We have released the local results of the seventh Global Privacy Enforcement Network’s (GPEN) annual Privacy Sweep.
During September and October 2019, the ODPA contacted 62 Bailiwick healthcare providers, requesting information about:
- how they were prepared for handling data breaches
- their internal procedures and framework
- the processes in place for preventing future breaches.
Both large and small organisations indicated a desire to operate effective procedures, understood how to report breaches and found the ODPA’s web-based guidance on breach reporting helpful. Around one in eight providers contacted supplied feedback to the Privacy Sweep.
Bailiwick Data Protection Commissioner, Emma Martins, emphasised the importance of effective engagement.
“We welcome every opportunity to connect with our regulated community and although uptake was a little disappointing, the Privacy Sweep enabled us to gauge the level of understanding of breach reporting and was a useful intelligence gathering exercise, rather than part of any enforcement activities. Our office continues to support all local organisations with their data privacy activities, ensuring they are clear about expectations and understand how to prevent breaches as well as respond to them if they occur.”
Guernsey was one of 16 jurisdictions that took part and the sweep provided an opportunity to gather useful information and help guide future education and outreach. Globally, out of 1,145 entities that were approached, 258 provided meaningful responses.
Commenting on the local results gathered, Mrs Martins added,
“We are very grateful to the organisations that responded to the sweep. They trusted us with their information and took the time to reply, enabling us to form a view of the local landscape with respect to breach reporting and responses.
“Looking ahead, we hope to be involved in other international initiatives as there is much to learn from cooperation with data protection authorities around the globe. Hopefully these activities that aim to improve how we all engage and interact with personal data will be received more positively in the future both locally and worldwide.”
- About the GPEN Privacy Sweep
The GPEN Privacy Sweep is an international initiative that aims to increase awareness of privacy rights and responsibilities, to encourage active compliance with privacy legislation and enhance cooperation between privacy authorities worldwide. Participating authorities asked organisations, from a sector of their choice, questions about current systems for recording, reporting and preventing data breaches.
- 2019 was the first time the ODPA contributed to this international intelligence-gathering exercise. Of the 16 jurisdictions that took part in the sweep, the Bailiwick of Guernsey is one of 12 with mandatory breach reporting. Although taking part in the sweep was voluntary, a common reason given globally for not contributing was concern over follow-up enforcement action where mandatory reporting is in place.
- Mandatory breach reporting
- READ: the ODPA’s guidance for controllers on breach reporting, and further information on the local statutory requirements.
- Under section 42 of the Data Protection (Bailiwick of Guernsey) Law, 2017 (the Law), a controller must report a personal data breach to the ODPA no later than 72 hours after becoming aware of it. Controllers can report a breach to the ODPA online.
- Breach criteria
- A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.
- However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.
- ‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.