Published: 8 November 2021
‘As we approach six-months since the launch of our social initiative, Project Bijou, it’s clear again that there are real opportunities to reduce the incidents of data breaches and the harms that often result. Understanding better how there is always a human at the heart of a breach means we become more invested in caring for personal data properly, not just because it is our legal duty, but because it is right and ethical to do so. It is people that can be harmed when things go wrong but it is also people who have the opportunity to prevent those things from happening in the first place. If we genuinely engage with the significant responsibility we shoulder when handling other people’s data, we are much more likely to take care.
It’s pleasing to see that the level of breaches has dropped from the number seen for the previous reporting period, but each breach matters and we must continue to put every effort into reducing them as much as possible. While it’s true that not every email or piece of post sent to the wrong recipient represents a breach, every time a mistake like this is made, the potential is there for real harm to be done to an individual.’
Number of breaches reported (1 September – 31 October 2021) by category:
Breach category |
Number of reported breaches |
Percentage of total |
Cyber Incidents |
5 |
19% |
Data sent to incorrect recipient – E-mail |
9 |
35% |
Data sent to incorrect recipient – Fax |
0 |
0% |
Data sent to incorrect recipient – Post |
5 |
19% |
Inappropriate/Unauthorised Access |
0 |
0% |
Inappropriate/Unauthorised Disclosure |
4 |
15% |
Loss of data/paperwork/device |
0 |
0% |
Other |
2 |
8% |
System Error |
1 |
4% |
TOTAL |
26 |
Number of personal data breaches reported to the ODPA (Oct 2018 – present): view statistics for every two-month period from October 2018 - present.
Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.
However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.