Statistics:

ODPA publishes latest personal data breach statistics

Published: 8 February 2024

The Office of the Data Protection Authority (ODPA) has published its latest breach statistics with 39 personal data breaches reported during Q4 2023, which affected 1,115 people. This brings the total breaches reported for 2023 to 145 (compared to 151 in 2022, 177 in 2021, and 180 in 2020).

Despite the total number of breaches reported locally reducing over the past 4 years, 2023 was exceptional in terms of the large numbers of people affected. In total, 9,908,526 people were affected by breaches reported locally during 2023. This high number related to a single incident which affected customers of a UK-based company that was the victim of a large cyber-attack. Although the company was not based locally, it reported the breach to data protection regulators in all jurisdictions where its customers were based. This incident underlines how interconnected the Bailiwick is with the wider world and the importance of a consistent regulatory environment.

“It is interesting to note the slight decrease in reported breaches over the past few years,” said Brent Homan, the Bailiwick’s Data Protection Commissioner. “This could be a positive indicator of organisations better assessing the risk of harm for any given breach incident and reporting accordingly.”


During Q4 2023, four breaches were reported by charities. The ODPA works closely with the charitable sector to support their awareness of, and compliance with, the Law. The fact that they are reporting breaches points to this engagement having a positive effect on their understanding of their breach reporting requirements. Many charities handle very sensitive information about people, so breaches may present higher risks, and engagement on this issue is to be welcomed.

Looking back at Q4’s statistics specifically, there is a continuation of the long-established trend of emails containing personal data being sent to the wrong person, with Q4 2023 seeing a further increase in these errors compared to Q2 2023 (24 incidents in Q4 as opposed to 11 in Q2).

As this has been a common theme, the ODPA takes this opportunity to remind organisations of the steps they can take to reduce risk. More information can be found in the ODPA’s webinar ‘Data breaches human error vs technology’ and podcast ‘Data breaches: 10 pitfalls & why caring for our data matters’.

This clear trend of personal data being sent to the wrong person is by far the most common breach reported to the ODPA. That said, it is important to remember how broad the legal definition of a personal data breach is: it is a breach of security that results in information about an identified (or identifiable) living person being accidentally or unlawfully destroyed, lost, altered, disclosed without authorisation, or accessed without authorisation. These outcomes can happen in all sorts of ways, not just a rogue email. 

More information about how to handle a data breach.

Notes 

This release is part of the quarterly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Breach criteria

A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.