Commission was notified of all data breaches; and if she will make a statement on the matter. [45343/23]
View answerThe vast majority of data breaches which arise in my Department occur for three reasons; because correspondence issues to the wrong address (because it has been either addressed incorrectly or delivered to the wrong address), or because an email is sent to the wrong recipient, or because personal data relating to a data subject is mistakenly included in correspondence sent to another person.
With the exception of one high risk data breach, they are either low risk, medium risk, or are unlikely to be a risk to the rights and freedoms of the affected data subject.
Data subjects are not notified in respect of every data breach. This is because the General Data Protection Regulation (GDPR) provides that data subjects need only be notified in cases where a breach has been assessed as representing a high risk to their rights and freedoms. My Department does notify data subjects in some cases where it deems it appropriate to do so, even if the breach is not considered a high risk.
Neither is the Data Protection Commission notified of all data breaches. The GDPR provides that the DPC does not need to be notified where a breach is unlikely to be a risk to the rights and freedoms of data subjects.
My Department takes its data protection obligations very seriously and has in place a set of data protection policies, standards, procedures and guidelines governing the use of its computer systems and customer data. These policies, procedures and guidelines are kept under constant review and are updated as appropriate.
