Introduction

This briefing is part of a Walkers series on the Data Protection (Bailiwick of Guernsey) Law, 2017 (the "DPL"), and provides an overview of personal data breaches. It describes some key points which organisations may want to consider when handling a personal data breach.


A related briefing on the object of the DPL, some of the key concepts used in the DPL, what the data principles are and the rights of data subjects is available here.

What is a breach?

A personal data breach is defined in the DPL as a breach of security leading to accidental or unlawful destruction, loss or alteration of personal data, or unauthorised disclosure of, or access to, personal data. Examples of personal data breaches can include (but are not limited to):

  • inappropriate access to, or disclosure of, personal data;
  • loss of personal data;
  • data sent to the incorrect recipient (by e-mail or post etc.);
  • system error resulting in the loss or alteration of, or unauthorised access to, personal data; and
  • cyber incidents.

What should a controller / processor do if they experience a personal data breach?

The approach to handling a personal data breach depends on whether the breach is experienced by a controller or a processor. Where a controller becomes aware of a personal data breach, the controller must give the Office of the Data Protection Authority (the "ODPA") written notice of it as soon as practicable, unless the breach is not likely to result in any risk to the significant interests of the data subject. In any event, notice should be given no later than 72 hours after the controller becomes aware of the breach, unless this is not practicable. The written notice must include:

  • a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach;
  • a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and
  • if the notice is given more than 72 hours after the controller becomes aware of the personal data breach, an explanation of the reasons for the delay.

If the aforementioned information cannot be provided to the ODPA at the time of the written notice, the DPL allows the controller to provide the information in phases as soon as practicable.

Where a processor becomes aware of a personal data breach, the processor must give the controller notice of it as soon as practicable, and where oral notice is given, the processor must follow up the oral notice with a written notice to the controller at the first available opportunity.

Where an event is initially suspected to be a personal data breach but does not fall within the scope of the definition (above), a controller should retain a written record of its assessment. It may also be appropriate for the controller to conduct a review of such an event to assess whether any improvements to technical or organisational measures could be put in place to mitigate any similar "near miss" event in the future.

Do I need to notify the affected data subject(s)?

Where a controller becomes aware of a personal data breach that is likely to pose a high risk to the "significant interests" of a data subject, the controller must give the data subject written notice of the breach as soon as practicable. The notice must include:

  • a description of the nature of the breach;
  • the name and contact details of the data protection officer or other source where more information can be obtained;
  • a description of the likely consequences of the breach; and
  • a description of the measures taken, or proposed to be taken, by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

A controller is not required to give notice to a data subject in circumstances where:

  • the personal data involved in the breach is unintelligible as a result of technical and organisational measures, such as encryption, applied to it;
  • the controller has subsequently taken sufficient mitigating measures which ensure that the risk is no longer likely to materialise; or
  • notifying the data subject would require disproportionate effort.

The ODPA may also require that a controller notifies a data subject if it considers that the controller is obliged to do so under the DPL.

When assessing whether there is a high risk to the significant interests of data subjects, the controller must consider the nature, scope, context and purposes of the processing. The controller must consider each possible impact on the data subject resulting from the breach, as well as the likelihood of each possible impact occurring. This is an assessment that a controller must make and be able to justify if questioned. As such, the ODPA recommends that a controller record its rationale for the decisions taken, particularly where it concludes that a breach does not amount to a high risk to the significant interests of data subjects.

Record keeping

A controller must keep a written record of each personal data breach of which they are aware, including the facts relating to the breach, the effects of the breach, the remedial action taken, and any steps taken by the controller to comply with the DPL. This includes whether the controller gave notice to the ODPA of a personal data breach, and if so, a copy of the notice.

This information must be recorded and retained by the controller whether or not the personal data breach is reported to the ODPA. The record must be retained for a period of 6 years from the day on which the controller or processor first became aware of the breach.

Failure to notify the ODPA of a personal data breach

Where a controller fails to notify the ODPA of a personal data breach, the ODPA may, following a breach determination, impose all or any of the following sanctions against that controller:

  • a reprimand;
  • a warning that any proposed processing or other act or omission is likely to breach an operative provision; or
  • an order against the person concerned requiring that person to take all or any of the steps specified in the DPL, including requiring the controller to pay a civil penalty by way of an administrative fine ordered by the ODPA.

What happens when a breach is reported to the ODPA?

The ODPA has recently explained that the main purpose of reporting personal data breaches is to ensure that such events are handled appropriately in order to mitigate further risk to data subjects and to ensure that steps are taken to prevent future incidents. When a personal data breach is reported, the ODPA will complete an assessment of the circumstances and identify whether there is any further action that should be taken by the controller in response to the breach. This will include ensuring that appropriate consideration has been given to whether any affected data subject should be notified.

Walkers' comments

When considering personal data breach events, it is important for an organisation to ensure that it has a defined response plan to deal with a data breach. It is recommended that the plan be tested regularly and rigorously, so that all the relevant individuals within the organisation are familiar with the response plan and their roles under it before an incident occurs.

Once an organisation has established the facts of the breach, it should try to contain it, minimise the harm that could be caused to the people whose information has been breached, and take all reasonable steps to preserve evidence for any forensic investigation that may become necessary. Containment and evidence preservation should be planned together, since hasty remediation (for example, rebuilding or wiping affected systems) can destroy the records needed to establish the scope of the breach and to support the written record the DPL requires.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.