Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

New: Breach Notification Process Under GDPR

From 25th May 2018, the General Data Protection Regulation (GDPR) introduces a requirement for organisations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. Organisations must do this within 72 hours of becoming aware of the breach.

Where a breach is likely to result in a high risk to the affected individuals, organisations must also inform those individuals without undue delay.

Please see the guidance below in relation to notifying this Office of a breach. Please note the separate reporting requirements that are applicable to providers of publicly available electronic communications networks or services under the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011).

To facilitate decision-making and determine whether or not your organisation needs to notify the relevant supervisory authority and affected individuals, you should have a high-quality risk management process and robust breach detection, investigation and reporting processes.

Please note that even where you determine there is no risk to affected individuals following a personal data breach, you need to keep an internal record of the details, the means by which it was decided there was no risk, who decided there was no risk and the risk rating that was recorded.

Initial notification of a breach

  • All breach notification forms must be emailed to: breaches@dataprotection.ie
  • All national breach notifications must be notified using the 'National Breach Notification Form'.
  • All cross-border personal data breaches must be notified using the 'Cross-Border Breach Notification Form'.
    Cross-border processing means either:
    • Processing of personal data which takes place in the context of the activities of establishments in more than one Member State of an organisation; or
    • Processing of personal data which takes place in the context of the activities of a single establishment of an organisation that substantially affects or is likely to substantially affect data subjects in more than one Member State
  • Note for providers of publicly available electronic communications networks or services: the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011) place specific obligations on such providers to safeguard the security of their services. To report a breach on behalf of any organisation in this sector, please complete our Telecoms/ISP providers Data Security Breach Notification Form, available at dataprotection.ie/secur-breach/
  • In the subject line of the email please include the following information:
    • Whether the breach you wish to notify the DPC of is 'new' or an 'update' to a previous breach notification
    • Your organisation name
    • Your self-declared risk rating for the breach

An example of an email subject line is provided below:
Subject: New Breach Report, [organisation name], High Risk

Self-Declared Risk Rating

  • In determining how serious you consider the breach to be for affected individuals, you should take into account the impact the breach could potentially have on individuals whose data has been exposed. In assessing this potential impact you should consider the nature of the breach, the cause of the breach, the type of data exposed, mitigating factors in place and whether the personal data of vulnerable individuals has been exposed. The levels of risk are further defined below:
    • Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal
    • Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial
    • High Risk: The breach may have a considerable impact on affected individuals
    • Severe Risk: The breach may have a critical, extensive or dangerous impact on affected individuals.
Updating an existing notification

  • If your notification was incomplete for any reason, you should submit further information when it becomes available. In this case, please submit a new version of the appropriate form with the relevant fields of the form completed.
  • For updated notifications please include the following information in the subject line of the email:
    • Updated Breach Notification
    • Organisation Name
    • DPC reference number (if one has been provided)
    • The self-declared risk rating for the breach

An example of an email subject line is provided below:
Subject: Update Breach Report, [Organisation Name], [Reference Number], High Risk

Please do not include the personal information of affected individuals in your notification.

BREACH NOTIFICATION GUIDANCE UNDER THE DATA PROTECTION ACTS 1988-2003

If your organisation has experienced a personal data breach that occurred prior to 25th May 2018, and where the breach is not still ongoing after 25th May 2018, it is likely to be dealt with under the previous legislative regime. The relevant pieces of primary legislation in this regard are the Data Protection Acts 1988-2003 ("the Acts").

Under the provisions of the Acts, the DPC approved a personal data security breach Code of Practice to help organisations to react appropriately when they become aware of breaches of security involving customer or employee personal information. The Code of Practice does not apply to providers of publicly available electronic communications networks or services. This is because the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (SI 336 of 2011) place specific obligations on providers of publicly available electronic communications networks or services to safeguard the security of their services.

Applying the Personal Data Security Breach Code of Practice

Data controllers confronted with a breach of security affecting personal data should study the Code of Practice carefully. Some key considerations in relation to the application of the terms of the Code are set out below.

Paragraph one of the Code of Practice sets out the legal obligation to process personal data fairly and to take appropriate security measures to protect it.

Paragraph two refers to the need to focus on the rights of individuals where their personal data has been put at risk.

Paragraph three states that data controllers which have experienced an incident giving rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data must give immediate consideration to notifying the affected individuals. As the Code states, "this permits data subjects to consider the consequences for each of them individually and to take appropriate measures." The consequences may include the potential for fraud/identity theft, but it may also involve the potential for damage to reputation, public humiliation or even threats to physical safety. The Data Protection Acts give individuals the right to exercise control over how their data is used. A breach of personal data security may compromise that right. Notifying individuals is a remedial measure intended to redress the balance and restore some measure of knowledge and control. The information communicated to individuals should include information on the nature of the personal data breach and a contact point where more information can be obtained. It should recommend measures to mitigate the possible adverse effects of the personal data breach. If the affected individuals are not immediately identifiable, public notification may be the most appropriate means of communication, for example through the media or through a website. Data controllers should consider whether the method of notification adopted might increase the risk of harm to the data subjects.

