Commissioner responds to media queries about Sure data breach

The ODPA was asked by local media to comment on Sure’s recent data breach:

Emma Martins, the Bailiwick of Guernsey’s data protection commissioner said:

‘I can confirm that Sure, aware of their statutory responsibility to report a data breach, let us know about this incident earlier this month. Anyone who is affected by this should speak directly to Sure in the first instance. Incidents like this act as a reminder to us all to be vigilant of risks such as identity theft that can arise after personal data is compromised. More information about how to protect yourself from identity theft, and what your rights are under our local data protection legislation can be found on our website.’

More information:
8 steps to protect yourself from identity theft and scams
Exercising your rights

ODPA appoints new key staff

The Office of the Data Protection Authority (ODPA) has recruited three staff in key roles, to ensure it has the right mix of skills to be an effective regulator of the Bailiwick’s data protection legislation.

Edward Chapman and Martin Harris join as case and compliance investigators to fulfil the role of investigating data breaches and complaints in the Bailiwick. Kirsty Bougourd has started as communications and outreach officer with responsibility for establishing and running the ODPA’s education programme for local schools as well as assisting with internal and external communications.

Emma Martins, Guernsey’s Data Protection Commissioner, says the appointments are very important and timely following the first anniversary of The Data Protection (Bailiwick of Guernsey) Law, 2017, in May.

ODPA new starters with Commissioner (L-R) Edward Chapman, Emma Martins, Martin Harris, Kirsty Bougourd.

‘I am delighted to welcome our three newest members of staff. Our Office has gone through a number of significant changes since the new legislation came into force last May. We have given careful consideration as to how we can perform our statutory duties, including how best we structure our limited resources.

‘The qualities our new team members bring to this increasingly important area of regulation will directly impact how successful we are. As with any organisation, our employees are our most important and valued asset and I am extremely proud of the team we now have in place. Our team’s mix of skills, combined with their genuine commitment to providing the highest quality regulation means we are now in a stronger position than ever to be an effective regulator and achieve our strategic aims,’ said Mrs Martins.

Kirsty’s extensive background in journalism and teaching will be instrumental in raising young people’s awareness of data protection and their digital footprint. Her work will cover a broad spectrum of ages from primary school children all the way up to college students.

New York-born Edward joins the ODPA as a skilled investigator following 10 years’ working for London’s Metropolitan Police, six of which were as a Detective Constable. His skills and experience will be a huge asset to the ODPA’s compliance and enforcement function, and will help inform how investigations are conducted.

Martin has a wealth of investigation experience having worked for Guernsey Police for 30 years. During his time with the Police he attained the rank of Sergeant and undertook various areas of specialisms ranging from uniformed operations to criminal investigations. Martin’s considerable experience and knowledge will make him an integral team member, and his valuable skillset will further strengthen the ODPA’s compliance and enforcement capabilities.

US CLOUD Act: local implications

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a preliminary report on 12 July highlighting a potential conflict between the US CLOUD Act and the EU’s data protection framework.

What is the CLOUD Act?
The US CLOUD (Clarifying Lawful Overseas Use of Data) Act was passed by Congress in early 2018. It is intended to enable US authorities to access personal data stored outside the USA, by bypassing any Mutual Legal Assistance Treaty (MLAT) in force. The Act’s provisions are wide in scope, covering personal data and metadata, the full range of governmental requests, including those that do not require judicial intervention, and real-time interception.

What is the conflict?
US authorities cannot legally rely on the CLOUD Act alone to force an entity in the Bailiwick to disclose a person’s data. The disclosure must be handled in accordance with our local data protection law.

What does this mean for the Bailiwick?
If you or your organisation receive a request from a US authority to disclose data about someone citing the CLOUD Act, you need to first establish whether this request is lawful.

You may wish to seek legal advice to answer these questions:

  1. Are you legally bound to comply with a decision of a US court, as these do not automatically have legal force here?
  2. Is there a legal basis you can rely on from Schedule 2 of The Data Protection (Bailiwick of Guernsey) Law, 2017 for you to disclose the personal data?
  3. Is there a legitimate mechanism you can rely on to transfer the data to the US as an unauthorised jurisdiction?

For more information please read the EDPS and EDPB report: Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence (July 2019).

Data Protection Commissioner cautions against a ‘culture of blame’

Fifty personal data breaches were reported to The Office of the Data Protection Authority (ODPA) in the two months up to 25 June 2019.

