Forty-four personal data breaches were reported to us in the two months up to 27 October 2019.
Twenty-four of the breaches were due to personal data being sent, via email or post, to the wrong person. The remaining twenty were through hacking, personal data being accessed inappropriately, the disclosure of personal data when not authorised to do so, system error, or personal data being lost. Overall, forty breaches were the result of human action, with just four resulting from system error.
The Bailiwick’s data protection commissioner, Emma Martins, commented on the role people play in personal data breaches.
‘Once again, this period’s statistics reinforces the trend we have seen for some time: that it’s what people, not systems, do that is the biggest factor in most data breaches reported to us. Protecting data well is first and foremost a human issue.’
This trend, where people’s awareness, attitudes, behaviour, and choice of actions often pose the biggest risk to the protection of personal data is observed not just locally, but also worldwide. In October 2019 the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) passed a resolution for participating national authorities to ‘address the role of human error in personal data breaches’.
The resolution, sponsored by the Office of the Australian Information Commissioner, calls on all ICDPPC members (including the ODPA) to ‘promote appropriate security safeguards to prevent human error that can result in personal data breaches’. The resolution identifies the role of ‘building workplace cultures where privacy and personal data security are organisational priorities, including through the periodic implementation of training, education and awareness programs for employees on their privacy and security obligations and the detection and reporting of threats to the security of personal data.’
This echoes a statement made by Mrs Martins, in August this year on this subject: ‘Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’ Recognising the crucial role workplace culture plays in looking after personal data well, the ODPA will be starting an initiative, called ‘Project Blue Tit’, in 2020 with the aim of effecting positive, measurable change in organisational culture locally. More details about this project will be announced soon.
This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.
Number of personal data breaches reported to ODPA:
|2 months to 27 October 2019||44|
|2 months to 26 August 2019||32|
|2 months to 25 June 2019||50|
|2 months to 22 April 2019||40|
|2 months to 22 February 2019||45|
|2 months to 18 December 2018||28|
|2 months to 18 October 2018||26|
PREVIOUS RELEASES: bi-monthly breach report statistics
- Human behaviour remains key risk to protecting data (2 months to 26 August 2019)
- Data Protection Commissioner cautions against a ‘culture of blame’ (2 months to 25 June 2019)
- Human error remains biggest risk in data protection locally (2 months to 22 April 2019)
- ODPA report further increase in local data breaches (2 months to 22 February 2019)
- Increase in local data breaches (2 months to 18 December 2018)
- ODPC offers advice after increase in local data breaches (2 months to 18 October 2018)
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.
However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.