The Office of the Data Protection Authority (ODPA) has released the latest statistics of personal data breaches reported by local organisations, together with what can be learned from them. This information is aimed at all organisations looking to improve their breach preparedness.
A total of 39 personal data breaches were reported to the ODPA during Q2 2024, with 14,019 people affected.
The ODPA would like to focus on two specific reports received in Q2, to highlight actionable lessons:
- Case study 1
An organisation sent a password-protected document containing information about a person to an incorrect recipient. On its own this would not necessarily constitute a serious breach, as the password protection would prevent the incorrect recipient from accessing the information, provided the password did not reach them by another route. However, in this instance, the organisation sent the password for the document in the same email as the document itself, thereby rendering the technical measure used to protect the information (the password) useless.
Learning: this case study brings home how security measures implemented with the best of intentions can fail through poor execution. A password only protects a document if it travels by a separate channel (for example a phone call or a text message to a verified number), never in the same email as the file it unlocks. You must make sure your staff are adequately trained in handling personal data safely, and that they understand not just what the security measure is but why it only works when applied correctly.
- Case study 2
A service user submitted a ‘data subject access request’ (DSAR) to an organisation, asking for all the details the organisation held about them and what it was doing with them. Whilst staff were gathering the hard copies of this information for the person, they accidentally picked up a document which contained highly sensitive information about several vulnerable children and included it in the pack sent out to the service user.
Learning: whenever any member of staff, regardless of their status or knowledge, is handling highly sensitive information about people, they must recognise and carefully consider the risks involved, slow down and take extra care that the information is not accessible to (or, in this case, given to) people with no right to see it. A practical safeguard is to have a second person check a response pack page by page against the request before it is dispatched. Mistakes will happen, but their likelihood can be reduced if extra care is taken. Remember, the Bailiwick is a small place, so the chances of individuals knowing each other are high, which heightens both the risks and the potential damage associated with breaches of this kind.
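The failure in case study 1 can be caught mechanically before the message leaves the organisation. The following Python script is an added example written for this page, not ODPA code or any product's implementation: it inspects an outbound message, recognises two common kinds of password-protected attachment (a PDF whose trailer carries an /Encrypt entry, and a ZIP whose local file header has the encryption flag set), looks for a password written into the message body, and blocks only the combination of the two. The detection heuristics, the regular expression, the `check_outbound` gateway hook and the sample messages are assumptions made here for illustration; the ZIP attachment in the sample is a constructed header fragment, not a real archive.

```python
"""Outbound-mail check for the failure in case study 1: a password-protected
attachment travelling in the same message as the password that opens it.

Added example, not ODPA code. The detection heuristics, the password regex,
the gateway hook (check_outbound) and the sample messages are assumptions
made here for illustration.
"""
import re
import struct
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Phrasings that disclose a password in free text (assumption: tune to the
# wording your staff actually use). The hyphen in "password-protected" is
# deliberately not accepted as a separator, so that phrase is not a hit.
PASSWORD_PATTERN = re.compile(
    r"\b(?:password|passcode|passphrase|pwd|pin)\b\s*(?:is|:|=)\s*[\"'\u201c]?(\S{4,})",
    re.IGNORECASE,
)


def is_encrypted_pdf(data: bytes) -> bool:
    """A PDF whose trailer carries an /Encrypt entry needs a password to open."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def is_encrypted_zip(data: bytes) -> bool:
    """ZIP local file header: bit 0 of the general-purpose flag marks encryption."""
    if len(data) < 8 or data[:4] != b"PK\x03\x04":
        return False
    (flags,) = struct.unpack("<H", data[6:8])
    return bool(flags & 0x0001)


def protected_attachments(msg: EmailMessage) -> list:
    """Filenames of attachments that the checks above consider password-protected."""
    names = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if is_encrypted_pdf(payload) or is_encrypted_zip(payload):
            names.append(part.get_filename() or "<unnamed>")
    return names


def disclosed_passwords(msg: EmailMessage) -> list:
    """Candidate passwords written into the message body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return [m.group(1) for m in PASSWORD_PATTERN.finditer(text)]


def check_outbound(raw: bytes) -> dict:
    """Decision a mail gateway would take before releasing the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    attachments = protected_attachments(msg)
    passwords = disclosed_passwords(msg)
    return {
        "protected_attachments": attachments,
        "password_in_body": bool(passwords),
        # Block only the combination: a protected file on its own is fine,
        # and a password on its own is a different control's concern.
        "block": bool(attachments) and bool(passwords),
    }


def build_sample(password_in_body: bool) -> bytes:
    """Constructed sample message, not a real breach artefact.

    Carries a PDF fragment with an /Encrypt trailer entry and a ZIP local
    file header with the encryption bit set (header only, not a valid archive).
    """
    msg = EmailMessage()
    msg["From"] = "case.worker@example.org"
    msg["To"] = "wrong.recipient@example.net"
    msg["Subject"] = "Requested report"
    body = "Please find the password-protected report attached.\n"
    if password_in_body:
        body += "The password is Summer2024!\n"
    msg.set_content(body)
    pdf = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
           b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="report.pdf")
    zip_header = struct.pack("<4sHH", b"PK\x03\x04", 20, 0x0001) + b"\x00" * 22
    msg.add_attachment(zip_header, maintype="application", subtype="zip",
                       filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(check_outbound(build_sample(flag)))
```

Run stand-alone, the script reports `block: True` for the message that carries both the protected attachments and the line "The password is Summer2024!", and `block: False` for the same message without that line. The heuristics are deliberately narrow: they recognise only the two file formats shown and only explicit "password is / password:" phrasings, so they will miss encrypted Office documents and passwords sent in a follow-up email to the same address. Treat the check as a safety net behind staff training, not a replacement for it.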
The Bailiwick’s Data Protection Commissioner, Brent Homan, commented:
“A prevailing theme of the case studies in this report is ‘attention to detail’. In each situation the organisation was trying to uphold data rights, but in one case they included the password in an email with an encrypted document, and in the other they packaged third party sensitive info with an individual’s access to information request. When sending out sensitive information it is always a good practice to ‘pause and verify’ before you hit that send button.”
Read this document for details of what can be learned from these most recent breach incidents.