‘Effective, successful and trusted’ organisations benefit from considered breach response

The Office of the Data Protection Authority (ODPA) has released its latest statistics on the numbers of personal data breaches reported by local organisations during May and June 2021. 

In total, 29 such breaches were reported from 1 May through to 30 June, of which four were cyber security related and the remainder non-cyber incidents. Sending information about people to incorrect recipients, either by email or post, remains the most reported incident. 
 
Overall, the latest figures are broadly consistent in totals and nature of breaches with established trends going back to when breach reporting became mandatory in 2018. 16 (55% of total reported) incidents related to information about people being either posted or emailed incorrectly, resulting in that personal data ending up in the wrong hands. 7 (24% of total reported) incidents happened because of organisations either giving access to, or disclosing, information about a person when they should not have done so. These incidents can happen accidentally or deliberately. 

Anyone (‘controllers’ or ‘processors’ as the Law calls them) who uses information about people must remember that mandatory breach reporting is just a small part of a much bigger picture of how to respond after someone’s information has been breached. If you use people’s data, it is your responsibility to have an appropriate breach response plan, so that you can quickly minimise any harms caused when things don’t go well. See odpa.gg/breach-response for guidance on this.    

Emma Martins, the Bailiwick’s Data Protection Commissioner, commented:

'We continue to be grateful to our regulated community for the positive way in which they engage and comply with the breach reporting duties. It is our aim to be as open and transparent in all our activities as we can be and allowing our community to have accurate and meaningful information about data risks is an important part of that. The clear trends we continue to see point to the fact that there is much that we can all do to minimise risk. Building a considered breach response process into an organisation is not only a requirement of the legislation, it is also an essential part of running an effective, successful and trusted business.'
 

NOTES
This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. 

Number of breaches reported (1 May – 30 June 2021) by category:

Breach category	Number of reported breaches	Percentage of total
Cyber Incidents	4	14%
Data sent to incorrect recipient – E-mail	9	31%
Data sent to incorrect recipient – Fax	0	0%
Data sent to incorrect recipient – Post	7	24%
Inappropriate/Unauthorised Access	4	14%
Inappropriate/Unauthorised Disclosure	3	10%
Loss of data/paperwork/device	0	0%
Other	2	7%
System Error	0	0%
TOTAL	29

Number of personal data breaches reported to the ODPA (Oct 2018 – present): view statistics for every two-month period from October 2018 - present.

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.