The Office of the Data Protection Authority (ODPA) has published breach statistics for the third quarter of 2023.
Thirty-eight personal data breaches were reported between the beginning of July to end of September 2023 with
46 underlying causes. These affected
77,321 people.
The unusually high number of people affected is largely down to one particular self-reported breach involving the sending of an email to an incorrect recipient which contained a significant volume of personal data. This particular breach involved information relating to thousands of people within the Bailiwick, as well as a number from other jurisdictions.
In another example, a template document which had been filled-in with someone’s personal information was accidentally shared.
This prompted the organisation involved to provide an online template for clients to download, instead of sending copies of the template to clients.
This is a good solution for anyone providing templates, as online versions which can be downloaded should avoid this fairly common problem from recurring.
There is a continuation of the trend seen over recent quarters where emails containing personal data are sent either to the wrong person or to a personal email address, with this quarter seeing a doubling of these errors compared to quarter 2 2023 (22 incidents in Q3 as opposed to 11 in Q2).
As this has been a common theme, the ODPA takes this opportunity to remind organisations of the steps they can take to reduce risk.
More information can be found in the ODPA’s webinar ‘Data breaches human error vs technology’ and the recent podcast 'Data breaches: 10 pitfalls & why caring for our data matters'.
General information about how to handle a data breach can be found at: odpa.gg/breach-response.
Notes to Editors
This release is part of the
quarterly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.
Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.