Inquiry into the Personal Injuries Assessment Board

(IN-20-4-7)

Date of Decision: 24 January 2022

This inquiry was commenced in respect of a personal data breach that the Personal Injuries Assessment Board (‘PIAB’) notified to the DPC on 10 December 2019. PIAB is an independent statutory body that deals with personal injury claims. The personal data breach occurred when a third party organisation (‘the Third Party’) contracted by PIAB returned materials containing personal data to PIAB on an unencrypted USB key in a paper envelope, which USB key was ultimately lost in the post with only a ripped envelope delivered to PIAB.

The Inquiry considered whether the PIAB had complied with its obligation to implement an appropriate level of security under Article 32 GDPR. The Inquiry established that PIAB had requested in advance that the Third Party not send the personal data to PIAB. In those circumstances, the Decision found that PIAB could not possibly have foreseen that without consultation with it, the Third Party would post an unencrypted USB storage device in an unpadded envelope by ordinary (not registered) post.

The corrective powers exercised:

• No corrective powers were exercised by the Data Protection Commission in this instance because no provision of the GDPR was found to have been infringed by PIAB.

For more information, you can download a copy of the full decision at this link: Personal Injuries Assessment Board January 2022 (PDF, 628 KB).