This is the highest figure reported since mandatory breach reporting was brought in on 25 May 2018. But the Bailiwick’s Data Protection Commissioner, Emma Martins takes it as a good sign that the regulated community trusts her office to respond proportionately.

‘We want to support a culture that is focussed on delivering good outcomes and we recognise the part we play in that. A mature system of self-reporting of data breaches provides both transparency and an opportunity to learn from events, improve performance and reduce risk. In recognising that in an increasingly data-rich world, both human error and technological error are inevitable, we want to avoid a culture of blame and encourage a more constructive culture of sharing, questioning and improvement.’

Forty-two of the breaches reported were due to personal data being sent, via email or post, to the wrong person. The remaining eight breaches happened because of criminal hacking, people accessing personal data inappropriately, or data being lost.

Mrs Martins described the ODPA’s positive approach to breach reporting.

‘We discourage an adversarial, blame-focussed approach and encourage a collaborative one which in turn allows the regulated community to positively engage with their legal and ethical responsibilities in an enlightened way, rather than through fear of sanction.’

A personal data breach will likely happen whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

Mrs Martins concluded by commenting on the ODPA’s strengthened enforcement powers.

‘There will always be a small minority of our regulated community who only respond to threat of enforcement. Our local data protection law gives us greater powers than ever before to deal with that. But the significant powers of sanction now available should not mean that we only talk in those terms. If we do, we risk alienating the vast majority of our community who are, in our experience, trying to do the right thing. Focussing on giving them the information, support and tools which enable them to do the right thing is not only a more positive use of our time, it can reduce harm and lead to better outcomes for everyone.’

Number of personal data breaches reported to ODPA:

  • 2 months to 25 June 2019: 50 (details above)
  • 2 months to 22 April 2019: 40 (read press release)
  • 2 months to 22 February 2019: 45 (read press release)
  • 2 months to 18 December 2018: 28 (read press release)
  • 2 months to 18 October 2018: 26 (read press release)

Breach examples
All breaches reported to the ODPA remain confidential, but to help the regulated community understand some circumstances that may lead to a breach, below are five hypothetical scenarios along with how they could be avoided:

Scenario: Inappropriate action
Breach: A lack of staff training led to an employee accessing and printing clients’ personal data without authority.
How could this be avoided? It may have been accidental and not malicious, but it is still a breach. Educating staff about what they are and are not authorised to do with the data they have access to should avoid this happening again.

Scenario: Email error
Breach: When replying to an email with several recipients, an additional person was accidentally included in the chain and received a number of messages and associated personal data that they were not authorised to have.
How could this be avoided? This was probably down to human error, possibly a typing mistake leading to an unintended recipient. Reminding staff to slow down, double-check recipients, and consider the consequences of their actions before hitting the ‘send’ button should prevent this breach being repeated.

Scenario: Mislaid data
Breach: An organisation posted out a client’s original documents, containing personal data. They were lost in the post and were never received by the intended recipient. In a large jurisdiction like the UK this information would be unlikely to be found by someone who knows the client. However, in the Bailiwick it is much more likely that personal data lost here could be found by someone who knows the person concerned. Once this kind of data is lost it may be impossible to recover, and it is also not possible to be sure of the identity of, or how many, people might have viewed it.
How could this be avoided? When sending out any of this kind of personal data, the organisation should carry out a risk assessment to identify all the potential areas of risk. Appropriate measures could be put in place to prevent the loss of data in the post. The use of couriers or recorded delivery may be necessary. It may also be prudent to keep copies of data if authorised to do so.

Scenario: Unsecured special category data
Breach: An organisation holding special category data (e.g. data relating to a person’s race, religion, sex life, health etc.) stored it in an unsecured area of the IT system, which meant that all members of staff had access to it with or without permission or the correct training to do so.
How could this be avoided? An audit of the IT systems would identify what areas are freely accessible to all staff and ascertain what data needs to be more securely stored. The correct training, policies and procedures need to be put in place to facilitate staff awareness regarding the use of special category data and the importance of keeping it secure and confidential.

