ODPA sees similar levels of breaches being reported

The Office of the Data Protection Authority (ODPA) has confirmed that the number of personal data breaches reported by local organisations over the past two months is consistent with previous reporting periods.

In total, 32 such breaches were notified to the Authority from 1 March through to 30 April, of which five were cyber security related and the remainder non-cyber incidents. The total is just three more than the previous two months, with information sent to the incorrect recipient still proving to be the greatest cause of risk to an individual’s personal data.
 
Overall, from the latest figures, 17 incidents (58%) related to incorrect posting or emailing and 9 (31%) were inappropriate or unauthorised disclosure of information. These are broadly consistent in totals and nature of breaches and reported by organisations from a range of sectors, with the majority from finance and public authorities (65% and 17% respectively).

Emma Martins, the Bailiwick’s Data Protection Commissioner, confirmed she was encouraged that the number of breaches reported remain consistent, but advised on the role people play in personal data breaches.

‘This period’s statistics are in line with the established trend: the numbers are not increasing, which is positive, but it is what people, not systems, do that is the biggest factor in most data breaches reported to us. Protecting data well is first and foremost a human issue and armed with that knowledge there is a great deal that we can all do to reduce risk.’

Anyone wishing to find out more about mitigating human error can view a short webinar about it at odpa.gg/humanerror. 

Mrs Martins added:

‘The ODPA aims to be a transparent, open and supportive regulator, focussed on encouraging awareness and engagement. The wide range of events, workshops and support programmes scheduled each year are proving to be popular with local organisations and individuals so we would encourage both to continue to engage with us. Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’

NOTES 
This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Breach categories explained 
The ODPA individually assesses each breach reported to them and assigns them to one of the nine categories listed below. The categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. 

1. Loss of data/paperwork/device (accidental)
2. Data sent to incorrect recipient – email (accidental)
3. Data sent to incorrect recipient – post (accidental)
4. Data sent to incorrect recipient – fax (accidental)
5. Inappropriate/Unauthorised Access (accidental or deliberate)
6. Inappropriate/Unauthorised Disclosure (accidental or deliberate)
7. System error (accidental)
8. Cyber incidents (accidental or deliberate)
9. Other (accidental or deliberate)

Number of personal data breaches reported to the ODPA
View statistics for every two month period from October 2018 - present. 

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. 

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported. 

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.