Lowest number of breaches in more than a year

Twenty-eight personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 29 February 2020, the lowest figure in more than a year, and the majority were accidental.

Since the last report, the ODPA has refined its breach categories so that more detail can be drawn from them; each breach now falls into one of eleven possible groups. Overall, in the latest statistics, 19 breaches were deemed accidental, three deliberate and six not specified.

Data sent to the wrong recipient is the most common error; this category has now been separated into three groups to specify whether the data was sent by post, email or fax. In the latest reporting period, 9 breaches fell into this category: three were from email errors and three were postal. Inappropriate disclosure of data led to six breaches, whilst other self-reported breaches included three each of inappropriate access, unauthorised disclosure and cyber incidents.

The 28 breaches in total were from a range of sectors, including five from public authorities, four from healthcare organisations, three from fiduciary entities and the remaining 16 spread across 10 other sectors.

The Bailiwick’s Data Protection Commissioner, Emma Martins, observed that the obligation to report data breaches is still a relatively new requirement and that all parties have something to learn.

‘We publish the self-reported figures so that everyone can benefit from a better understanding of how and why breaches happen and therefore, how we can avoid them in future. We hope the new categories will deepen understanding of this.’

The ODPA’s Strategic Plan focuses on predicting, preventing and detecting data harms along with enforcing the local data protection law.

Mrs Martins commented on how the breach statistics help these activities.

‘As the regulator we can ensure our advice and guidance is relevant and helpful. By learning more about the origin of these breaches we can better educate organisations and in turn they can put in place practices that should ultimately reduce future breaches. Our overall goal is to protect people from the harms that data breaches can cause, as they often cannot be undone.’

Notes

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

New breach categories explained
The ODPA individually assesses each breach reported to it and assigns it to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious.

1 Loss of data/paperwork/device (accidental)
2 Data sent to incorrect recipient – email (accidental)
3 Data sent to incorrect recipient – post (accidental)
4 Data sent to incorrect recipient – fax (accidental)
5 Inappropriate access (accidental)
6 Inappropriate disclosure (accidental)
7 System error (accidental)
8 Cyber incidents (accidental or deliberate)
9 Unauthorised access (deliberate)
10 Unauthorised disclosure (deliberate)
11 Other (accidental or deliberate)

Number of personal data breaches reported to ODPA:

2 months to 29 February 2020 (details above): 28
Data Protection Commissioner calls for a culture of improvement (2 months to 28 December 2019): 48
Data breaches: workplace culture change needed (2 months to 27 Oct 2019): 44
Human behaviour remains key risk to protecting data (2 months to 26 Aug 2019): 32
Data Protection Commissioner cautions against a ‘culture of blame’ (2 months to 25 Jun 2019): 50
Human error remains biggest risk in data protection locally (2 months to 22 Apr 2019): 40
ODPA report further increase in local data breaches (2 months to 22 Feb 2019): 45
Increase in local data breaches (2 months to 18 Dec 2018): 28
ODPC offers advice after increase in local data breaches (2 months to 18 Oct 2018): 26

Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

‘Significant interests’ explained
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.