As the Deputy will be aware, the commission of investigation, which is investigating the extent to which organisations, including State bodies and individuals, were aware of the child sexual abuse committed by an individual during the 1980s, is an independent body. The Minister and I do not have any role in the conduct of its investigation. I understand that, for its convenience, the commission is supported by the IT unit in my Department. I am informed that in May 2019, having been made aware of the loss of a USB stick containing personal data relating to the commission, my Department notified the Data Protection Commission, as required under the general data protection regulation, GDPR, and the Data Protection Act 2018.
I am further informed that, in keeping with the usual policy, my Department's data protection officer investigated the circumstances surrounding the missing USB stick, and the outcome of that investigation was subsequently notified to the Data Protection Commission. I understand the investigation found that despite a thorough search of both premises, the missing USB stick was not located. An Post indicated that no USB stick was identified in its recovery or reclaim unit.
The USB stick in question was an Integral Courier USB key with hardware encryption. The encryption used with this device is advanced encryption standard, AES, 256-bit, which is ISO 27001 compliant, a leading international standard for information security. The data contained on the USB stick had been uploaded to the commission’s secure system prior to the stick being mislaid so the information itself was not lost. As the data contained on the USB stick continued to be available to the commission and the missing USB stick was fully encrypted to industry standard, the risk to individuals whose personal data was on the USB stick was evaluated, as required by data protection legislation, and found to be low.