Commissioner ‘encouraged’ by consistent breach reporting trend


Figure: 30 personal data breaches reported to ODPA between 1 March 2020 – 30 April 2020, by category.

Thirty personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 30 April 2020, with the majority occurring through people accidentally sending personal data to the wrong person either by post or email.

Personal data being sent to the incorrect recipient remains the most common incident. In the latest reporting period, 21 of the 30 breaches fell into this category, with 12 due to email errors and 9 due to postal errors. Cyber incidents accounted for four and inappropriate disclosure of data for three, while the remaining self-reported breaches included one case of inappropriate access.

The 30 in total were from a range of sectors, including eight from public authorities, six from healthcare, four from investment, three from fiduciaries, three from retail/wholesale and the remaining six spread across five other sectors.

The Bailiwick’s Data Protection Commissioner, Emma Martins, observed that this period’s statistics cover both the period before Covid-19 had reached Guernsey and the lockdown period.

‘I am encouraged to see that this period’s statistics are broadly consistent with the trends we have been reporting since 2018. This indicates that despite the unprecedented pressures local organisations have faced over the past two months, it has not impacted their attention to their legal requirements to look after people’s data, and to report to us when things have gone wrong. I would like to thank our regulated community for not neglecting their statutory duties at this time.’

Mrs Martins also reiterated comments made back in March regarding the ODPA’s approach to its enforcement role during the Bailiwick’s lockdown period.

‘These are not normal times and I want to make it clear that we will not take enforcement action against any organisation who is trying to do the right thing. We know that everyone’s focus is understandably diverted to dealing with new ways of working and the associated challenges for us all, as employers, employees and citizens. We also understand and are realistic about the impact the current disruption will have on compliance and governance, especially in sectors which are now instrumental in the Bailiwick’s response to the unfolding public health situation. Members of the public will also, we hope, understand that organisations may not be able to respond as quickly as usual to requests relating to their personal data. We are part of a community that is pulling together at an extraordinary time and want to ensure we carry out our duties in a responsible and practical manner in the interests of that whole community.’

The ODPA has also published Q&As related to the pandemic.

NOTES:

  • Breach reporting

One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.

  • Why does the ODPA publish breach statistics?

The ODPA has published statistics on the number of breach reports it receives every two months since June 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.

  • Number of personal data breaches reported to ODPA (June 2018 – present):

    Reporting period                Headline                                                           Breaches
    2 months to 30 April 2020       (details above)                                                    30
    2 months to 29 February 2020    Lowest number of breaches in more than a year                      28
    2 months to 28 December 2019    Data Protection Commissioner calls for a culture of improvement    48
    2 months to 27 October 2019     Data breaches: workplace culture change needed                     44
    2 months to 26 August 2019      Human behaviour remains key risk to protecting data                32
    2 months to 25 June 2019        Data Protection Commissioner cautions against a ‘culture of blame’ 50
    2 months to 22 April 2019       Human error remains biggest risk in data protection locally        40
    2 months to 22 February 2019    ODPA report further increase in local data breaches                45
    2 months to 18 December 2018    Increase in local data breaches                                    28
    2 months to 18 October 2018     ODPC offers advice after increase in local data breaches           26


  • How are personal data breaches categorised?

The ODPA individually assesses each breach reported to it and assigns it to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. The remaining two (‘cyber incidents’ and ‘other’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.

    No.  Category                                     Normally considered
    1    Loss of data/paperwork/device                accidental
    2    Data sent to incorrect recipient – email     accidental
    3    Data sent to incorrect recipient – post      accidental
    4    Data sent to incorrect recipient – fax       accidental
    5    Inappropriate access                         accidental
    6    Inappropriate disclosure                     accidental
    7    System error                                 accidental
    8    Cyber incidents                              accidental or deliberate
    9    Unauthorised access                          deliberate
    10   Unauthorised disclosure                      deliberate
    11   Other                                        accidental or deliberate


  • What is a personal data breach?
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report an incident that meets the above criteria if it is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
  • What are a person’s ‘significant interests’?
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.