Breach Notification Guidance Under The Data Protection Acts 1988-2003
If your organisation has experienced a personal data breach that occurred prior to 25th May 2018, and where the breach is not still ongoing after 25th May 2018, it is likely to be dealt with under the previous legislative regime. The relevant pieces of primary legislation in this regard are the Data Protection Acts 1988-2003 ("the Acts").
Under the provisions of the Acts, the DPC approved a personal data security breach Code of Practice to help organisations to react appropriately when they become aware of breaches of security involving customer or employee personal information. The Code of Practice does not apply to providers of publicly available electronic communications networks or services. This is because the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011) place specific obligations on providers of publicly available electronic communications networks or services to safeguard the security of their services.
Applying the Personal Data Security Breach Code of Practice
Data controllers confronted with a breach of security affecting personal data should study the Code of Practice carefully. Some key considerations in relation to the application of the terms of the Code are set out below.
Paragraph one of the Code of Practice sets out the legal obligation to process personal data fairly and to take appropriate security measures to protect it.
Paragraph two refers to the need to focus on the rights of individuals where their personal data has been put at risk.
Paragraph three states that data controllers which have experienced an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data must give immediate consideration to notifying the affected individuals. As the Code states, "this permits data subjects to consider the consequences for each of them individually and to take appropriate measures." The consequences may include the potential for fraud or identity theft, but they may also involve damage to reputation, public humiliation or even threats to physical safety. The Data Protection Acts give individuals the right to exercise control over how their data is used, and a breach of personal data security may compromise that right. Notifying individuals is a remedial measure intended to redress the balance and restore some measure of knowledge and control. The information communicated to individuals should describe the nature of the personal data breach, give a contact point where more information can be obtained, and recommend measures to mitigate its possible adverse effects. If the affected individuals cannot be identified immediately, public notification may be the most appropriate means of communication, for example through the media or through a website. Data controllers should also consider whether the chosen method of notification might itself increase the risk of harm to the data subjects, for instance by drawing attention to the data or by reaching people other than those affected.
Paragraph three of the Code also advises that data controllers should provide affected individuals with details of bodies that may be in a position to assist them, for example An Garda Síochána and financial institutions. Depending on the circumstances, other examples could include IT specialists who can offer containment advice, or search engine operators who may assist in removing cached copies of the exposed data from their indexes. As with all other aspects of the Code, the DPC is happy to offer advice in this regard.
Paragraph four notes that there may be circumstances in which a data controller may reasonably conclude that there is no risk to personal data because high-quality technological measures effectively make the data inaccessible. For example, personal data stored on an encrypted laptop with secure access controls may be considered inaccessible in practice, and the DPC considers that the loss of such a device would not normally involve a risk to the personal data stored on it. However, the strongest encryption software[1] is useless if the access password is stored with the device or if the password is weak[2]. Whole-disk encryption also protects data only while it is at rest: a device lost while powered on with an unlocked session, or in a sleep state with the decryption key still in memory, should not be assumed to be protected. Other access controls (such as biometric identifiers, swipe cards, tokens etc.) may further strengthen security, particularly when used in combination with a complex password.
Paragraph five of the Code of Practice states that a data processor must report breaches of personal data security to the relevant data controller as soon as they become aware of the incident. This duty should be reflected in appropriate contracts signed between data controllers and data processors. The data controller should then follow the steps set out in the Code.
Paragraph six of the Code of Practice states that all incidents in which personal data has been put at risk should be reported to the DPC. The only exception is where all three of the following conditions hold: the affected individuals have already been informed, the loss affects no more than 100 data subjects, and the loss involves only non-sensitive, non-financial personal data. It should be noted that the fact that a data controller has notified the DPC of a loss of control of personal data does not necessarily imply that a breach of the Data Protection Acts 1988-2003 has taken place. The Code also makes clear that if a doubt exists, in particular as to whether the technological measures protecting the data permit a reasonable conclusion that the personal data has not been put at risk, the matter should be reported to the DPC.
Paragraph seven of the Code of Practice sets a timeframe of two days for a data controller to inform the DPC once the data controller has become aware that personal data has been put at risk. Complex personal data security breach incidents may take a considerable period of time to fully investigate and resolve; all that is required within the two days is initial contact with the Office describing the facts as they are known and the steps being taken to address them. Personal data should not be included in such reports to the DPC, and it is a matter for the data controller to decide the most secure method of contact, based on the nature of the information to be imparted.
Paragraph eight of the Code of Practice sets out the elements to be included in any formal report that may be sought by the DPC. The elements set out in paragraph eight should also be considered when preparing to notify data subjects directly of a personal data security breach incident. The Office may seek other documents in addition based on the circumstances surrounding the incident. The Office will also set a timeframe for the delivery of a detailed report based on the nature of the incident and extent of the information required.
Paragraph nine of the Code of Practice states that the DPC may launch a detailed investigation depending on the nature of the personal data security breach incident. Such investigations may produce a list of recommendations for the attention of the relevant data controller. Responsible data controllers cooperate willingly with the DPC's investigations and comply with any recommendations it may issue. However, in the rare cases in which such compliance is not forthcoming, the DPC may use its legal powers to compel appropriate actions.
Even where the DPC is not notified, paragraph ten of the Code of Practice states that data controllers should keep a central, brief summary record of each personal data security breach incident, together with an explanation of the basis on which the DPC was not informed.
Paragraph eleven of the Code of Practice is self-explanatory, stating simply that the Code applies to all categories of data controllers and data processors to which the Data Protection Acts apply.
"Prevention is better than Cure"
Complying with the relevant reporting requirements following a data security breach is no substitute for the proper design of systems to secure personal data from accidental or deliberate disclosure; our general guidance on data security is published separately. But we accept that, even with the best-designed systems, mistakes can happen. As part of its data security policy, an organisation should anticipate what it would do if there were a data breach.
Some questions you might ask yourself:
- What would your organisation do if it had a data breach incident?
- Have you a policy in place that specifies what a data breach is? (It is not just lost USB keys, disks or laptops. It may include any loss of control over personal data entrusted to the organisation, including inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals.)
- How would you know that your organisation had suffered a data breach? Do staff at all levels understand the implications of losing personal data?
- Has your organisation specified whom staff tell if they have lost control of personal data?
- Does your policy make clear who is responsible for dealing with an incident?
- Does your policy meet the requirements of the Data Protection Commissioner's approved Personal Data Security Breach Code of Practice?
If you wish to notify us that your organisation has experienced a breach of personal data that occurred prior to 25th May 2018, please click here to access the Breach Notification Form.
[1] The standard of encryption required to adequately secure data changes with advances in technology. Whole-disk encryption using a 256-bit key (for example AES-256) should meet the requirement at present.
[2] A strong password would typically be at least 14 characters long, consist of a random selection of letters, numbers and symbols, and not be derived from dictionary words or personal information. Note that a 14-character password drawn at random from the 94 printable ASCII characters gives roughly 92 bits of entropy, well below the 256-bit key it protects, so in practice the password, not the cipher, sets the effective strength of the encryption.