A breach is defined in section 111(1) of the Law as:
‘“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’
There will be a breach whenever any personal data (including any special category data) is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. A breach may be broadly defined as an incident that affects the availability, integrity or confidentiality of the personal data. This therefore includes a network intrusion by an unauthorised third party, and also a deliberate or accidental act by a service provider that disrupts the availability of personal data to those who need to use it. For example, the unintended deletion of personal data where no appropriate back-up exists would constitute a breach.
Section 42(2) of the Law states:
‘Where a controller becomes aware of a personal data breach, the controller must give the Authority written notice of it as soon as practicable, and in any event, no later than 72 hours after becoming so aware, …’
Controllers must therefore notify the ODPA within 72 hours of becoming aware that a breach has occurred. If the notification is not made within 72 hours, it must be accompanied by an explanation of the reasons for the delay (section 42(3)(e) of the Law).
The Law also provides:
‘Where it is impracticable to give the Authority all of the required information at the same time as the notice is given, the controller may provide the information in phases as soon as practicable’
Accordingly, a controller should still make the initial notification within 72 hours, to inform the ODPA that a breach has been detected and to provide the relevant details. Any outstanding information should then be supplied in a follow-up notification; a follow-up form is included on this page. Controllers may need to undertake an investigation to understand exactly what has happened and what needs to be done to mitigate the breach, and in some cases this will take longer than 72 hours. However, controllers must still notify the ODPA of the breach within 72 hours of having become aware of it and submit a follow-up notification as appropriate.
Controllers must notify affected data subjects without undue delay – in other words, as soon as the controller has sufficient information about the breach.
In accordance with section 43 of the Law any notice to data subjects must include the following information:
Section 42(6) of the Law requires controllers to keep a written record of any breach:
“In any case, a controller must keep a written record of each personal data breach of which the controller is aware, including – (a) the facts relating to the breach, (b) the effects of the breach, (c) the remedial action taken, and (d) any steps taken by the controller to comply with this section, including whether the controller gave a notice to the Authority under subsection (2), and if so, a copy of the notice.”
The ODPA has created a template log to help you record the information you need. The ODPA will inspect such logs if a controller becomes subject to an audit pursuant to Schedule 7, paragraph 9 of the Law. The logs and any other relevant information will be used to check that controllers are complying with their obligations under the Law.
☐ We are clear about our breach reporting duties
☐ We have robust breach detection in place
☐ We have a breach response plan
☐ We have allocated responsibility for the handling, management, and oversight of breaches
☐ All staff have received appropriate training about prevention, detection and management of breaches
☐ We have a process to consider the impact of the breach on individuals
☐ We have a process to inform affected individuals where necessary
☐ We document all breaches regardless of the need to report
Section 42 of the Data Protection (Bailiwick of Guernsey) Law, 2017 sets out the legal obligations of a controller in the event of a personal data breach. Section 42(6) states:
“In any case, a controller must keep a written record of each personal data breach of which the controller is aware, including – (a) the facts relating to the breach, (b) the effects of the breach, (c) the remedial action taken, and (d) any steps taken by the controller to comply with this section, including whether the controller gave a notice to the Authority under subsection (2), and if so, a copy of the notice.”
This document allows affected controllers to record the required information in a uniform format to assist with internal record-keeping obligations, as well as with any requests for information from the Office of the Data Protection Authority (ODPA) that may follow. It does not constitute legal advice, and each case should be reviewed in detail by the controller to assess the specific requirements.