I propose to take Questions Nos. 115 and 116 together.
It should be noted that the Hickson Commission is an independent body and I, as Minister for Justice, have no role in the conduct of its investigation.
I am informed by my officials that, in May 2019, having been made aware of the loss of the USB stick containing personal data in relation to the Hickson Commission, my Department notified the Data Protection Commission (DPC), as required under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. I am further informed that the Data Protection Officer in my Department investigated the circumstances surrounding the missing USB stick and the outcome of that investigation was subsequently notified to the DPC.
The investigation found that:
- Despite a thorough search of both premises, the missing USB stick was not located.
- An Post indicated that no USB stick was identified in their Recovery/Reclaim Unit.
- The USB stick in question was an INTEGREL Courier USB key with hardware encryption. The encryption used with this device is AES 256-bit, which is ISO27001 compliant.
- The data contained on the USB stick had been uploaded to the Commission’s secure system prior to the stick being mislaid.
As the data contained on the USB stick continued to be available to the Commission and the missing USB stick was encrypted to industry standard, the risk to individuals whose personal data was on the USB stick was evaluated, as required by data protection legislation, and found to be low. Any third party finding the USB stick would be unable to access any information contained therein. In circumstances where the USB stick’s technical protection measures (i.e. encryption) rendered the data unintelligible, there was no reason to notify the data subjects. I understand that the details of the investigation were notified to the DPC and that, in mid-June 2019, the DPC notified my Department that the breach was closed.
I regret the upset and anger caused by the breach and in particular I regret that those concerned found out about it through the media. To avoid this occurring and as a courtesy, those concerned should have been notified of the data breach at the time that it occurred. I have written to them to express my regret about what happened.
In relation to the Deputy’s question regarding the use of USB keys by my Department, I wish to inform you that my Department’s policy in relation to the use of USB sticks is strictly controlled and it is not common practice for sensitive data to be stored in such a manner. In exceptional circumstances where they must be used, my Department uses dedicated encrypted USB keys.