Data Protection Commissioner cautions against a ‘culture of blame’

Published: 28 June 2019

Fifty personal breaches were reported to The Office of the Data Protection Authority (ODPA) in the two months up to 25 June 2019. This is the highest figure reported since mandatory breach reporting was brought in on 25 May 2018. But the Bailiwick’s Data Protection Commissioner, Emma Martins takes it as a good sign that the regulated community trusts her office to respond proportionately.
‘We want to support a culture that is focussed on delivering good outcomes and we recognise the part we play in that. A mature system of self-reporting of data breaches provides both transparency and an opportunity to learn from events, improve performance and reduce risk. In recognising that in an increasingly data-rich world, both human error and technological error are inevitable, we want to avoid a culture of blame and encourage a more constructive culture of sharing, questioning and improvement.’
Forty-two of the breaches reported were due to personal data being sent, via email or post, to the wrong person. The remaining eight breaches happened because of criminal hacking, people accessing personal data inappropriately, or data being lost. Mrs Martins described the ODPA’s positive approach to breach reporting.
‘We discourage an adversarial, blame-focussed approach and encourage a collaborative one which in turn allows the regulated community to positively engage with their legal and ethical responsibilities in an enlightened way, rather than through fear of sanction.’
A personal data breach will likely happen whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. Mrs Martins concluded by commenting on the ODPA’s strengthened enforcement powers.
‘There will always be a small minority of our regulated community who only respond to threat of enforcement. Our local data protection law gives us greater powers than ever before to deal with that. But the significant powers of sanction now available should not mean that we only talk in those terms. If we do, we risk alienating the vast majority of our community who are, in our experience, trying to do the right thing. By focussing on giving them the information, support and tools which enable them to do the right thing is not only a more positive use of our time, it can reduce harm and lead to better outcomes for everyone.’

Number of personal data breaches reported to ODPA

Breach examples

All breaches reported to the ODPA remain confidential, but to help the regulated community understand some circumstances that may lead to a breach, below are five hypothetical scenarios along with how they could be avoided:
Scenario Breach How could this be avoided?
 Inappropriate action A lack of staff training led to an employee accessing and printing clients’ personal data without authority.   It may have been accidental and not malicious, but it is still a breach. Educating staff about what they are and are not authorised to do with the data they have access to should avoid this happening again.
    Email error When replying to an email with several recipients, an additional person was accidentally included in the chain and received a number of messages and associated personal data that they were not authorised to have.   This was probably down to human error, possibly a typing mistake leading to an unintended recipient. Reminding staff to slow down, double check recipients, and consider the consequences of their actions before hitting the ‘send’ button should prevent this breach being repeated.
Mislaid data An organisation posted out a client’s original documents, containing personal data. They were lost in the post and were never received by the intended recipient. In a large jurisdiction like the UK this information would be unlikely to be found by someone that knows the client. However, in the Bailiwick it is much more likely that personal data lost here could be found by someone that knows the person concerned. Once this kind of data is lost it may be impossible to recover and it is also not possible to be sure of the identity of and how many people, might have viewed it. When sending out any of this kind of personal data, the organisation should carry out a risk assessment to identify all the potential areas of risk. Appropriate measures could be put in place to prevent the loss of data in the post. The use of couriers or recorded delivery may be necessary. It may also be prudent to keep copies of data if authorised to do so.
Unsecured special category data An organisation holding special category data (eg. data relating to a person’s race/religion/sex life/health etc.) stored it in an unsecured area of the IT system that meant that all members of staff had access to it with or without permission or the correct training to do so. An audit of the IT systems would identify what areas are freely accessible to all staff and ascertain what data needs to be more securely stored. The correct training and policies and procedures need to be put in place to facilitate staff awareness regarding the use of special category data and the importance of keeping it secure and confidential.
    Phishing attack An employee within an organisation received a phishing email that appeared to be from a reputable and known client. Unwittingly the individual replied to the email which allowed the scammer access to the organisation’s systems and data stored within them. Training on the importance of data security and how to verify the sources of emails would help reduce the risk of this re-occurring.   It may also be possible to install systems that identifies these kinds of scams or suspicious correspondence and flag them up.   It’s also vital that staff know the correct response and action if this does happen. There needs to be an agreed action plan in place to reduce the harm caused by the attack and to ensure all the correct reporting is carried out afterwards.
Breach criteria A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident.

It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.