
Data Protection Commissioner calls for a culture of improvement

Published: 21 January 2020

Forty-eight personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 28 December 2019. Of the reported breaches, 39 were due to human error, highlighting again how people’s actions continue to be the biggest cause of personal data breaches locally. Information sent via email or post to the wrong person has consistently been the most common type of data breach reported since statutory reporting requirements came into effect. In response to this trend, the ODPA has recently been focusing on the role of human error in its events programme to help organisations and individuals understand and respond to the risks.

The Bailiwick’s Data Protection Commissioner, Emma Martins, notes that changing attitudes and behaviour is key to reducing data breaches and preventing harm.

‘These latest figures again illustrate how important it is for us all, whatever our role, to understand data protection as something more than an IT issue. We must focus on ensuring individuals’ rights are respected while also recognising the impact of human error when using personal data. It is unrealistic to expect people to never make any mistakes, but we can positively influence attitude and a culture in organisations where mistakes are learnt from, behaviours change as a result and the risk of future harm is reduced.’

‘We do not seek a culture of blame, rather we seek a culture of improvement,’ added Mrs Martins.

The remaining self-reported breaches for the two-month period fell into other categories including mislaid data, criminal, hacking, unauthorised access and unauthorised disclosure.

NOTES

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Number of personal data breaches reported to ODPA:
2 months to 28 December 2019 (details above) 48
Data breaches: workplace culture change needed (2 months to 27 Oct 2019) 44
Human behaviour remains key risk to protecting data (2 months to 26 Aug 2019) 32
Data Protection Commissioner cautions against a ‘culture of blame’ (2 months to 25 Jun 2019) 50
Human error remains biggest risk in data protection locally (2 months to 22 Apr 2019) 40
ODPA report further increase in local data breaches (2 months to 22 Feb 2019) 45
Increase in local data breaches (2 months to 18 Dec 2018) 28
ODPC offers advice after increase in local data breaches (2 months to 18 Oct 2018) 26
Breach criteria

A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident.

It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained

A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.