
DPC Report and Bord Gáis response


Below is a copy of a letter from David Bunworth (Managing Director Bord Gáis Energy) to Diarmuid Hallinan (DPC Office) in response to the DPC report.

Diarmuid Hallinan
The Data Protection Commissioner Office,
Canal House,
Station Road,
Co. Laois.

Response detailing the current status of recommendations and actions instigated by Bord Gáis Éireann

Dear Diarmuid,

Bord Gáis Éireann has received and accepts the findings and recommendations contained in the report of the Investigation by the Data Protection Commissioner into data protection issues arising from the criminal theft of four laptops from offices being used by Bord Gáis Energy in Dublin on the night of 5th June 2009.

Since the security breach on 5th June, Bord Gáis Éireann has taken the following actions:

  • Completed the encryption process on all laptops
  • Reviewed and implemented a number of changes to the sales management system including removing inactive users, placing the management and control of user access within Bord Gáis Éireann's IT function, reviewed administrator access on a strict "essential business" basis and completed a full analysis of user roles and profiles
  • We have already furnished Bord Gáis Éireann's Acceptable Usage Policy (PD 82) and Acceptable Usage Agreement. We have developed these documents using best in class principles and practices for Information Security.

    These documents will be rolled out to all employees at our mandatory Training and Awareness Programme. This classroom training will be provided to all employees and will outline the responsibilities and obligations of all persons who have access to our systems.

  • Initiated a number of reviews with external consultants to assess the following:
    • Overview of Information Security & Data Protection Policies
    • Governance and Organisation Structure
    • Data Review across all business areas
    • Data Security Assessment including 3rd party management, retention of data and data transfer methods
    • Information Asset Management
    • Incident Management

There were a number of recommendations in your report and we have responded to each individually:

"That an immediate review takes place of all access levels among staff members to personal data and systems within BGE and that an effective system be put in place for granting, reviewing and removing such access to personal data and systems when it is no longer needed".

A detailed examination of user access to systems has been completed, and the function to provide user access has been transferred across under the remit of IT.

Updated policies and procedures are in development around the retention and disposal of data within Bord Gáis Éireann. These policies will be applied across all systems in the organisation to ensure the business is in compliance with its obligations under the Data Protection Act. On-going reviews will be performed to ensure that any data which is no longer required will be destroyed in a secure manner.

"That an appropriate standing governance structure be put in place to ensure implementation of the data protection issues to be addressed in BGE".

Interim arrangements are now in place and roles and responsibilities are currently under review. An Information Security Committee will be established with representation from both IT and the business unit and two additional Information Security Managers will be appointed to support the Information Security process.

Individuals will also be assigned for specified systems and data within the business areas and responsibilities have been clearly defined for these individuals.

An Information Risk Officer will be appointed reporting directly to the Head of Internal Audit & Risk so we can ensure that we have the appropriate governance structure capable of meeting the high standards of data protection compliance that is expected within Bord Gáis Éireann.

"That it be made abundantly clear to all staff that personal data should not be downloaded to local drives and should be maintained on networked systems for any use that is considered appropriate".

A comprehensive Information and Security Training and Awareness programme is currently under way. This programme is centred on two main components, classroom training for all employees and e-learning based training for 3rd parties working for Bord Gáis Éireann.

The training will cover the following areas:

  • Internal User Security (e-mail, internet, passwords)
  • Laptop and Mobile Device Security
  • Data Classification and Data Handling
  • Data Protection
  • Physical Security
  • Incident Response

We were pleased to note in your report that there was recognition of the serious and committed approach to Data Protection that is in place within Bord Gáis Éireann.

Please be assured that Bord Gáis Energy has taken the report and its recommendations very seriously and will ensure that there will be no recurrence of the issues that emerged following the theft of the laptops from Bord Gáis Energy premises.

Yours sincerely,

David Bunworth
Managing Director
Bord Gáis Energy
Foley Street
Dublin 1
