ODPA report further increase in local data breaches

Forty-five personal data breaches have been reported to The Office of the Data Protection Authority (ODPA) in the two months up to 22 February 2019, with 22 of the 45 from the local healthcare sector. This is an increase compared with 28 over the previous two month period to 13 December 2018. The rise is likely due to organisations becoming more aware of their legal obligation to report breaches and the ODPA fully expects to see further increases as awareness continues to grow. Most incidents were low-level with no further action required. However, the ODPA has a heavy caseload of ongoing investigations, and a number of the recent breaches will be subject to further enquiry. The Bailiwick’s Data Protection Commissioner, Emma Martins, cautioned against looking at the breach statistics in isolation.

‘Whilst it appears on face value that the healthcare sector is disproportionately responsible for more breaches, the reality is much more complex. This sector routinely deals with significant amounts of sensitive ‘special category’ personal data, so more of their breaches are likely to meet the severity criteria at which there is a legal obligation to report to us. That, combined with the fact that certain healthcare providers are taking what we consider to be the enlightened approach of choosing to report all breaches to us, means that we see a high number of healthcare data breaches in the statistics. Organisations within other sectors, such as certain public authorities assess all incidents and only report medium-to-high level personal data breaches to us. This gives the appearance that these sectors are experiencing fewer breaches.’

Mrs Martins also emphasised that organisations who report are positively engaged with their legal obligations to protect people’s data.

‘Whilst no-one wants to see breaches, the reality is they are happening all the time. We would be more concerned if no reports were received as that would indicate a lack of compliance with the law as well as a lack of trust and confidence in our office by the regulated community.’

All organisations are encouraged to take a proactive approach to their breach reporting obligations in the knowledge that this will assist them in understanding and managing their own risk, as well as providing the ODPA with valuable information to support its work.

Notes This release is part of the bi-monthly breach report statistics the ODPA have been releasing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.