A minister who sits at cabinet has admitted sharing some of her constituents' data outside of the Oireachtas server to a private email account.
Hildegarde Naughton, the Minister of State for Justice, previously sent letters that included some constituents' private details, along with other information for representations, from her Oireachtas email address to her private Gmail account.
This took place over an extended period from 2016 in an apparent breach of the Oireachtas Data Processing Agreement.
Staff in Ms Naughton's office would send the correspondence to the minister on her personal email account for her approval before being given sign-off.
Among the details being shared without constituent knowledge were names, addresses, contact details, queries and supporting documents, as well as other private information.
After an investigation by the, the minister's office admitted that the practice had taken place.
"Call-back lists and letters requiring her approval were forwarded to a Gmail account held by Ms Naughton for her attention," a spokesman said.
"This is no longer the practice. Ms Naughton accepts this was not best practice. Regarding her use of Gmail, she has been advised that this did not constitute a data breach.
"All staff in the constituency office of Hildegarde Naughton TD are bound by a legal/contractual duty of confidentiality.
"Any correspondence received by her office is treated as confidential, and personal information or data is not shared with third parties."
TDs all have an official Oireachtas email account they are advised to use for sending information on constituency work, as the accounts are encrypted.
Private accounts are not end-to-end encrypted and as such are more vulnerable to hacking attempts from outside parties.
A spokesperson for the Oireachtas said TDs receive "ongoing training, in GDPR such as seminars, regularly."
An agreement signed by TDs notes: "An email message cannot be guaranteed privacy. In particular, email messages which are sent to addresses outside the government network are transmitted over public networks, and the Oireachtas has no control over what happens to them when they leave the Oireachtas, or over what route they take to reach their ultimate destination.
"For this reason, you should not send anything sensitive or confidential by email."
The agreement notes: "The parties enter into this Agreement further to Article 28(3) of the General Data Protection Regulation (Regulation (EU) 2016/679) and those statutory provisions pursuant to which the Processor provides information and communications technology and related facilities to Members."