Human behaviour remains key risk to protecting data

Published: 12 September 2019

THIRTY-TWO personal data breaches were reported to The Office of the Data Protection Authority (ODPA) in the two months up to 26 August 2019. Eighteen of the breaches were due to personal data being sent, via email or post, to the wrong person. The remaining fourteen were through criminal activity, hacking, personal data being accessed inappropriately, the disclosure of personal data when not authorised to do so, or personal data being lost. Emma Martins commented on the human aspect of personal data breaches.
‘What is striking from this period’s statistics is that all the breaches reported to us were due to human action, whether deliberate or accidental. There was not a single incidence of system error.  We must all recognise that it is people’s awareness, attitudes, behaviour and choices that often pose the biggest risk to the protection of personal data, rather than our IT systems. Because of this, my office is laser-focused on raising everyone’s appreciation and awareness of data protection, in the hope that we can create positive cultural change around how people think, and feel, about taking care of personal data.’
Part of this awareness-raising is the ODPA’s decision to take part in this year’s Global Privacy Enforcement Network (GPEN) ‘Privacy Sweep’ for the first time. This international intelligence-gathering exercise examines a different theme each year and in 2019, the focus is on how data breach notifications are handled. Mrs Martins said,
‘We will be contacting a sample of local organisations directly, asking them to respond to a short survey from GPEN later this month. Honest responses to the survey are encouraged, as it is only through honesty that an accurate snapshot of the challenges organisations face can be taken, from which we can all learn lessons. Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’
NOTES

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018 (previous releases are listed below). Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

[Chart: Number of personal data breaches reported to ODPA]

Breach criteria

A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident.

It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained

A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety and their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.