News

  • Data breaches: workplace culture change needed

    Forty-four personal data breaches were reported to us in the two months up to 27 October 2019.

    Number of personal data breaches reported to ODPA

    Twenty-four of the breaches were due to personal data being sent, via email or post, to the wrong person. The remaining twenty were through hacking, personal data being accessed inappropriately, the disclosure of personal data when not authorised to do so, system error, or personal data being lost. Overall, forty breaches were the result of human action, with just four resulting from system error.

    The Bailiwick’s data protection commissioner, Emma Martins, commented on the role people play in personal data breaches.

‘Once again, this period’s statistics reinforce the trend we have seen for some time: that it’s what people, not systems, do that is the biggest factor in most data breaches reported to us. Protecting data well is first and foremost a human issue.’

This trend, where people’s awareness, attitudes, behaviour, and choice of actions often pose the biggest risk to the protection of personal data, is observed not just locally, but also worldwide. In October 2019 the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) passed a resolution for participating national authorities to ‘address the role of human error in personal data breaches’.

    The resolution, sponsored by the Office of the Australian Information Commissioner, calls on all ICDPPC members (including the ODPA) to ‘promote appropriate security safeguards to prevent human error that can result in personal data breaches’. The resolution identifies the role of ‘building workplace cultures where privacy and personal data security are organisational priorities, including through the periodic implementation of training, education and awareness programs for employees on their privacy and security obligations and the detection and reporting of threats to the security of personal data.’

    This echoes a statement made by Mrs Martins, in August this year on this subject: ‘Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’ Recognising the crucial role workplace culture plays in looking after personal data well, the ODPA will be starting an initiative, called ‘Project Blue Tit’, in 2020 with the aim of effecting positive, measurable change in organisational culture locally. More details about this project will be announced soon.


NOTES

    This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

    Number of personal data breaches reported to ODPA:

2 months to 27 October 2019: 44
2 months to 26 August 2019: 32
2 months to 25 June 2019: 50
2 months to 22 April 2019: 40
2 months to 22 February 2019: 45
2 months to 18 December 2018: 28
2 months to 18 October 2018: 26


    Breach criteria
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

    However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

    ‘Significant interests’ explained
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.

  • ODPA registration exemptions extended

    Anyone who is currently exempt from the legal requirement to register with the Office of the Data Protection Authority (ODPA) will now continue to be exempt until January 2021.

    This means that any local entity (such as small businesses and sole traders) who currently meet the exemption criteria (find out what these are here) will not need to register with the ODPA until the beginning of 2021.

    From 1 January 2021 all exemptions to registering with the ODPA will end, and any local entity doing anything with personal data will be legally obliged to register with the ODPA and pay a small annual fee that will contribute towards the ODPA’s operational costs.

    The ODPA is an independent regulator and as such must be financially independent. It is working with the States of Guernsey towards agreeing a self-funding model which meets its operational costs mostly from annual fees paid by registered entities, rather than taxpayers.

    It has taken longer than expected for the States of Guernsey and the ODPA to agree and implement a self-funding model. Because of this delay the Committee for Home Affairs will shortly be extending the current registration exemptions. They were due to end on 31 December this year, but will now continue until 31 December 2020.

    Emma Martins, the Bailiwick’s Data Protection Commissioner commented on the extension.

    ‘For the past year we have been working hard to try to reach agreement with the States of Guernsey on how the ODPA’s operational activities are funded. Above all else, we want to ensure that we agree on a fair, low-cost, low-admin model that allows local businesses to concentrate their efforts on running their businesses well, rather than filling in bureaucratic forms. We continue to pursue that goal.’


Below are some Q&As around what this means for local businesses and other entities:

    Q: I’m confused – what exactly does this mean for local organisations and other entities who process personal data?
    A: If you are a currently registered entity, everything stays the same as it is now. Just carry on renewing your annual registration as you always have done. You will be automatically notified if anything changes.

    A: If you are currently exempt from registration, you will continue to be exempt until January 2021. But please remember: you are only exempt from registration, you are not exempt from complying with the local data protection law. Access advice, guidance, and resources on compliance here.

