Learning and improvement the route to a culture of compliance

The Office of the Data Protection Authority (ODPA) has published its latest breach statistics and emphasised the need for learning and improvement to better safeguard personal data handled in the Bailiwick and build a culture of compliance.

Figure: 34 personal data breaches reported to ODPA between 1 May 2020 – 30 June 2020 by category.

Thirty-four personal data breaches were reported to the ODPA in the two months leading up to 30 June 2020. Just under three-quarters of these (22) happened when personal data was accidentally sent to the wrong person by email. There were two instances where data was sent to the incorrect recipient by post.

Other self-reported breaches for the two-month period included three of inappropriate access, three cyber incidents, two of unauthorised disclosure, one of unauthorised access and one loss of data/paperwork/device.

The 34 breaches were split across a variety of sectors: five from public authorities, four from fiduciary entities and three each from banking, insurance and retail/wholesale establishments. Charities/not for profits, education/training organisations, investment organisations and legal practices reported two each, with the remaining eight split across five other sectors.

This is the second set of statistics covering the Covid-19 lockdown period and, again, the figures show a number of reported breaches in line with those seen since collation of the data began two years ago.

The Bailiwick’s Data Protection Commissioner, Emma Martins, commented on the continuing trend.

‘We would like to offer our thanks to those businesses and organisations that have managed to continue to fulfil their statutory duties under the recent challenging circumstances. Whilst it’s largely reassuring that the number of reported breaches is remaining consistent, perhaps it’s time to ask organisations that don’t routinely report to us to have another look at their procedures to ensure that there aren’t breaches occurring that we should be advised of.’

Mrs Martins continued by highlighting that the Authority’s mandate is to educate and engage, not just enforce.

‘Our aim is to help and empower all organisations, large or small, to handle personal data correctly because first and foremost we want to prevent breaches from happening in the first place. If we are going to do that effectively we need to have good knowledge and understanding of the nature of incidents and how often they are occurring. That in turn will enable us to provide more relevant and targeted support and guidance to those most at risk. Now that lockdown has eased, our fortnightly drop-in sessions to support our local regulated community are starting again on 22 July so local businesses and organisations can visit our offices and meet with a member of staff for advice. We are committed to building a culture of compliance for the Bailiwick; one that recognises that we’re all only human and we all make mistakes, but by learning from those mistakes and improving how we work, we can strive for better levels of data protection, benefitting our community and our economy.’

NOTES:

  • Fortnightly drop-ins
    Anyone representing an organisation can come along to the ODPA’s fortnightly drop-in sessions, which are normally held between 09:00 and 12:00 every other Wednesday morning.
  • Breach reporting
    One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it. Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.
  • Why does the ODPA publish breach statistics?
    The ODPA has published statistics of the number of breach reports it receives, every 2 months since June 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.
  • Number of personal data breaches reported to ODPA (June 2018 – present):
    2 months to 30 June 2020 – 34 (details above)
    2 months to 30 April 2020 – 30 (Commissioner ‘encouraged’ by consistent breach reporting trend)
    2 months to 29 February 2020 – 28 (Lowest number of breaches in more than a year)
    2 months to 28 December 2019 – 48 (Data Protection Commissioner calls for a culture of improvement)
    2 months to 27 Oct 2019 – 44 (Data breaches: workplace culture change needed)
    2 months to 26 Aug 2019 – 32 (Human behaviour remains key risk to protecting data)
    2 months to 25 Jun 2019 – 50 (Data Protection Commissioner cautions against a ‘culture of blame’)
    2 months to 22 Apr 2019 – 40 (Human error remains biggest risk in data protection locally)
    2 months to 22 Feb 2019 – 45 (ODPA report further increase in local data breaches)
    2 months to 18 Dec 2018 – 28 (Increase in local data breaches)
    2 months to 18 Oct 2018 – 26 (ODPC offers advice after increase in local data breaches)

  • How are personal data breaches categorised?
    The ODPA individually assesses each breach reported to it and assigns it to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.
    1 Loss of data/paperwork/device – accidental
    2 Data sent to incorrect recipient – email – accidental
    3 Data sent to incorrect recipient – post – accidental
    4 Data sent to incorrect recipient – fax – accidental
    5 Inappropriate access – accidental
    6 Inappropriate disclosure – accidental
    7 System error – accidental
    8 Cyber incidents – accidental or deliberate
    9 Unauthorised access – deliberate
    10 Unauthorised disclosure – deliberate
    11 Other – accidental or deliberate
  • What is a personal data breach?
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so. However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

  • What are a person’s ‘significant interests’?
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.