Dáil Éireann Debate, Tuesday - 17 October 2023
405. Deputy Peadar Tóibín asked the Minister for Justice further to Parliamentary Question No. 438 of 3 October 2023, if she will provide detail on the nature of the data breaches suffered by her Department; the severity of the breaches; if all individuals whose information was compromised were notified of the breach; if the Data Protection Commission was notified of all data breaches; and if she will make a statement on the matter. [45340/23]
View answerMy Department is committed to protecting the rights and privacy of all individuals in accordance with the EU General Data Protection Regulation, 2016/679 (GDPR) and the Data Protection Act 2018. My Department complies fully with data breach reporting requirements.
Securing and managing personal data in accordance with the GDPR principles is a priority and is governed by a comprehensive set of policies, procedures and systems. For example, a Department Data Protection Steering Group operates with membership of senior personnel from across the Department to assist the Management Board and the Data Protection Officer in fulfilling their Data Protection responsibilities.
My Department has implemented appropriate measures to ensure that all data held under its control is secure and is not at risk from unauthorised access. Measures for the protection of personal data are reviewed and upgraded where appropriate, on an ongoing basis.
Further, data protection training is available to staff in order to ensure that my Department is compliant with obligations to protect all personal data processed.
Whether a data breach is notified to the Data Protection Commissioner (DPC) or not depends on a risk assessment conducted by my Department’s Data Protection Support and Compliance Office on a case by case basis. The majority (86%) of data breaches in 2023 have been assessed as low risk. As the Deputy may be aware, the law requires a breach be communicated to the data subject if the risk is assessed as high.
The information requested by the Deputy is provided in tabular form below.
|
Year |
Number of Breaches Recorded |
Notified to DPC |
Communicated to Data Subjects |
|
2023 (to September 27, 2023) |
113 |
24 |
2 |
|
2022 |
120 |
56 |
2 |
|
2021 |
122 |
73 |
7 |
|
2020 |
121 |
72 |
31 |
|
2019 |
131 |
68 |
44 |
|
2018 (from May 25, 2018 when GDPR came into effect) |
41 |
14 |
9 |
|
2018 (pre GDPR) |
5 |
1 |
1 |
|
2017 (pre GDPR) |
1 |
1 |
0 |
The nature of breaches in 2023 year are indicated by the categorisations below:
• 83% are categorised as unauthorised disclosure (43%/40% wrong email/postal address respectively)
• 12% are categorised as paper lost or stolen (including official documentation)
• 5% are categorised as lost or stolen devices.
