Lowest number of data breaches: less data harms, or less engagement?

The Office of the Data Protection Authority (ODPA) has published its latest breach statistics and emphasised the need for local organisations to continue positively engaging with their legal duties around how they handle people’s data.

Twenty-one personal data breaches were reported to the ODPA in the two months leading up to 31st August 2020. Just over half of these (12 incidents) happened when personal data was accidentally sent to the wrong person by email and the next highest figure was composed of instances where data was sent to the incorrect recipient by post, which totalled just under a fifth (4 incidents).

The 21 breaches were split across a variety of sectors, with the bulk of the incidents stemming from public authorities (6), retail/wholesale (5) and legal (3). There were also two breaches which originated from employment agencies and the remaining number were split evenly across five other sectors.

This period’s reported breaches are the lowest on record. On the face of it this implies a positive shift – fewer reported data breaches could be the result of increased awareness of the importance of preventing data breaches from happening in the first place, leading to fewer data harms occurring. Equally the opposite could be true, the low number of reported breaches could indicate under-reporting, a lack of engagement in looking after people’s data well, and data harms going undetected.

Emma Martins, the Bailiwick’s Data Protection Commissioner, commented,

‘Whilst on the one hand we welcome the low numbers of breaches, we also recognise that our reporting figures are unlikely to reflect the true picture. Some organisations will suffer breaches but not be aware of them, and others may be aware but not report them. Awareness of, and ability to respond to data breaches is essential for all organisations; not just because there is a legal duty to report them to the ODPA, but importantly because data governance is inextricably linked to business success. Organisations thrive on trust and confidence, so the way they look after people’s information is critical in building and maintaining both. We work hard to support and encourage the regulated community to deliver the highest standards of data protection. We also recognise that things do go wrong and that by engaging positively with organisations, we hope they will continue to trust us to handle breach reports in a constructive way and one which seeks to learn and improve.’

Effective breach management is an essential part of data governance for all organisations and the reporting of breaches that meet the threshold is a statutory requirement.

It is important to remember that behind the breach statistics there are human beings who have potentially been significantly affected. Because of this it is crucial that organisations carefully consider the impact on the people whose data has been affected when assessing the level of risk. Organisations must have robust mechanisms in place for accurately reviewing the possible impact and the risk level associated with each individual breach, appreciating that the risk may not necessarily be obvious and may not manifest itself immediately.

NOTES 

Breach reporting
One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it (see section 42 (2) of the Law). Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.

Why does the ODPA publish breach statistics?
The ODPA has published statistics of the number of breach reports it receives, every 2 months since October 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.

Number of personal data breaches reported to ODPA (2018 – present)

How are personal data breaches categorised?
The ODPA individually assess each breach reported to them and assign them to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.

1. Loss of data/paperwork/device (accidental)
2. Data sent to incorrect recipient – email (accidental)
3. Data sent to incorrect recipient – post (accidental)
4. Data sent to incorrect recipient – fax (accidental)
5. Inappropriate access (accidental)
6. Inappropriate disclosure (accidental)
7. System error (accidental)
8. Cyber incidents (accidental or deliberate)
9. Unauthorised access (deliberate)
10. Other (accidental or deliberate)

What is a personal data breach?
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “ a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

What is the threshold for reporting a data breach to the ODPA?
Organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident (see section 42 (5) of the Law). It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

What are a person’s ‘significant interests’?
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.