Consultation on development of a data security breach code of practice
The Data Protection Review Group established by the Minister for Justice and Law Reform considered, amongst other things, how to ensure that the reporting obligations of organisations in relation to data security breaches are sufficiently robust to protect the rights of data subjects. Following a period of public consultation, the Review Group issued a report recommending that:
"The reporting obligations of data controllers in relation to data breaches should be set out in a statutory Code of Practice as provided for under the Data Protection Acts. The Code, broadly based on the current guidelines from the DPC, should set out the circumstances in which disclosure of data breaches is mandatory. Failure to comply with the disclosure obligations of the Code could lead to prosecution by the DPC."
The following draft Code of Practice has been prepared in response to this recommendation of the Data Protection Review Group. As a follow-up to the consultation exercise mentioned above, members of the public are invited to send comments and observations in relation to the draft Code by email to:
or by post to:
Office of the Data Protection Commissioner
All comments and observations should be received before on
Draft Data Security Breach Code of Practice
Section 2(1)(d), as elaborated upon in Section 2C of the Data Protection Acts 1988 and 2003, requires that appropriate security measures be taken to prevent unauthorised access to or unlawful processing of personal data. Any loss of control of personal data by a data controller [1] leading to, or that may lead to, the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data constitutes a breach of this requirement.
The focus of the Office of the Data Protection Commissioner in such cases is on the rights of data subjects affected by a data security breach incident. Data controllers confronted with a breach of their data security obligations must give immediate consideration to informing those affected. This permits data subjects to consider the consequences for each of them individually and to take appropriate measures. Data controllers should also notify organisations that may be in a position to assist in protecting data subjects including, where relevant, An Garda Síochána, financial institutions etc.
All incidents of loss of control of personal data by a data controller must be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident, except:
(i) where the personal data was inaccessible in practice due to being stored on encrypted equipment secured to a high standard with a strong password and the password was not accessible to unauthorised individuals;
(ii) where the personal data was stored on equipment with a strong password and a remote memory wipe feature that was activated immediately after the incident and there is no reason to believe that the personal data was likely to have been accessed before such deletion took place;
(iii) where the full extent and consequences of the incident have been reported without delay directly to the affected data subject(s), and it affects no more than 100 data subjects, and it does not include sensitive personal data [2] or personal financial data that could be used to carry out identity theft.
Even where no requirement to notify the Office of the Data Protection Commissioner arises, the data controller must keep a record of each such incident and the steps taken in response to it. This record is to be made available to the Office of the Data Protection Commissioner upon request.
Data controllers who are required to report to the Office of the Data Protection Commissioner in accordance with this Code must do so within two working days of becoming aware of the incident. Such data controllers are required to provide a detailed report of the incident reflecting careful consideration of the following elements:
• the amount and nature of the personal data that has been compromised;
• what action is being taken to secure and/or recover the personal data that has been compromised;
• what actions are being taken to inform those affected by the incident, or the reasons for the decision not to do so;
• what actions (if any) are being taken to limit damage or distress to those affected by the incident; and
• a chronology of the events leading up to the disclosure.
A further report will be required that describes the measures being undertaken to prevent repetition of the incident.
The Office of the Data Protection Commissioner will investigate the issues surrounding the data breach. Investigations may include on-site examination of systems and procedures and could lead to the use of the Commissioner's legal powers to compel certain actions. Such actions may include a recommendation or requirement to inform data subjects about a security breach incident where a data controller has not already done so.
[1] 'Data controllers' are organisations that collect and hold personal data on individuals ('data subjects').
[2] As defined in Section 1(1) of the Data Protection Acts: racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, physical or mental health, sexual life, commission or alleged commission of an offence, or proceedings for an offence.