Data Breaches – What to do if you find personal data in a public place

Data controllers in the private and public sectors hold increasing amounts of personal data on individuals.

Many organisations also continue to hold large quantities of personal data in paper form – often in on-site locations like offices, businesses, hospitals or other facilities. This large increase in the quantity of personal data processed and held gives rise to security challenges for the organisations that collect the data.

Occasionally, incidents will arise where personal data stored or maintained in paper form or in digital form on portable storage devices such as laptops, smartphones, or USB drives, may be lost or stolen.

In the unlikely event that a member of the public should find personal data or come into possession of documents or devices containing personal data that is not their own, it is important not to compound any personal data breach by further disclosing or transferring the data to any additional third parties.

If the source of the data is identifiable, by a company logo, or the name and details of the organisation, then the recommended course of action is to immediately return the data to its source.

While the temptation may arise to read or otherwise examine the personal data, the Data Protection Commission would respectfully request that members of the public would not do this, as it may represent a further breach of confidentiality.

Onward disclosure or processing of the personal data may result on a loss of confidentiality for the data subjects, and may infringe on their rights and freedoms.

In the event that the source of the personal data cannot be identified, members of the public are invited to contact the Data Protection Commission, and we will endeavor to assist you to identify the rightful owner with a view to returning the documents to them, and the Data Protection Commission will notify the owner of its obligations under Article 33 of the General Data Protection Regulation.