Scenario: Phishing attack
Breach: An employee within an organisation received a phishing email that appeared to be from a reputable and known client. Unwittingly the individual replied to the email, which allowed the scammer access to the organisation’s systems and the data stored within them.
How could this be avoided? Training on the importance of data security and how to verify the sources of emails would help reduce the risk of this recurring. It may also be possible to install systems that identify these kinds of scams or suspicious correspondence and flag them up. It’s also vital that staff know the correct response and action if this does happen. There needs to be an agreed action plan in place to reduce the harm caused by the attack and to ensure all the correct reporting is carried out afterwards.

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

Read: ODPA Guidance on mandatory personal data breach reporting 

Register for our free event ‘Data breaches: Human error vs. technology’ (27 November 2019)

ODPA public events programme to start in July

We have released details of our series of events designed to raise awareness of citizens’ rights and improve compliance within the regulated community. The first event, to be held on 10 July, will focus on The Seven Data Protection Principles.

This follows a month-long public and industry consultation earlier this year which gathered feedback on the scope and format of the programme. The 2019 season of events will cover a range of topics including data protection in the workplace, data protection in healthcare, human error versus technology, and data ethics.

Emma Martins, Guernsey’s Data Protection Commissioner, confirmed that building public awareness is a key part of the ODPA’s statutory role and detailed how consulting with the public and industry has helped shape this aspect of their role.

‘Building awareness of citizens’ rights, and promoting awareness within our regulated community of their legal duties is a statutory obligation for us. When we outlined our proposed events plan in our consultation exercise in April 2019, we received really useful feedback. We then looked very closely at the range of things we could do to deliver this part of our role well. The result is what we’re calling ‘season 1’ of our events programme. During season 1, we will also announce details of an ambitious new initiative, called Project Blue Tit, which will explore working with people to create cultural change.’

Our events programme’s aim is to initiate positive cultural change through being accessible to local organisations and citizens of all ages, improving compliance by building awareness of topical issues in data protection, encouraging innovation and excellence in data protection practices, exploring official guidance with the regulated community and gathering feedback from local industry and individuals. A series of events will be held each year, with continuous feedback and improvement built in.

The first of the free one hour sessions, The Seven Data Protection Principles, starts on 10 July at midday and the programme continues through to the end of 2019 at our offices in Le Bordage.

More details of each event and how to register can be found at www.odpa.gg/events.

24 June – 1 July: Apple collecting map data on Guernsey

In May 2019 Apple Maps informed us of their intended visit to Guernsey to collect mapping data. They submitted detailed documents to us covering how they will:

  • collect the data
  • remove any data that can identify a person from publicly available images (i.e. blurring of faces, number plates etc.)
  • secure the data
  • keep the data, and for how long
  • inform the public of what they’re doing
  • provide a contact point for members of the public

As the regulator of data protection locally, ensuring all data collected is processed fairly and lawfully is a high priority for us.

Apple have undertaken similar mapping data collections across Europe and we expect them to understand and work within our local data protection regulatory environment.

They have informed us that the data collection will take place between 24 June 2019 – 1 July 2019 (weather permitting).

If you have any questions or concerns about Apple’s activity please contact: MapsImageCollection@apple.com

8 steps to protect yourself from identity theft and scams

We are all producing more personal data than ever before and much of the collection of that data occurs online. This, in turn, has led to a significant rise in criminal activity that seeks to misuse, manipulate and profit from the personal data of their victims. Such activity comes in many forms but could, for example, involve a fraudster taking your personal data and using it to apply for credit in your name.

Misuse of our personal data is a serious problem but there are some practical steps we can all take to reduce the likelihood of it happening to us:

1. Always remember that your personal data is valuable.

2. Scam emails – if you receive an email asking for your personal details or to click on a link, always err on the side of caution. Legitimate organisations will never pressure you into divulging your personal data. If in any doubt, do not reply and do not click on the link.

3. Shred documents – fraud does not only happen online. Make sure you shred personal data you may have in paper form, such as bank statements, before you throw them away.

4. Be careful what personal data you make public – information you choose to make public, such as on social media, can be a rich source of data for fraudsters. Do not share information that may help others guess your passwords or answer your security questions.

5. Check bank statements – review your bank and card statements regularly and be on the lookout for suspicious transactions. If you see anything that doesn’t look right, report it to your bank straight away.

6. Use strong passwords – we rely on passwords for so much of our routine activities these days so it can be hard to be disciplined about using strong passwords and changing them often but it is definitely worth it.

