Highest number of breach reports since 2019

The Office of the Data Protection Authority (ODPA) has released its latest statistics on the number of personal data breaches reported by local organisations during July and August 2021.

In total, 36 breaches were reported from 1 July through to 31 August, this is the highest bi-monthly figure since late 2019. Of the 36 breaches, 22 occurred because information about, or related to, a person was sent to the wrong recipient, either by email (13 reported incidents) or post (9 reported incidents).

The ODPA is again encouraging all local businesses and organisations to take action on these preventable incidents which so often arise due to human error. In extreme cases, a personal data breach can cause lasting harm to the people whose data has been breached, not to mention the reputational damage that can be done to the organisations responsible for what went wrong. Taking steps to mitigate human error is therefore an exercise in accountability and risk management. For an overview of the issues and some practical steps that can be taken to reduce human error visit odpa.gg/humanerror.

One of the 36 incidents reported was from an organisation who sent a lengthy health report about a child, via post, to the wrong family. This incident should serve as a reminder of three key points:

1. Firstly how important it is for local ‘controllers’ (organisations or businesses that decide how people’s data is used) to have robust governance, fit-for-purpose processes, and regular staff training around how information about people is handled.
2. Secondly, where the data is particularly sensitive (‘special category data’ in legal terminology) those safeguards must be strengthened further.
3. Lastly, data protection does not start and stop on an organisation’s IT systems, the protection must follow the data wherever it goes and in whatever form it takes: including documents containing information about people that are printed off and posted.

Emma Martins, the Bailiwick’s Data Protection Commissioner, commented,

‘We are grateful for the honesty local organisations show by self-reporting these breaches to the ODPA. Each is an opportunity for lessons to be learned, and for improvements to be made. Remember that at the heart of these reported incidents are human beings who have been impacted. In a lot of cases the risk to that person is successfully mitigated by the steps an organisation takes to respond to the breach, but in rare cases there is
damage that simply can’t be undone. This is why we must all work to predict where damage to human beings is likely, and take action to prevent it from happening in the first place.’

NOTES
This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. 

Number of breaches reported (1 July - 31 August) by category:

Breach category	Number of reported breaches	Percentage of total
Cyber Incidents	1	3%
Data sent to incorrect recipient – E-mail	13	36%
Data sent to incorrect recipient – Fax	0	0%
Data sent to incorrect recipient – Post	9	25%
Inappropriate/Unauthorised Access	3	8%
Inappropriate/Unauthorised Disclosure	6	17%
Loss of data/paperwork/device	0	0%
Other	4	11%
System Error	0	0%
TOTAL	36

Number of personal data breaches reported to the ODPA (Oct 2018 – present): view statistics for every two-month period from October 2018 - present.

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.