The Office of the Data Protection Authority (ODPA) has published the latest breach statistics with twenty-five personal data breaches reported during November and December 2021. In total 177 breaches were reported during 2021, which is a slight reduction on the number reported during 2020 (180).
More than half of the breaches reported in the last two months of 2021 (15 incidents) were due to personal data being sent to the wrong person. Usually the most common incident in this category is an email going to the wrong recipient, but during this period postal errors outnumbered email errors: 6 incidents were due to email errors, and 9 were due to misaddressed postal items. These types of errors are consistently responsible for the highest number of reported breaches, highlighting again the role that human error plays in data breaches.
The other main feature of this period’s statistics is that cyber incidents continue to be reported, where incidents have affected personal data. Four cyber incidents were reported during November and December 2021. Of the remaining breaches reported, two incidents were due to the inappropriate or unauthorised access of information, three were unspecified and one breach resulted from data being lost.
The 25 breaches were spread across a number of different sectors. The largest share, eight incidents, came from the health sector, followed by the fiduciary sector with four breaches.
Emma Martins, the Bailiwick’s Data Protection Commissioner, commented,
“One of the key themes we continue to see in the breach reports we receive is their link to human behaviour, whether that be deliberate actions or human error. Cyber incidents occur where criminals attack systems or seek to exploit human behaviour to gain access to systems, and one of the strongest lines of defence against these crimes is to ensure your staff understand: the risks to personal data, the tactics cyber criminals use, and what your response plan is. So, your staff are both your biggest risk and your biggest opportunity in looking after the personal data in your care.”
On 1 January 2022 the ODPA introduced an improvement to its breach reporting system so that any organisations reporting a breach can now specify both how it happened (i.e. the circumstances that led to the breach occurring) and what the outcome was (e.g. accidental disclosure of personal data).
This change addresses the complexity of circumstances surrounding incidents where personal data is breached, and allows the person reporting the breach to provide greater clarity into the reasons why a breach occurred, and what impact it may have (or has had).
The ODPA will continue publishing anonymised statistics of the breach reports it receives from the regulated community, every 2 months, so that everyone can apply any lessons learned. The first breach statistics published which reflect the changes described above will be in March 2022 (covering breach reports received during 1 Jan – 28 Feb 2022).
NOTES
More information is available about how to handle personal data breaches.
This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018.
Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018.
The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.
Number of breaches reported (1 November – 31 December 2021) by category:
Breach category | Number of reported breaches | Percentage of total
Cyber Incidents | 4 | 16%
Data sent to incorrect recipient – E-mail | 6 | 24%
Data sent to incorrect recipient – Fax | 0 | 0%
Data sent to incorrect recipient – Post | 9 | 36%
Inappropriate/Unauthorised Access | 2 | 8%
Inappropriate/Unauthorised Disclosure | 0 | 0%
Loss of data/paperwork/device | 1 | 4%
Other | 3 | 12%
System Error | 0 | 0%
TOTAL | 25 |
Number of personal data breaches reported to the ODPA (October 2018 – present): statistics are available for every two-month period from October 2018 to the present.
Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.
However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety and their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.