ODPA publish latest personal data breach statistics

Published: 12 July 2023

The Office of the Data Protection Authority (ODPA) has published breach statistics for the second quarter of 2023.

Thirty-two personal data breaches were reported from April to June 2023, affecting 549 people.

One case involved an employee who had used a personal device to record a customer’s personal data for work purposes, because an IT system failure meant they had no access to a work device. It illustrates how important it is for companies to have built-in resilience and a clear procedure for employees to follow in the event of an IT outage or other event.

This case also highlights the importance of keeping your work and personal life separate. The ODPA receives regular reports of personal data breaches by people using personal email accounts or social media accounts to send work-related information.

Just last week, the UK High Court ruled that the Cabinet Office must release former Prime Minister Boris Johnson’s unredacted WhatsApp messages and notebooks to the Covid-19 enquiry. Using personal messaging to conduct your work can blur where the boundaries of your personal life and your job are in a way that is not helpful for you or your workplace.

Breach statistics are now published quarterly and include two new criteria: the severity of the reported breaches and the total number of people affected. This shift in focus reveals how relatively few incidents can impact a huge number of people.

More information about how to handle a data breach can be found at:


This release is part of the quarterly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.