Human error remains biggest risk in data protection locally

Published: 30 April 2019

Forty personal data breaches were reported to The Office of the Data Protection Authority (ODPA) in the two months up to 22 April 2019, with almost all (35) occurring due to human error.

The reports received indicate that human error poses the greatest risk to organisations’ safe handling of personal data. Whilst the majority of breaches were of a low-level with no further action required, the ODPA has an ongoing caseload and a number will be subject to further investigation. The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the trends observed in the nature of the breaches reported.
‘This period continues to demonstrate a trend of human error being one of the biggest hurdles to good data protection and there is much work to be done to better understand this and how best to mitigate it. We are focused on what we can learn from the breaches reported to us by the regulated community and how we can use this information to predict and prevent future breaches and in turn how best to prevent harm.’
Acknowledging the human error factor in data breaches, the ODPA has reiterated advice it first issued in October 2018 which include taking all reasonable precautions to avoid complacency in the workplace by reminding staff to slow down, and double check recipients of emails and documentation. Mrs Martins also confirmed that nearly half of recent breaches were reported by the Bailiwick’s financial sector.
‘It is no surprise that 18 of the 40 breaches reported have come from the finance sector as this part of the local economy employs ~22% of the island’s workforce and is well-accustomed to adhering to tight regulatory standards. It is reassuring to us that this sector is taking its statutory obligation to report personal data breaches to us seriously.’
All organisations are encouraged to take a proactive approach to their breach reporting obligations in the knowledge that this will assist them in understanding and managing their own risk, as well as providing the ODPA with valuable information to support its work.

Notes This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.  

Number of personal data breaches* by sector:
Finance 18
Healthcare 15
Other 4
Public authorities 3
*Period: 23 February 2019 – 22 April 2019

Breach criteria A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident.

It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.