7. Never share or write down passwords, account details or PINs.

8. Never be embarrassed about being suspicious or asking for advice from someone you trust.

Why Strategy Matters: ODPA publish Strategic Plan (2019-2022)

We have published our Strategic Plan (2019-2022) which outlines how we plan to deliver effective and independent data protection regulation for the Bailiwick of Guernsey.

The word strategy is defined as a plan of action designed to achieve a long term or overall aim and it has its origins in Greek (stratēgia) referring to general command and leadership, mostly in a military context.

In today’s world we often hear it referred to in wider political and management contexts and companies spend a lot of time and money creating and publishing strategic plans.

But why does having a strategic plan matter?

Whatever our role, individually or organisationally, we need to know what it is we are seeking or needing to aim for – whether it is selling widgets or running a hospital. A strategy is a way of us thinking about and planning what we need to do in order to successfully achieve those aims.

But how many of us know what the strategic direction of our own organisation is and where we may fit within that? Too often these documents, which have often taken considerable energy and resource, are launched in a flourish then neglected on a dusty shelf.

The new data protection legislation has given us, at the Office of the Data Protection Authority, the opportunity to reflect on what the law requires of us and how we think we can best deliver on those obligations. But data protection regulation poses unique and complex challenges; it gives every citizen rights and it imposes obligations on every organisation that handles personal data. Essentially, that means that every single individual and organisation in this Bailiwick is, in some way, affected.

The resources available to achieve our intended goals are limited. How we use, or not, those resources has real-world consequences. We cannot do everything or be everywhere. Having a strategy is therefore very important for us because it ensures we are thoughtful, honest and open about how we are approaching our work and utilising our resources.

If our jurisdiction considers data protection as an administrative burden of little value, or worse, as stifling economic success and innovation, we will have failed before we have even started. We will also be likely to have to deploy our resources in a largely reactive way, managing and investigating breaches and complaints where harm has already been done.

Conversely, if our jurisdiction engages with and understands the need for and the benefits of, regulation, we can continue to build a culture of good governance and reputation. If organisations get data protection right from the outset, the risks of harm to individuals are greatly reduced which in turn reduces the resources needed to investigate complaints.

That may sound obvious and straightforward and the reality is that it could be, but we need to create the right environment and as the regulator we recognise the responsibility we have in supporting and enabling this to happen.

We are clear about where we see the opportunities for the Bailiwick in this modern era. In striving to be a centre of excellence for data, we aim to encourage organisations to build the protection of data into everything they do. We also aim to help them do that by listening, engaging and providing them with relevant information and tools. Equally, we want each and every citizen to benefit from the protections and rights the law gives them and feel empowered to demand that those rights be respected.

The way in which we do that goes beyond looking at sections of law, it is also informed by the culture and values of our organisation. Our new strategic plan sets out the detail of what we want to achieve and how we think we can do that effectively. Strategy is only ever going to be effective when it actively, purposefully and deliberately shapes events, behaviours and outcomes in the real world.

The impact of poor data protection practice is significant; for individuals because their data risks being misused; for businesses because their efficiency and reputation will be compromised; and the Bailiwick because jurisdictions that do not step up will fall behind in this fast moving and data-driven era.

Data protection is an objective of a successful economy, not an obstacle to it. In setting out our strategic direction, we want to demonstrate that we are committed to doing all we can to build on and enhance the work already done. But the publication of our plan is just the beginning, because strategy is something that needs to be done, not just written.

READ: ODPA Strategic Plan (2019-2022)

Next steps

Our Strategic Plan is a live document borne out of months of considered effort from the Commissioner and The Data Protection Authority Members and Chair.

We have listened to feedback received from our regulated community during this process, and continue to invite feedback, which will be taken into consideration when we update this Strategic Plan in 2020. If you would like to give us feedback please send your comments to communications@odpa.gg.

Emma Martins to speak at European data protection summit

The Bailiwick’s Data Protection Commissioner, Emma Martins, has been invited to speak at an international data protection conference next month.

The European Data Protection Summit and Dinner will take place in London on 3 June 2019 and brings together an international line-up of expert speakers, including representatives from the Bank of England, Google and Mastercard, to explore the latest insights and findings in data protection, governance and security.

Mrs Martins considers her attendance shows how, despite being a small jurisdiction, the Bailiwick’s approach to data protection legislation is of interest internationally.