    Q: How do I know if I’m exempt or not?
    A: The following three groups of entities are exempt from registration until January 2021:

    1. entities who only process data for accounts and record-keeping for core business purposes, for staff administration and to market their own goods or services;
    2. entities who only process data under instructions given by another entity;
    3. entities who have charity or not-for-profit

    If you’re still not sure if any of the above exemptions apply to you, please read our guidance document: Exemptions to Registration.

    Q: Why are the exemptions being extended?
    A: It has taken longer than expected for The States of Guernsey and The Data Protection Authority to reach agreement on a self-funding model.

    In November 2018 The Data Protection Authority and the Committee for Home Affairs submitted a joint proposal to the Policy & Resources Committee outlining an innovative, low-cost, low-admin, equitable self-funding model that would involve automatically tacking on a ‘data protection fee’ to Guernsey Registry’s annual validation process. The proposed fee was 10% of any given entity’s annual validation fee (i.e. £25 – £50 per entity, per year).

    This model was supported by the Policy & Resources Committee, but the Committee for Economic Development could not support it.

    All parties continue to work closely with the aim of developing a model that everyone can support, and that works for local businesses. Whilst the details of the model are being worked out it makes sense to maintain the status quo (i.e. keep exemptions in place) to minimise disruption to Bailiwick organisations.

    Q: What is going to happen in January 2021?
A: On 1 January 2021 (or perhaps earlier, if a workable self-funding model can be implemented) all exemptions to registration will cease. Any entity who is doing anything with personal data will be legally obliged to register with the ODPA for the first time. There is an annual fee associated with this registration, which each entity must pay. This annual fee goes toward funding the ODPA’s operational activity. It is not yet clear what the annual fee will be, but The Data Protection Authority would like it to be low (between £25 and £50 per year, per entity).

    Q: 1 January 2021 is a public holiday and my office will be closed. Do I need to register on that specific day?
A: No, you can register at any point in the normal working days leading up to 1 January 2021 if you wish. The ODPA are exploring the possibility of an amnesty period for the month of January 2021 to give local organisations more time to register; details on whether this is possible will be announced in due course.

    Q: The ODPA annual registration fee is currently £50, will I have to pay more from 2021?
A: Hopefully not, but it’s not yet clear what the fee will be. What is clear is that The Data Protection Authority is committed to keeping the fee as low as possible in order to maintain the Bailiwick’s competitiveness as a place to set up and operate successful businesses. It is also committed to a fair, low-admin approach to collecting its fee.

    Q: Why do I need to pay at all?
A: Anyone doing anything with personal data in the Bailiwick has a legal obligation under The Data Protection (Bailiwick of Guernsey) Law, 2017 to pay an annual fee to the ODPA. This law also states that the ODPA must be self-funded, to allow itself to be independent of The States of Guernsey. This independence is essential as the ODPA regulates the States in the same way it regulates all other local entities.

    Q: Why can’t the ODPA just fund itself by giving out large fines?
    A: Any fines issued by The Data Protection Authority are payable to The States of Guernsey’s general revenue fund and are not used to fund the ODPA. To maintain its independence and neutrality the ODPA cannot be seen to be financially benefitting from any fines it issues: large or frequent fines could be misinterpreted as being based on a funding need rather than a levy for wrongdoing.

    Q: How much funding is The States of Guernsey giving the ODPA for 2020?
    A: £1.1 million has been requested to meet the ODPA’s 2020 operating costs. This will enable the ODPA to fulfil its statutory duties, and includes the cost of staff, premises, casework, public awareness activities, maintaining secure IT systems etc. The ODPA provides full financial information in its Annual Report (see all previous reports here).

    Q: How much annual funding will The States of Guernsey give the ODPA from 2021 onwards?
    A: This isn’t clear yet. Hopefully the ODPA will not have to rely too heavily on taxpayers’ money from 2021 as by then the self-funding model should be in place. However, the States are legally obliged to meet any shortfall between what the ODPA raises in fee income and what its operational budget is in any given year.

    Q: What is personal data? 
    A: It is any information that relates to an identified or identifiable living person. Things like: your name, your address, your medical records, CCTV footage of you, your social media activity, your internet browsing history, what your boss once said in an email about you, your political views, your sexuality etc.

