IRELAND 19 February 2017
Office of the Comptroller and Auditor General Press Release ? Stolen Laptops
The Comptroller and Auditor General (C&AG) audits over 350 public bodies and carries out a range of examinations of programmes and areas of administration where there is a perceived risk that public funds may not be properly or efficiently utilised. The Office of the Comptroller and Auditor General (the Office) assists the C&AG in carrying out his mandate.
The Office employs about 160 staff, most of whom are engaged in audit work or value for money examinations. Its staff are bound by official secrets legislation and professional obligations.
The nature of the work necessitates audit testing on location in client premises. To assist with their work staff are issued with laptop computers and all financial audit staff use an electronic working papers tool called Teammate.
The dispersion of the client base around the country and the extent of movement of staff introduces an exposure to theft and loss of equipment. A total of sixteen Office laptop computers have been stolen in the period from 1 January 1999 to date. One of these computers was recovered.
The Office acknowledges the need to manage any risk to the disclosure of client data and it very much regrets the loss of the equipment and any consequential risk that data, while held on password-protected equipment, could be improperly disclosed.
There is no evidence that the Office?s systems were specifically targeted and, in all cases, the thefts appeared to have been opportunistic in nature. The Office, therefore, considers the risk of injury or loss to data subjects is limited taking account of the passage of time.
The Office?s arrangements in relation to data security are outlined below.
Data Security Arrangements
As more advanced technology has become available the Office has moved to make its audit papers more secure. Teammate was introduced to audits in 2006 and was rolled out to all audits in 2007. All data contained within Teammate is encrypted. In addition, all laptop computers require a log-on password to gain access.
Apart from the migration to more secure processing within Teammate where full encryption pertains, the Office has embarked on a process of improving data security procedures. The changes introduced include
Curtailing the amount of data held on laptops to files which are located within the Teammate file structure. Staff have been instructed to transfer all other data to the more secure location of the Office network servers.
Putting specific procedures in place for the handling of personal and confidential data. These include
working, whenever possible, within clients? electronic systems thereby eliminating the need to hold files containing personal or confidential data on Office equipment.
where this is not possible, requesting clients to remove personal details from the files provided for audit so as to ensure that data subjects cannot be identified from information on the Office?s records.
The Office procedures prohibit the sending of personal data by email.
All staff have been issued with a USB memory stick which has an encryption facility. Staff have been instructed to use this more secure medium for data transfers.
An Office-wide collection of all portable media (floppy disks, CDs, DVDs and USB memory sticks) in use by staff was completed earlier in the year.
The various portable media collected are held in a secure location pending their destruction.
Current instructions require staff to provide a declaration that their computers do not contain any client data except within the encrypted Teammate file structure. Verification checks for compliance with this requirement have been put in train.
In addition, to its existing encryption of audit working papers, the Office is extending encryption to all other material on laptop computers.
Review of Data Security
The Office has had preliminary discussions with the Data Protection Commissioner and intends to ask him to conduct a detailed security audit of its systems and procedures.
Deputy Director of Audit
1 August 2008