Statistics: Honest conversations about risk to people’s data needed

Published: 12 July 2022

The Office of the Data Protection Authority (ODPA) has published its latest breach statistics with 28 personal data breaches reported during May and June 2022.

Of these, 13 breaches occurred via email, which remains the most common cause for the breaches reported. The chart below helps illustrate the complexity of circumstances surrounding the incidents where information about people is compromised.




One incident reported by the commercial sector involved a poorly redacted digital document sent to another client. The “redaction” had used drawing objects to block out content, but these objects could easily be selected and removed, revealing details which should not have been visible. This example emphasises the importance of effective redaction on documents.

In the healthcare sector meanwhile, over 30 documents intended for a pharmacy were incorrectly faxed to a non-medical premises over the course of a month. The error with the fax number was subsequently discovered and rectified but it was only when another organisation contacted them to ask about documents they had received in error that the surgery realised the extent of the breach. This was a particularly concerning incident because it involved several individuals’ special category data*.

Another reported incident involved a letter sent via post with details about an appointment for a support group meeting. The person it was intended for has the same name as a relative, and they had requested that all communication be sent via email to avoid the relative inadvertently accessing this personal information. A note was added to the individual’s record on the computer system to that effect; however, it was not seen due to a system outage, resulting in communication being conducted via post instead.

The Bailiwick’s Data Protection Commissioner Emma Martins explains why data breach reporting is so important:

“The types of breaches we have seen in this period highlight the role that open and transparent reporting plays. We are not seeing organisations setting out to deliberately compromise data but we are seeing mistakes being made. Of course we will never eliminate human error entirely but we must always learn from mistakes that have been made. We want to encourage the whole community to have an honest conversation about where the risks are and then to take meaningful steps to reduce those risks. This is not about naming and shaming, this is about learning and improving.”

*‘Special category data’ is personal data revealing an individual’s racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data, health data, data concerning an individual’s sex life or orientation, or criminal data.

NOTES 

Number of personal data breaches reported to the ODPA (Oct 2018 – present): view statistics for every two-month period from October 2018 - present.

More information about how to handle personal data breaches.  

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. 

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.