    Q: What is ‘processing’ personal data? 
    A: ‘Processing’ refers to pretty much anything an entity* does with personal data. It includes activities like: collecting, storing, organising, using, altering, disclosing, erasing and destroying personal data. Profiling is also considered to be processing.
    *An ‘entity’ could be: your bank, a school, your plumber, the States of Guernsey, an online retailer, a social media platform, your employer, a politician acting in their official capacity, the supermarket you shop at, your GP’s practice, your insurer, in short: anyone who is deciding how your personal data is used. These sorts of entities are called ‘controllers’ in data protection law.

    Q: What does the ODPA do?
    A: The ODPA is the operational body that carries out the regulatory functions of the Law delegated by The Data Protection Authority. The ODPA records data breaches, investigates complaints, runs education programmes and examines proposed legislation and how it may affect individual privacy. The ODPA empowers individuals to exercise their rights, as well as supporting organisations to meet their compliance requirements and take action if they fall short.

    Q: What happens next?
    A: There is still some uncertainty as to when the self-funding model will be in place, and how this will affect local entities. The ODPA expects a decision on its self-funding model from The States of Guernsey by the end of 2019. It is committed to providing a workable lead-in-time and will provide regular updates through its website, newsletter and the usual media channels.

    Please ensure you subscribe to the ODPA’s monthly newsletter so that you are kept up to date.

    ————————————————————————————————————————————————————————————————

    Below is an extract from Deputy Mary Lowe’s statement regarding the ODPA’s 2020 funding position: Statement by the President of the Committee for Home Affairs (Wednesday 16 October 2019) 

“I move on to Data Protection[.]

    As Members may be aware discussions are continuing with the Data Protection Authority and the Policy and Resources Committee to find the best way to introduce a universal annual data protection licence fee which is modest and unbureaucratic.

    Apart from very small businesses and charities, most of those who will need to have a licence will be Guernsey registered companies. We therefore need to help business owners and managers to pay the fee with the minimum of fuss. We had explored the possibility of it becoming part and parcel of the annual validation process of the Company Registry but it became apparent from our colleagues at Economic Development that this could have unforeseen complications.

    We have therefore moved to exploring an alternative which preserves the independence of the Company Registry but seamlessly allows company owners to continue, after having completed their Annual Validation, through to the Data Protection Office website to pay their licence fee, unless they declare they are exempt.

    All this is taking time to develop and will probably require some legislation.

    This does mean that for 2020 the States, as required under the Law, will have to continue to fund the Data Protection Authority from General Revenue as part of the budget.”

  • Chris Docksey gives keynote at international conference

    Our board member Chris Docksey was the keynote speaker for the second day of the 41st International Conference of Data Protection and Privacy Commissioners open session.

    He spoke about the blossoming of data protection accountability across the globe, the philosophy behind accountability and the toolbox that can be used to demonstrate it.

    Chris emphasised the inclusion of the accountability principle in data protection legislation, including our own 2017 Law, and the need for controllers and regulators to embrace this fundamental principle to ‘give life’ to data protection compliance and regulations.

    Chris closed with this quote:

    “Not everything that is legally compliant and technically feasible is morally sustainable”
– Giovanni Buttarelli (1957–2019) of the EDPS (European Data Protection Supervisor)

    READ: transcript of Chris Docksey’s keynote

    READ: our guidance note on Accountability and Governance.

    READ: the ICDPPC 2019 resolutions, as adopted

  • Emma Martins speaks at international data protection summit

    The Bailiwick’s Data Protection Commissioner, Emma Martins, was an invited speaker at a recent international data protection conference.

PrivSec took place in Dublin on 23 and 24 September, and the two-day summit brought together over 700 worldwide delegates in privacy and data protection to hear an international line-up of expert speakers. Alongside Mrs Martins, representatives from Google, Hewlett Packard, Etihad Airways, Aviva and the Bank of Ireland explored a range of conference topics covering data protection, security and governance, and how successful data protection and security programmes need to be interdependent.

    Mrs Martins commented on how data protection has shifted from being merely tolerated to actively embraced.

