Twenty-six personal data breaches have been reported to The Office of the Data Protection Commissioner (ODPC) in the last two months up to 18 October 2018. The number of breaches has increased slightly, when compared with the previous reporting period of 32 reported breaches over three months up to 18 August. The increase is likely due to organisations being more aware of their legal obligation to report breaches to the ODPC. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPC of any personal data breach within 72 hours of becoming aware of it. Most breaches received were low-level with no further action required. However, the ODPC has a heavy caseload of ongoing investigations into breaches and complaints that do require further action. There has also been a specific increase in hacking-related incidents and in particular, hackers gaining control of email accounts. Guernsey’s Data Protection Commissioner, Emma Martins commented on the role of breach reporting and its value in achieving regulatory compliance.
‘The continued high levels of compliance by local organisations when reporting these incidents is to be welcomed. We recognise that it may not come naturally for organisations to inform regulators when things don’t go to plan and we understand that having confidence in my Office and the way in which such matters are handled is vital. Taking a proactive approach in this area will help to enhance confidence in the organisations handling our personal data. It also provides my Office with extremely useful insight about the types and nature of breaches, which in turn enables us to target our education and compliance programme in a meaningful and effective way.’
The breach reports received suggest that organisations are exposed to the greatest risk of breach when personal data leaves their direct control, either by post or email. The ODPC offers the following advice to local organisations. When using postal or email systems for sending personal information:
When letting ODPC know that your organisation has experienced a breach:
- Regularly check your email security: update patches, and if you are making any significant changes think about whether penetration testing is necessary.
- Pause – think and check before you send: remind all staff members who are posting or emailing letters/documents that contain personal data to slow down, to always double check the recipients are correct and appropriate.
- Avoid complacency: consider the potential implications of the information you are handling falling into the wrong hands and take all reasonable precautions to prevent this from happening.
- Beware of the secondary breach: if you experience a breach and report it to the ODPC, take care not to commit a secondary breach in the process. For instance, as part of an initial self-reported breach you don’t need to send ODPC the specific evidence of the breach, you just need to disclose how it happened, what personal data has been put at risk, how many people’s data are affected, the category of person affected (i.e. staff members, customers, suppliers), and the category of personal information affected.
If you sent a breach report similar to the below, it would constitute a secondary breach, as it exposes
the data and individuals concerned.
“I’ve sent details related to Mrs A. Bloggs positive pregnancy test results to Mrs C. Bloggs.”
Instead, you should submit a breach report in the below format, which protects
the data and identities concerned.
“At 13:10 on 19 October 2018, I sent special category medical data related to a patient’s pregnancy to an individual with a similar name in error.”
The Office of the Data Protection Commissioner is working to improve its online breach reporting mechanism and has asked for any comments to be submitted via firstname.lastname@example.org
What is a breach?
A personal data breach is defined in section 111(1) of the Law
as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
There will likely be a breach whenever any personal data (including any special category data) is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.
Action points for organisations after a personal data breach
Action we take following a reported breach
- Let us know the breach has occurred – via our secure online breach reporting mechanism
- Take steps to limit the damage. Where appropriate, advise the person who received the data in error that they should delete the data and must not make use of or disclose the data to anyone else
- Consider whether it may be necessary or appropriate to report the breach to any other regulatory or law enforcement agency
- In some cases you will need to notify the person whose data was disclosed in the breach
- Ensure your organisation reviews and learns from what has happened
- We record the breach, securely and confidentially, and assess its severity.
- We contact the organisation to confirm receipt of their breach report and discuss what happens next (each report is assessed on a case by case basis).
- Where necessary we may need to communicate with other data protection authorities, if the breach is likely to affect people outside of our jurisdiction.