My Department is committed to protecting the rights and privacy of all its data in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Acts 1988 to 2018. My Department has a Data Protection Policy in place and a Data Protection Officer as required by Article 37 of the GDPR. Any processing of personal data is performed in compliance with the principles relating to processing under the GDPR.
My Department's ICT services are provided by the Office of the Government Chief Information Officer (OGCIO).
My Department has been assured that the services provided by the OGCIO are fully compliant with the requirements of the GDPR. In reference to Article 29 of the GDPR in particular, I understand that the OGCIO, as a data processor, has taken all reasonable measures to prevent unauthorised access to personal data through the use of appropriate security processes and controls. These processes and controls include the ability to ensure the ongoing confidentiality, compliance, integrity, availability and resilience of processing systems and services; and the ability to restore the availability and access to personal data in a timely manner in the event of a cybersecurity, physical or technical incident.
The OGCIO has employed a policy based on the security principle of least privilege. IT staff are only assigned security roles with levels of access which are essential to perform the tasks and duties associated with their functions. The allocation and usage of privileged user accounts is reviewed and monitored.
This Civil Service Blended Working Policy Framework is available at the following link: www.gov.ie/en/publication/da010-blended-working-policy-framework-for-civil-service-organisations/. It includes references to obligations on employees, including in respect of protocols for the security and confidentiality of information when working in a blended environment.