    ‘It was thrilling to be part of PrivSec this year, there was genuine excitement in the room when privacy activists Max Schrems and David Carroll took the stage, and I’m so grateful to have witnessed that. It was humbling to represent our Bailiwick alongside global heavyweight organisations. We should be proud, as a jurisdiction, that the international community is aware of the approach we’re taking towards effective, independent regulation that encourages our regulated community towards excellence, and protects individuals’ rights.’

    Mrs Martins spoke on four key areas of regulation: prediction, prevention, detection and enforcement. Central to her presentation was how regulators should aim for balance across these four areas by describing The Office of the Data Protection Authority’s (ODPA) approach, the implications for regulated entities and how it can secure better outcomes.

  • ODPA starts investigation into Sure Directory issues

    On 1 October 2019, the Office of the Data Protection Authority (ODPA) began an investigation in relation to how Sure handled personal data for the 2019 Sure Directory.

    Sure have been notified of the start of this investigation. The ODPA welcomes Sure’s constructive engagement and their full co-operation is anticipated.

    The ODPA will be investigating Sure under section 69 of The Data Protection (Bailiwick of Guernsey) Law, 2017. The investigation will cover the processing of personal data for, and publication of, the 2019/2020 telephone directory. Concerns raised by several members of the public will also be taken into account to determine whether any aspects of the Law have been breached.

    The outcome of the ODPA’s investigation should not be speculated on, or its conclusion pre-judged. No further comment will be made at this time.

    Whilst as previously advised individuals should speak to Sure in the first instance if they are concerned about their personal data, ongoing issues can be reported to the ODPA.

  • ‘Data protection’ does not explain Sure directory changes

The Office of the Data Protection Authority (ODPA) is aware of several inaccuracies and omissions in the 2019 Sure Directory, and of previously ex-directory entries appearing in it, with data protection being cited, it would appear, as a reason for some of these issues.

    The legal requirement for personal data to be accurate and, where necessary, kept up to date has been a feature of data protection legislation since the Bailiwick’s first data protection law in 1986. The GDPR-equivalent local law that came into effect in 2018 does not require Sure to alter their previous practice of allowing customers to specify how their entry appears in the directory and it is not clear why the new law has been cited as a reason for the change in approach.

    Sure, along with several of their concerned customers, have made the ODPA aware that previously ex-directory numbers have been included in the 2019 directory. This is contrary, it would seem, to customers’ previously advised instructions to Sure.

    Emma Martins, the Bailiwick’s Data Protection Commissioner commented on the risk this potentially poses to people.

    ‘Data protection is entirely about protecting people. I am very concerned that it would appear a number of ex-directory phone numbers have been published in error. Some people rely on ex-directory status for their personal safety so exposing their personal data in this way can be very distressing, and potentially puts them at risk.’

    Any Sure customers affected are asked to contact Sure in the first instance.


NOTES

    Data protection is often, wrongly, cited as a reason why something is or is not done. Read ‘Six data protection myths busted’ at: www.odpa.gg/myths

    The ODPA was disappointed to see that its own listing, on page 42 of the Sure Directory is incorrect. However, the listing in the ‘A-Z of Public Services’ is correct.

  • Bailiwick takes part in global ‘Privacy Sweep’ for first time

    The Bailiwick is, for the first time, participating in the Global Privacy Enforcement Network Privacy Sweep which takes place in September and October 2019.

    The Global Privacy Enforcement Network (GPEN) was established to foster cross-border cooperation among privacy authorities. This, the seventh Sweep, will focus on how organisations in each jurisdiction are prepared for handling data breaches, their internal procedures and framework, how they respond and the processes in place for preventing future breaches.

    Guernsey’s Office of the Data Protection Authority (ODPA) is one of 18 privacy enforcement authorities from around the world taking part. The ODPA is focusing solely on healthcare providers and has already contacted a select number locally to respond to GPEN’s set questionnaire.

    ODPA Case and Compliance Investigator, Edward Chapman, is coordinating the Sweep locally.

    ‘The theme for this year is data breach notifications so this presents a great opportunity for the Bailiwick organisations we have contacted to be a part of this important, international project. I would like to assure everyone that their responses to the GPEN questionnaire are for information purposes rather than enforcement.’

    Guernsey is one of a growing number of jurisdictions around the world where data breach reporting is mandatory. Other jurisdictions, such as New Zealand, Hong Kong and Singapore, are in the process of considering the feasibility of adopting a mandatory regime, or are in the process of doing so.

