Office of the Comptroller and Auditor General    Press Release ? Stolen Laptops Update


The Comptroller and Auditor General (C&AG) has access to information on payments by the State. This statutory right of access is designed to allow the C&AG to audit and report on the accounts of public bodies. Much of the audit processing of data by the Office is carried out on laptop computers using proprietary software.

In a press release on 1 August 2008 the Office reported that 16 laptops had been stolen over the past ten years. Following an examination of its audit files, and interviews with staff, three of these laptops have been identified as containing data that could, if improperly disclosed, be misused. This examination was finalised in the past week.

The personal information contained on the three computers falls into two categories ? data where a PPSN or banking details or both were held relating to the payrolls of certain public bodies and data relating to social welfare scheme payments. In the case of payroll data seven public bodies were involved. The Office has contacted those public bodies and they are examining how to inform their staff or clients. 

One of the computers lost was used on the audit of the Department of Social and Family Affairs. It was stolen in April 2007. At that time, the matter was reported to the Gardai and the Department.

In regard to data held on the machine, which covered a maximum of 380,000 records the Office is assisting the Department to identify those clients for whom personal data was recorded and, in particular, those cases where payments were made through personal bank accounts.

The C&AG regrets the loss of the laptop computers and the risk that the information on them could be improperly disclosed or misused. While the data was held on password-protected computers it was not encrypted. Steps have been taken to reduce the risk of any recurrence through

  • Introducing an encrypted working papers system in 2007
  • Limiting the amount of client data held on laptop computers
  • Working within client systems where possible
  • Ensuring that accounting data transferred to it is done through encrypted media
  • Prohibiting the transfer of personal data via e-mail
  • Gathering all historic data on portable media and holding it securely for destruction.

The Office is currently testing data encryption software for use on information not held within its electronic working papers. This will be implemented as soon as testing is complete.

Arrangements have been put in place for a security audit to be conducted by the Office of the Data Protection Commissioner. An independent review will also be undertaken of the Office?s ICT governance and management. The Office will disclose the results of that examination and implement any further measures that arise out of the audit by the Data Protection Commissioner.

Gerry Smyth
Secretary and Director of Audit
Office of the Comptroller and Auditor General

11 August 2008