37
DAYS LEFT

New registration requirements

If you use personal data in your work you are legally obliged to register here during 1 Jan - 28 Feb.
More details at odpa.gg/2021.

GUIDANCE: personal data breach reporting

The Law is based around seven principles of ‘good information handling’.
These principles give people (data subjects) specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

Breach reporting is a specific requirement under the Law.

Overview 
This guidance explains to organisations when and how to notify us about a personal data breach. Breach reports can be made via our secure breach reporting facility.
  • This guidance applies to controllers, as defined under section 111 of the Law .
  • Controllers must provide the ODPA with written notice of a personal data breach (a breach) as soon as practicable and in any event no later than 72 hours after becoming aware of the breach. Where full details are not yet known, the initial notification may be followed up with further details as soon as practicable.
  • All breaches that come to the attention of the controller after 25 May 2018 must be considered for reporting, regardless of when they occurred.
  • Where a controller uses the services of a processor, the processor is required under section 42(1) of the Law to give the controller notice of a breach as soon as they become aware of it.
  • If it is likely that the breach will pose a high risk to the significant interests of a data subject, the controller must also notify those individuals:
    - as soon as practicable
    - in clear and plain language
    - describing the nature of the breach
    - providing them with the name and contact details of the controller’s data protection officer (DPO) or other relevant contact,
    - a description of the likely consequences of the breach and the measures taken or proposed to be taken by the controller to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
  • Controllers must also keep an internal log of any breaches in accordance with section 42(6) of the Law. 

 

  • A breach is defined in section 111(1) of the Law as:

    “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”

    There will be a breach whenever any personal data (including any special category data) is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. A breach may be broadly defined as an incident that affected the availability, integrity or confidentiality of the personal data. This therefore includes a network intrusion by an unauthorised third party and also a deliberate or accidental act by a service provider that disrupts the availability of personal data to those that need to use it. For example, the unintended deletion of personal data where no appropriate back-up exists would constitute a breach. 

  • Section 42(2) of the Law states:

    ‘Where a controller becomes aware of a personal data breach, the controller must give the Authority written notice of it as soon as practicable, and in any event, no later than 72 hours after becoming so aware,

    Controllers must therefore tell the ODPA no later than 72 hours of becoming aware that a breach has occurred. If a notification is not made to the ODPA within 72 hours, the notification must be accompanied by an explanation of the reasons for the delay (section 42(3)(e) of the Law).

    It is accepted that in some cases it may not be feasible to provide full details within 72 hours. In such cases, section 42(4) of the Law states that:

    ‘Where it is impracticable to give the Authority all of the required information at the same time as the notice is given, the controller may provide the information in phases as soon as practicable’

    Accordingly, a controller should still make the initial notification within 72 hours, to inform the ODPA that a breach has been detected and to provide the relevant details. This should then be followed up with any of the outstanding information and a follow up form is included on this page. It may be the case that controllers need to undertake an investigation to understand exactly what has happened and what needs to be done to mitigate the breach, and that in some cases this will take longer than 72 hours. However, controllers must still notify the ODPA of the breach within 72 hours of having become aware of it and submit a follow-up notification as appropriate. 

  • In accordance with section 43 of the Law any notice to data subjects must include the following information:

    • A description of the nature of the breach
    • The name and contact details of the data protection officer or other source where more information can be obtained
    • A description of the likely consequences of the breach
    • A description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate the possible adverse effects.
    In addition, it is recommended that the notification to data subjects includes a helpline number or web address, if possible.

    The notification must be in clear and plain language. You may wish to consider publishing the notification in more than one language, depending on the nationalities of the data subjects affected.

    It should be noted that whilst the decision whether or not to notify the affected data subject of the breach initially rests with the controller, the ODPA can require the controller to do so if, in its opinion, there exists a high risk to the significant interests of the data subject.

  • Controllers must notify affected data subjects without undue delay – in other words, as soon as the controller has sufficient information about the breach.

  • Section 42(6) of the Law requires controllers to keep a written record of any breach:

    “In any case, a controller must keep a written record of each personal data breach of which the controller is aware, including – (a)The facts relating to the breach, (b)The effects of the breach, (c) The remedial action taken, and Any steps taken by the controller to comply with this section, including whether the controller gave a notice to the Authority under subsection (2), and if so, a copy of the notice..”

    The ODPA has created a template log to help you record the information you need. The ODPA will inspect such logs if a controller becomes subject to an audit pursuant to Schedule 7, paragraph 9 of the Law. The logs and any other relevant information will be used to check that controllers are complying with their obligations under the Law.

  • ☐ We are clear about our breach reporting duties
    ☐ We have robust breach detection in place
    ☐ We have a breach response plan
    ☐ We have allocated responsibility for the handling, management, and oversight of breaches
    ☐ All staff have received appropriate training about prevention, detection and management of breaches
    ☐ We have a process to consider the impact of the breach on individuals
    ☐ We have a process to inform affected individuals where necessary
    ​​​​​​​☐ We document all breaches regardless of the need to report

  • Section 42 of the Data Protection (Bailiwick of Guernsey) Law, 2017 sets out the legal obligations of a controller in the event of a personal data breach. Section 42(6) states: 

    “In any case, a controller must keep a written record of each personal data breach of which the controller is aware, including – (a) the facts relating to the breach, (b) the effects of the breach, (c) the remedial action taken, and (d) any steps taken by the controller to comply with this section, including whether the controller gave a notice to the Authority under subsection (2), and if so, a copy of the notice.”

    This document allows affected controllers to record the required information in a uniform format to assist with internal record keeping obligations as well as requests for information from the Office of the Data Protection Authority (ODPA) that may follow. It does not constitute legal advice and each case should be reviewed in detail by the controller to assess the specific requirements.

    Steps to take
    • Immediately collect as much information as possible
    • Ensure your DPO is informed and updated
    • Report breach to ODPA
    • Consider contacting interested parties (law enforcement, service provider)
    • Implement containment measures
    • Assess the harm
    • Consider notification of data subjects
    • Complete internal written record of the breach