Data Protection Commissioner

Breach Notification Guidance

The Data Protection Commissioner has approved a personal data security breach Code of Practice to help organisations to react appropriately when they become aware of breaches of security involving customer or employee personal information. In the public sector, guidance from the Department of Finance on data security also advises departments and agencies to report data breaches immediately to this Office.

Notification of data security breaches to the Office of the Data Protection Commissioner allows us to advise organisations, at an early stage, how best to deal with the aftermath of a disclosure and how to ensure that there is no repetition. It also allows us to reassure members of the public that we are aware of the problem and that the organisation in question is taking the issue seriously.

Organisations confronted with a breach of security affecting personal data should study the Code of Practice carefully. Some key considerations in relation to the application of the terms of the Code are set out below. The Office of the Data Protection Commissioner will be happy to offer further advice to organisations about how best to apply the terms of the Code. Contact details for the Office are set out at the end of this guidance note.

Applying the Personal Data Security Breach Code of Practice

Paragraph one of the Code of Practice sets out the legal obligation to process personal data fairly and to take appropriate security measures to protect it.

Paragraph two refers to the need to focus on the rights of data subjects where their personal data has been put at risk.

Paragraph three states that data controllers who have experienced an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data must give immediate consideration to notifying the affected data subjects. As the Code states, "this permits data subjects to consider the consequences for each of them individually and to take appropriate measures." The consequences may include the potential for fraud or identity theft, but they may also involve the potential for damage to reputation, public humiliation or even threats to physical safety. The Data Protection Acts give individuals the right to exercise control over how their data is used. A breach of personal data security may compromise that right. Notifying data subjects is a remedial measure intended to redress the balance and restore some measure of knowledge and control.

The information communicated to data subjects should include information on the nature of the personal data breach and a contact point where more information can be obtained. It should recommend measures to mitigate the possible adverse effects of the personal data breach. If the affected data subjects are not immediately identifiable, public notification may be the most appropriate means of communication, for example through the media or through a website. Data controllers should consider whether the method of notification adopted might increase the risk of harm to the data subjects.

Paragraph three of the Code also advises that data controllers should notify organisations that may be in a position to assist in protecting data subjects, and mentions An Garda Síochána and financial institutions. Depending on the circumstances, other examples could include IT experts that can offer containment advice or internet companies that may assist in removing relevant cached links from their search engines. As with all other aspects of the Code, the Office of the Data Protection Commissioner is happy to offer advice in this regard.

Paragraph four notes that there may be circumstances where the data controller may reasonably conclude that there is no risk to personal data due to the adoption of high-quality technological measures that effectively make the data inaccessible. For example, personal data stored on an encrypted laptop with secure access controls may be considered inaccessible in practice, and the Office of the Data Protection Commissioner considers that the loss of such a device would not normally involve a risk to the personal data stored on it. However, the strongest encryption software[1] is useless if the access password is stored with the device or if the password is weak[2]. Other access controls (such as biometric identifiers, swipe cards, tokens, etc.) may further strengthen security, particularly when used in combination with a complex password.

Paragraph five of the Code of Practice states that a data processor must report breaches of personal data security to the relevant data controller as soon as they become aware of the incident. This duty should be reflected in appropriate contracts signed between data controllers and data processors. The data controller should then follow the steps set out in the Code.

Paragraph six of the Code of Practice states that all incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner. The only exception is where all of the following apply: the data subjects have already been informed, the loss affects no more than 100 data subjects, and the loss involves only non-sensitive, non-financial personal data. It should be noted that the fact that a data controller has notified the Office of the Data Protection Commissioner of a loss of control of personal data does not necessarily imply that a breach of the Data Protection Acts 1988 and 2003 has taken place. The Code also makes clear that if a doubt exists - especially as to whether the technological measures protecting the data are such as to permit a reasonable conclusion that the personal data has not been put at risk - the matter should be reported to the Office of the Data Protection Commissioner.

Paragraph seven of the Code of Practice sets a timeframe of two days for a data controller to inform the Office of the Data Protection Commissioner once the data controller has become aware that personal data has been put at risk. Complex personal data security breach incidents may take a considerable period of time to fully investigate and resolve. All that is required within that timeframe is initial contact with the Office describing the facts as they are known and the steps being taken to address those facts. Personal data should not be included in such reports to the Office of the Data Protection Commissioner, and it is a matter for the data controller to decide the most secure method of contact, based on the nature of the information to be imparted.

Paragraph eight of the Code of Practice sets out the elements to be included in any formal report that may be sought by the Office of the Data Protection Commissioner. The elements set out in paragraph eight should also be considered when preparing to notify data subjects directly of a personal data security breach incident. The Office may seek other documents in addition, based on the circumstances surrounding the incident. The Office will also set a timeframe for the delivery of a detailed report based on the nature of the incident and the extent of the information required.

Paragraph nine of the Code of Practice states that the Data Protection Commissioner may launch a detailed investigation depending on the nature of the personal data security breach incident. Such investigations may produce a list of recommendations for the attention of the relevant data controller. Responsible data controllers cooperate willingly with the Commissioner's investigations and are happy to comply with any recommendations he may issue. However, in rare cases in which such compliance is not forthcoming, the Commissioner may use his legal powers to compel appropriate actions.

Even if the Office of the Data Protection Commissioner is not notified, paragraph ten of the Code of Practice states that data controllers should keep centrally a brief summary record of each personal data security breach incident with an explanation of the basis for not informing the Office of the Data Protection Commissioner. The purpose of this record is to allow the Office of the Data Protection Commissioner to check compliance with the Code of Practice during audits. It also allows the Office to search for patterns indicating problems within particular organisations or sectors.

Paragraph eleven of the Code of Practice is self-explanatory, stating simply that the Code applies to all categories of data controllers and data processors to which the Data Protection Acts apply.

"Prevention is better than Cure"

Following the steps outlined in the Code of Practice after a data security breach is no substitute for the proper design of systems to secure personal data from accidental or deliberate disclosure. Our general advice on data security is here. But we accept that, even with the best-designed systems, mistakes can happen. As part of a data security policy, an organisation should anticipate what it would do if there were a data breach. Some questions you might ask yourself:

· What would your organisation do if it had a data breach incident?

· Have you a policy in place that specifies what a data breach is? (It is not just lost USB keys, disks or laptops. It may include any loss of control over personal data entrusted to the organisation, including inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals.)

· How would you know that your organisation had suffered a data breach? Do staff at all levels understand the implications of losing personal data?

· Has your organisation specified whom staff should tell if they have lost control of personal data?

· Does your policy make clear who is responsible for dealing with an incident?

· Does your policy meet the requirements of the Data Protection Commissioner's approved Personal Data Security Breach Code of Practice?

How to Notify Us

E-Mail - info@dataprotection.ie

Phone - 1890 252231 (lo-call); 00 353 (0) 57 8684800

Fax - 00 353 (0) 57 8684757

[1] The standard of encryption required to adequately secure data changes with advances in technology. Whole-disk encryption of 256-bit strength should meet the requirement at present.

[2] A strong password would typically be 14 characters long, contain a random selection of letters, numbers and symbols, and be impossible to guess.