799 data breaches notified by Government departments in 2019

The Department of Social Protection was responsible for nearly half the data protection breaches notified by Government departments across the whole of last year.
However, the department, currently headed up by Fine Gael's Heather Humphreys, was the only government department that declined to outline how many of these breaches were brought before the Data Protection Commission (DPC).
The DPC is the independent regulator responsible for the adjudication on all such breaches involving people’s personal data.
Egregious breaches can potentially lead to heavy fines under the EU’s General Data Protection Regulation (GDPR). Such fines are capped in Ireland at €1m for State bodies. They can be significantly higher for private entities.
All told, 799 breaches were notified by 17 departments, according to a series of parliamentary question responses first lodged by Sinn Féin leader Mary Lou McDonald.
However, two of those departments, those of the Taoiseach and of Rural and Community Development, recorded no breaches whatsoever.
With 374 breaches, the Department of Social Protection recorded 46.8% of all complaints over the 12 months.
Ms Humphreys said that the high number of breaches should be seen “in the context of the scale of the department’s business, administering over 70 separate schemes and services and processing almost two million applications every year”.
The department has typically been the source of large numbers of data-based complaints because of the sheer amount of private citizens’ information it holds, given its remit of delivering welfare payments to qualifying members of the public.
Typically, when a data breach is notified within a body, it is referred to its Data Protection Officer (DPO), a prerequisite role under GDPR, for its seriousness to be ascertained and to decide whether or not to refer it to a higher authority in the form of the DPC.
Of the remaining bodies consulted, the Department of Justice had the highest number of breaches with 130, with just over half of them — 67 — referred onwards to the Data Protection Commission.
Excluding the Department of Social Protection, 65% of breaches notified, 275 out of 425, were sent to the DPC.
The DPC recorded 712 breaches referred by DPOs in 2019, meaning that State departments accounted for at least 39% of all serious data protection infractions relayed to the regulator for the 12 months, with the figure likely to be far higher.
“Many breaches are a result of human error,” Minister for Justice Helen McEntee said.
“Just under half of the breaches recorded posed no risk to the individuals involved.”
Two departments — Agriculture, Food and the Marine and Foreign Affairs — referred all of their complaints, 124 and 50 respectively, to the regulator.
One interesting response came from Simon Coveney, the Minister for Defence (and also Foreign Affairs), who said that of the nine breaches notified to his department, eight were deemed of insufficient importance to pass on to the DPC.
“These eight breaches did not involve the disclosure or loss of multiple documents or amounts of data,” he said, adding, however, that where the breaches did involve such documents or data, they related to single individuals only.
All other bodies recorded fewer than 10 breaches across 2019, save the Departments of Education, Enterprise, and Housing, which had 24, 30, and 12 violations noted respectively.