Recommendation 13

As part of its investigation into the February 2022 data breach, the Department provided to the ICO details of its data protection policies, as well as training and guidance for staff on the risks of sharing information by email, that were in place at the time of the incident. The ICO found that, in its view, the Department did have policies and processes in place designed to address the risks of sharing information externally when the data breach took place, and that it had taken steps to implement improved systems and processes since then.29