Mandatory reporting of missing laptop data considered


Minister for Justice Dermot Ahern is considering introducing mandatory reporting in cases where personal data goes missing on stolen or lost laptop computers and other devices.

The new legislation would apply to Government departments and all other State agencies as well as banks and other entities.

Some 35 Government devices containing the personal data of members of the public have been lost or stolen this year.

Mr Ahern is anxious to introduce a system of immediate compulsory reporting to the Data Protection Commissioner when an electronic device containing information on members of the public is lost or stolen. The public would be informed in major cases.

A spokesman for Mr Ahern said such a system would prevent time being lost in the investigation of missing devices. He said Mr Ahern would conduct a broad consultative process before any legislative changes were introduced. "This would include the issue of a mandatory reporting system and incorporate an examination of the economic impact of any changes to data protection law. But it is a complex area."

At present, the law relating to the protection of personal data is contained in the Data Protection Acts of 1998 and 2003.

The laws provide for the secure storage of data and investigation of missing data.

However, there are no provisions setting out a system of mandatory reporting immediately after a device goes missing.

The 2008 figures for lost or stolen devices were contained in replies to parliamentary questions tabled by Labour's spokesman on education and science Ruairí Quinn TD. The written answers also reveal that only three of 15 Government departments that replied to Mr Quinn have fully encrypted their information technology (IT) systems. Encrypting electronic devices makes it almost impossible to access data on lost or stolen devices.

Mr Quinn said when he asked similar questions last year, he was told some 100 devices had gone missing over the preceding five years. He found it "incredible" that since the start of this year, that figure had increased to almost one device per week.

The devices lost or stolen this year include 19 laptop computers, three desktop computers, at least nine BlackBerry mobile phones and four portable storage devices.

His concern was heightened by the fact that only three departments have fully encrypted their devices. Some nine departments were in the process of encrypting, while two - Communications and Education and Science - had "not done so at all".

"It beggars belief that the Department of Communications, tasked with developing our country's IT infrastructure, has absolutely no policy on securing IT devices," Mr Quinn said.