Data Protection Commissioner

Data Protection Commissioner launches Consultation on development of a Data Security Breach Code of Practice

31 May 2010

The Data Protection Commissioner has published a draft Data Security Breach Code of Practice for public consultation in response to a recommendation in the recently published report of the Data Protection Review Group.  The draft Code of Practice has been placed on the website of the Office of the Data Protection Commissioner (www.dataprotection.ie) and the Commissioner has invited comments and observations in relation to the draft code from members of the public and organisations.

The Data Protection Review Group established by the Minister for Justice and Law Reform in 2008 considered, amongst other things, how to ensure that the reporting obligations of organisations in relation to data security breaches are sufficiently robust to protect the rights of data subjects.  Following a period of public consultation, the Review Group issued a report recommending that:

"The reporting obligations of data controllers in relation to data breaches should be set out in a statutory Code of Practice as provided for under the Data Protection Acts.  The Code, broadly based on the current guidelines from the DPC, should set out the circumstances in which disclosure of data breaches is mandatory.  Failure to comply with the disclosure obligations of the Code could lead to prosecution by the DPC."

The Commissioner, publishing the Code, stated, "I have sought to bring forward a draft Code as quickly as possible after the Review Group report to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations."

The draft Code provides that all instances of the loss of personal data (except where the data can be considered inaccessible due to proper security) must be reported to the Office of the Data Protection Commissioner where it affects more than a hundred individuals or where it involves any loss of sensitive personal data or personal financial data that could be used to carry out identity theft. 

In situations where one hundred or fewer individuals are affected, there will be no need to report to the Office provided that those individuals are fully informed by the organisation and no sensitive personal data or personal financial data that could be used to carry out identity theft is involved.

For more information, contact Diarmuid Hallinan at 057 868 4791 or by email to media@dataprotection.ie