‘I am delighted to be able to represent the Bailiwick alongside some of Europe’s major organisations. Our presence illustrates just how far we have come as a jurisdiction in providing effective data protection regulation – independently from government – and ensuring high standards within our community.’

Mrs Martins will speak on the important role played by the Office of the Data Protection Authority (ODPA), highlighting how it is developing a forward-looking and thoughtful approach to compliance within the Island’s regulated community for the benefit of individuals, organisations and society as a whole.

Mrs Martins added,

‘The approach regulators take in this data-driven world has the ability to influence outcomes in very real ways. At my office, we are working hard to develop an intelligent, inclusive and ethical regulatory environment that supports good outcomes for everybody. Small jurisdictions like ours are able to contribute meaningfully and positively in this area and I am very much looking forward to the opportunity to talk about our approach with such a wide community of data professionals.’

The sold-out event takes place at ETC Venues in the City of London with 700 attendees from around Europe.

Data protection law turns one year old

Twelve months on from the introduction of new data protection legislation, the Office of the Data Protection Authority (ODPA) is focused on ensuring Islanders’ rights are protected.

25 May 2019 marks the first anniversary of The Data Protection (Bailiwick of Guernsey) Law, 2017, and also the end of ‘transitional relief’, the grace period permitted for certain aspects of the law that did not come into force last year. The new law is now in full force and gives local citizens ten rights. Citizens gain the new right to data portability from 25 May 2019, which makes it much easier to move personal data from one organisation to another.

The Data Protection Authority (L-R): Simon Entwistle, Jennifer Strachan, Richard Thomas CBE, Emma Martins, Chris Docksey, John Curran. Authority member, Mark Lempriere, is not pictured.

Emma Martins, the Bailiwick’s Data Protection Commissioner, commented on the cultural shift that has moved data protection into the mainstream.

‘A year on from the frenzied build-up to GDPR, it feels good to be well on the path towards a more thoughtful approach to compliance with our regulated community. We are encouraged to see more organisations moving towards a state of enlightened compliance, where they understand and believe in the object of our local data protection law. This approach leads to much better outcomes for everyone, transforming compliance from a box-ticking exercise, to an environment that puts the human beings whose rights are at the heart of the legislation centre stage.’

The ODPA’s mission is to provide effective data protection regulation – independently from government – and ensure high standards of data protection in the community. This is achieved through education and information, preventing poor handling of personal data and taking appropriate enforcement action where necessary against non-compliance. This mission aims to benefit individuals, organisations, and society as a whole.

‘How we use our regulatory powers fundamentally affects the nature and quality of compliance, so we operate with appropriate governance mechanisms, and the highest standards of ethics embedded into everything we do. We know that our effectiveness as a regulator plays a major role in ensuring data protection standards are met in our regulated community. We are lucky to have a positive relationship with our regulated community, and we appreciate the trust they place in us,’ added Mrs Martins.

The ODPA has been running a series of events, including fortnightly drop-in sessions, public and industry consultations on its future events programme, published guidance literature and also provided speakers at industry seminars.

Notes:

Object of The Data Protection (Bailiwick of Guernsey) Law, 2017

The Law exists to:

  1. protect the rights of individuals in relation to their personal data, and provide for the free movement of personal data, in a manner equivalent to the GDPR and the Law Enforcement Directive, and
  2. make other provisions considered appropriate in relation to the processing of personal data.

Citizens’ rights

Citizens have the following 10 rights under The Data Protection (Bailiwick of Guernsey) Law, 2017:

  1. Right to information for personal data collected from data subject
  2. Right of access
  3. Right to object to processing for direct marketing purposes
  4. Right to object to processing on grounds of public interest
  5. Right to object to processing for historical or scientific purposes
  6. Right to rectification
  7. Right to erasure
  8. Right to restriction of processing
  9. Right not to be subject to decisions based on automated processing
  10. Right to data portability (can be exercised from 25 May 2019)

The ODPA’s five strategic objectives for 2019-2022 are:

  1. To develop the ODPA’s capabilities to deliver on their enhanced statutory duties.
  2. To be a relevant, responsive and effective regulator.
  3. To support organisations in delivering their obligations and empower individuals to exercise their rights.
  4. To develop and maintain effective relationships.
  5. To elevate discussions around the protection of data to engage the community and individuals in a relevant and positive way, recognising the personal, social, and economic opportunities and threats that the data economy poses.