ODPA confirms data breaches still at low levels, mostly accidental

Print

Number of personal data breaches reported to ODPA by category. Date range: 1 Sep – 31 Oct 2020 (CLICK TO ENLARGE)

THIRTY-FOUR personal data breaches were reported to the Office of the Data Protection Authority (ODPA) in the two months leading up to 31 October 2020, the vast majority of which were classified as accidental.

Overall, from the latest statistics, 26, or 75% of the breaches related either to data sent to the incorrect recipient by email or post and the total is consistent with previous reporting periods. Of the 11 possible categories devised by the ODPA, the remaining eight were classified as cyber incidents, inappropriate access or inappropriate disclosure.

The 34 were from a range of sectors, including six from retail/wholesale, a similar number from fiduciary entities, three from charities/not for profit and the remaining 19 spread across 11 other sectors.

The Bailiwick’s Data Protection Commissioner, Emma Martins, observed that although the number of errors remains relatively low, all parties still have something to learn.

‘The publication of information relating to the number and nature of personal data breaches is important. It ensures that we are all part of an honest approach when things go wrong and it also helps us to better understand the areas of risk which in turn can help us focus on preventing them in the future. It continues to be the case that accidental sending of data to the wrong person is the most common type of breach reported to us. What we can take from that is the knowledge that it is absolutely something we can all play a positive and important role in reducing. We will never eliminate human error, but we should not underestimate the impact having robust systems and processes, together with comprehensive staff awareness and training programmes can have in mitigating those risks.’

Mrs Martins added:

‘It is also important to remember that for each of these breaches, the personal information of one or more individuals is likely to have been compromised. Our aim in raising awareness and encouraging a focus on making improvements is to ensure we all do as much as we can to protect people from those harms. I would take this opportunity to once again thank our local regulated community for their engagement in this breach reporting requirement; it continues to have a direct and meaningful impact on raising the standards of data governance for the Bailiwick.’

NOTES

This release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018. Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018. The Data Protection (Bailiwick of Guernsey) Law, 2017 (section 42) states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.

Breach reporting
One of the key changes to the local data protection law that came into force in May 2018 is that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it (see section 42 (2) of the Law). Organisations can report breaches to the ODPA via odpa.gg/breach-reporting.

Why does the ODPA publish breach statistics?
The ODPA has published statistics of the number of breach reports it receives, every 2 months since October 2018. Publishing this information allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.

 Number of personal data breaches reported to ODPA (2018 – present):

 

ODPA confirms data breaches still at low levels, mostly accidental
2 months to 31 October 2020 – details above 
34
Lowest number of data breaches: less data harms, or less engagement?
2 months to 31 August 2020 
21
Learning and improvement the route to a culture of compliance 
(2 months to 30 June 2020)
34
Commissioner ‘encouraged’ by consistent breach reporting trend
(2 months to 30 April 2020)
30
Lowest number of breaches in more than a year
(2 months to 29 February 2020)
28
Data Protection Commissioner calls for a culture of improvement
2 months to 28 December 2019
48
Data breaches: workplace culture change needed
(2 months to 27 Oct 2019)
44
Human behaviour remains key risk to protecting data
(2 months to 26 Aug 2019)
32
Data Protection Commissioner cautions against a ‘culture of blame’
(2 months to 25 Jun 2019)
50
Human error remains biggest risk in data protection locally
(2 months to 22 Apr 2019)
40
ODPA report further increase in local data breaches
(2 months to 22 Feb 2019)
45
Increase in local data breaches
(2 months to 18 Dec 2018)
28
ODPC offers advice after increase in local data breaches
(2 months to 18 Oct 2018)
26

 

How are personal data breaches categorised?
The ODPA individually assess each breach reported to them and assign them to one of the eleven categories listed below. Nine of the eleven categories specify whether a breach in that category would normally be considered ‘accidental’ or ‘deliberate’. One of the eleven categories (‘cyber incidents’) can be either accidental or deliberate. It should be noted that breaches categorised as ‘deliberate’ are not necessarily considered to be malicious. 

1 Loss of data/paperwork/device accidental
2 Data sent to incorrect recipient – email accidental
3 Data sent to incorrect recipient – post accidental
4 Data sent to incorrect recipient – fax accidental
5 Inappropriate access accidental
6 Inappropriate disclosure accidental
7 System error accidental
8 Cyber incidents accidental or deliberate
9 Unauthorised access deliberate
10 Unauthorised disclosure deliberate
11 Other accidental or deliberate

What is a personal data breach?
A personal data breach is defined in section 111(1) of the Law as any incident that meets the following criteria: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.  There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

What is the threshold for reporting a data breach to the ODPA?
Organisations do not have to report any incidents that meet the above criteria if the incident is ‘unlikely’ to result in a risk to the ‘significant interests’ of any person whose data has been affected by the incident (see section 42 (5) of the Law). It can be difficult, and sometimes inappropriate, for organisations themselves to judge whether there is a risk to a person’s significant interests, so the ODPA encourages all incidents to be reported.

What are a person’s ‘significant interests’?
A person’s ‘significant interests’ are defined in the local Law as any aspect of their life that could be put at risk due to their personal data being breached. This could include their physical safety, their reputation, and could extend to placing them at risk of identity theft, fraud, financial loss, psychological distress or humiliation.