2020’s reported data breaches down 30% on previous year

ONE hundred and eighty (180) personal data breaches were reported to the Office of the Data Protection Authority (ODPA) during 2020, a 30% reduction on the 259 reported in 2019.

The ODPA release details every two months of the number and category of data breaches reported to them by local organisations who use people’s data. This is to raise awareness in local organisations that they all have a legal obligation to notify the ODPA within 72 hours if they become aware of a breach. Publishing this information also allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.

During November and December 2020, 33 breaches were reported. 16 were due to personal data being sent to the wrong person via email, and a further 11 breaches occurred via post. The remaining were due to ‘inappropriate disclosure’ (4), ‘loss of data/paperwork/device’ (1), and ‘cyber incidents’ (1).

It is important to remember that breaches can occur in a broad range of circumstances, this is not just about sending emails to the wrong person. Wherever information about, or related to, people is compromised there is a potential risk to people.

The Bailiwick’s Data Protection Commissioner, Emma Martins, commented,

‘I have been extremely impressed at our regulated community’s engagement and conduct since these new reporting requirements came into force in 2018. Whilst the statistics are very important and can help us better understand and respond to certain trends and areas of risk, the real prize is positive and constructive engagement. As a jurisdiction we are maturing into a community which is increasingly accountable and intelligent in its handling of data, including when things go wrong. We have all learned a great deal about how some key risks are often hidden in plain sight. Talking openly and maturely about those risks allows us to tackle them and reduce them.’

NOTES 
Bi-monthly breach statistics

• This article is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018.
• Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018.
• The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.