    The Sweep is an opportunity for jurisdictions with mandatory data breach reporting regimes, such as the Bailiwick, to reflect on how their local organisations are performing compared to other parts of the world and identify trends which could guide future education and outreach.

    The overall results of this year’s Sweep will be compiled and made public towards the end of 2019.


    NOTES

    The ODPA have already contacted a small number of local healthcare providers to take part. It is not mandatory for these selected organisations to respond, and no other organisations are required to take part.

    The Global Privacy Enforcement Network (GPEN) is a network of privacy enforcement authorities, of which the ODPA is a member.

    GPEN: https://www.privacyenforcement.net

    More information: https://odpa.gg/gpen/

  • ODPA mentor programme success

    The Office of the Data Protection Authority’s (ODPA) inaugural summer mentor programme saw a local student make a successful contribution to the regulator’s activities.

    Brailen Carey, who is studying a BTEC Level 3 Extended Diploma in Business at Guernsey’s College of Further Education, spent eight weeks with the Office of the Data Protection Authority. Her role over the period included translating aspects of the Bailiwick’s Data Protection Law into a more visual and understandable format and participating in a behavioural assessment activity as part of staff training.

    Emma Martins, the Bailiwick’s Data Protection Commissioner, highlighted the mutual benefit of the programme and how important it is for islanders to take an interest in protecting their data.

    ‘The opportunity to have a student working with us over the summer was hugely positive for both Brailen and the office. We are all generating more data than ever before and the younger generation is often portrayed as uninterested and disengaged with questions of data privacy. Brailen proved that to be very far from the truth; she was able to contribute meaningfully to discussions around what good regulation looks like and how we can work to improve awareness of rights and responsibilities across our whole community.’

    ‘We learnt as much from her as she did from us. Data protection is increasingly important for all sectors and generations and how we ensure our jurisdiction is well regulated is not just a matter for us as the regulator, it is a matter for us all.’

    Brailen found her experience at the ODPA educational and full of opportunity.

    ‘I was given numerous tasks to complete over the summer and the behavioural assessment was particularly interesting; it explained the different aspects of your personality and behaviours and the best way of using your traits within the workplace. I feel that all the experience and training gained during my time with the ODPA will be beneficial to my studies and future career.’

    The ODPA’s mentor programme allows the regulator to gain a better understanding of the younger generation’s views and habits regarding privacy and their data while also fulfilling an important role in providing training and employment. It is also committed to connecting with all the Bailiwick’s residents and is embarking on an outreach programme aimed at engaging young people, to listen to them and learn from their views and experiences.

    Louise Misselke, Principal of Guernsey’s College of Further Education, emphasised the importance of schemes including the ODPA’s mentoring programme.

    ‘Work placement is vital for our full-time students as it enables them to gain specific skills related to their course which really support assessment and achievement in their qualifications. Placement is central to enabling students to gain confidence and can support progression on to their chosen career. I am so pleased that the ODPA was able to offer a placement opportunity, a really interesting experience which is relevant to every area of employment.’

  • Why do we need data ethics?

To continue our series of posts focused on data ethics, our commissioner Emma Martins explains why data ethics is essential if we are to avoid a ‘race to the bottom’ by focusing solely on what is legal, not what is right.


    In the first of our articles on data ethics, we talked about why it is that the question of ethics now has a much higher profile in conversations around data protection.

    Why is it even necessary to have to think beyond what the data protection law says? It is, after all, a very comprehensive piece of legislation that covers the processing of personal data in nearly all its forms.

    I think that at least some of the answer lies in the nature of data in this modern era.

    Put simply, we are immersed in it. Technology has become embedded into our everyday lives, shaping us and our society. Even our bodies are becoming increasingly connected so technology is no longer something apart from us, it is a part of us.

    We produce and consume data as part of huge data ecosystems that span almost every aspect of our work and home lives. Whether we are aware of it or not, our lives are influenced by the processing that goes on, mostly behind the scenes.

And it is because data is now integral to our lives and interwoven into them that the question of regulation rears its head. Few disagree that regulation providing protections and remedies is important when data harms are so real. But if we think of law as being the only arbiter, we essentially consider all conduct except the illegal to be allowed. Doing ethics means that we seek to live our best lives, not see how low we can sink, because if we look only to law, we risk a race to the bottom. We need to aspire to be better than that. How we treat each other and would wish others to treat us is more than law. And much of culture – our attitudes, values, aspirations – starts from a question of ethics. What sort of place do we want to live in and what do we want our lives and the lives of others to be like?

    In the lead up to GDPR there is an argument that in the rush to the 25 May 2018 deadline, compliance became about checklists and tick boxes. Checklists have value but can be counterproductive if we do not engage with the underlying spirit.

    Real respect for data rights can only be delivered in part by law. Regulators and legislation cannot on their own deliver outcomes that truly protect individuals and allow businesses to flourish by ensuring their most important asset – data – is properly looked after. Where you have a culture that understands, engages and respects data protection, organisations will operate that way because there is a cultural and social as well as legal pressure for them to do so.

    Just recently on the radio I heard an item which highlighted how a UK company had hidden a tick box away during an online application process. Affected individuals were shocked and angry at the subsequent way in which their data was used. It was clear that the company concerned had done everything it could to obfuscate the message, trying to get consent from individuals without them even being aware of having given it. This is no accident. Every organisation will make decisions about the layout and wording of webpages and forms. Whilst the law may take a dim view of this sort of deceptive practice, perhaps as important is the fact that it became a news story. This serves to shine a light on organisations that do not engage with their responsibilities legally or ethically which in turn can be very effective in prompting positive change.

    Ethics is not something that stops at the front door of your office. Organisations are made up of people – of us. How we approach all aspects of our lives has the potential to underpin a common foundation for our jurisdiction that we can all benefit from.

    So, to be interested in ethics is to be interested in life. With our lives so completely wrapped up in the data choices we and others make, to be interested in life is also to be interested in data protection.

    More than ever before, data protection requires personal engagement, not just a run through of a check list. In requiring personal engagement it necessarily means that you will bring your personal values to that engagement. Ethics must become a custom, a way of thinking, a set of values held by us all. It is the conversations and the outcomes that matter and we want to play our part in making sure conversations continue and outcomes improve.

  • Human behaviour remains key risk to protecting data

    Thirty-two personal data breaches were reported to The Office of the Data Protection Authority (ODPA) in the two months up to 26 August 2019.

    Eighteen of the breaches were due to personal data being sent, via email or post, to the wrong person. The remaining fourteen were through criminal activity, hacking, personal data being accessed inappropriately, the disclosure of personal data when not authorised to do so, or personal data being lost.

    Emma Martins commented on the human aspect of personal data breaches.

    ‘What is striking from this period’s statistics is that all the breaches reported to us were due to human action, whether deliberate or accidental. There was not a single incidence of system error. We must all recognise that it is people’s awareness, attitudes, behaviour and choices that often pose the biggest risk to the protection of personal data, rather than our IT systems. Because of this, my office is laser-focused on raising everyone’s appreciation and awareness of data protection, in the hope that we can create positive cultural change around how people think, and feel, about taking care of personal data.’

    Part of this awareness-raising is the ODPA’s decision to take part in this year’s Global Privacy Enforcement Network (GPEN) ‘Privacy Sweep’ for the first time. This international intelligence-gathering exercise examines a different theme each year and in 2019, the focus is on how data breach notifications are handled.

    Mrs Martins said,

    ‘We will be contacting a sample of local organisations directly, asking them to respond to a short survey from GPEN later this month. Honest responses to the survey are encouraged, as it is only through honesty that an accurate snapshot of the challenges organisations face can be taken, from which we can all learn lessons. Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’

    NOTES

    This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018 (previous releases are listed below). Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

    Number of personal data breaches reported to ODPA:

    Reporting period                  Breaches reported
    2 months to 26 August 2019        32
    2 months to 25 June 2019          50
    2 months to 22 April 2019         40
    2 months to 22 February 2019      45
    2 months to 18 December 2018      28
    2 months to 18 October 2018       26

    PREVIOUS RELEASES: bi-monthly breach report statistics

    Breach criteria
    A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

    However, organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident. It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

    ‘Significant interests’ explained
    A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.