Paragraph three of the Code also advises that data controllers should provide affected individuals with details of bodies that may be in a position to assist them, for example An Garda Síochána and financial institutions. Depending on the circumstances, other examples could include IT experts that can offer containment advice or internet companies that may assist in removing relevant cached links from their search engines. As with all other aspects of the Code, the DPC is happy to offer advice in this regard.

Paragraph four notes that there may be circumstances where a data controller may reasonably conclude that there is no risk to personal data due to the adoption of high-quality technological measures that effectively make the data inaccessible. For example, personal data stored on an encrypted laptop with secure access controls may be considered inaccessible in practice and the DPC considers that the loss of such a device would not normally involve a risk to the personal data stored on it. However, the strongest encryption software [1] is useless if the access password is stored with the device or if the password is weak [2]. Other access controls (such as biometric identifiers, swipe cards, tokens etc.) may further strengthen security, particularly when used in combination with a complex password.

Paragraph five of the Code of Practice states that a data processor must report breaches of personal data security to the relevant data controller as soon as they become aware of the incident. This duty should be reflected in appropriate contracts signed between data controllers and data processors. The data controller should then follow the steps set out in the Code.

Paragraph six of the Code of Practice states that all incidents in which personal data has been put at risk should be reported to the DPC. The only exceptions are when the individuals have already been informed and the loss affects no more than 100 data subjects and the loss involves only non-sensitive, non-financial personal data. It should be noted that the fact that a data controller has notified the DPC of a loss of control of personal data does not necessarily imply that a breach of the Data Protection Acts 1988 and 2003 has taken place. The Code also makes clear that if a doubt exists - especially whether the technological measures protecting the data are such as to permit a reasonable conclusion that the personal data has not been put at risk - the matter should be reported to the DPC.

Paragraph seven of the Code of Practice sets a timeframe of two days for a data controller to inform the DPC once the data controller has become aware that personal data has been put at risk. Complex personal data security breach incidents may take a considerable period of time to fully investigate and resolve. All that is required is initial contact with the Office describing the facts as they are known and the steps being taken to address those facts. Personal data should not be included in such reports to the DPC and it is a matter for the data controller to decide the most secure method of contact, based on the nature of the information to be imparted.

Paragraph eight of the Code of Practice sets out the elements to be included in any formal report that may be sought by the DPC. The elements set out in paragraph eight should also be considered when preparing to notify data subjects directly of a personal data security breach incident. The Office may seek other documents in addition based on the circumstances surrounding the incident. The Office will also set a timeframe for the delivery of a detailed report based on the nature of the incident and extent of the information required.

Paragraph nine of the Code of Practice states that the DPC may launch a detailed investigation depending on the nature of the personal data security breach incident. Such investigations may produce a list of recommendations for the attention of the relevant data controller. Responsible data controllers cooperate willingly with the DPC's investigations and are happy to comply with any recommendations it may issue. However, in rare cases in which such compliance is not forthcoming, the DPC may use its legal powers to compel appropriate actions.

Even if the DPC is not notified, paragraph ten of the Code of Practice states that data controllers should keep centrally a brief summary record of each personal data security breach incident with an explanation of the basis for not informing the DPC.

Paragraph eleven of the Code of Practice is self-explanatory, stating simply that the Code applies to all categories of data controllers and data processors to which the Data Protection Acts apply.

"Prevention is better than Cure"

Complying with the relevant reporting requirements following a data security breach is no substitute for the proper design of systems to secure personal data from accidental or deliberate disclosure. Our general advice on data security is available on this website. But we accept that, even with the best-designed systems, mistakes can happen. As part of a data security policy, an organisation should anticipate what it would do if there were a data breach.
Some questions you might ask yourself:
  • What would your organisation do if it had a data breach incident?
  • Have you a policy in place that specifies what a data breach is? (It is not just lost USB keys/disks/laptops. It may include any loss of control over personal data entrusted to organisations, including inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals.)
  • How would you know that your organisation had suffered a data breach? Do staff at all levels understand the implications of losing personal data?
  • Has your organisation specified whom staff tell if they have lost control of personal data?
  • Does your policy make clear who is responsible for dealing with an incident?
  • Does your policy meet the requirements of the Data Protection Commissioner's approved Personal Data Security Breach Code of Practice?

If you wish to notify us that your organisation has experienced a breach of personal data that occurred prior to 25th May 2018, please also do so using the relevant breach notification form provided above.

[1] The standard of encryption required to adequately secure data changes with advances in technology. Whole-disk encryption of 256-bit strength should meet the requirement at present.

[2] A strong password would typically be 14 characters long, contain a random selection of letters, numbers and symbols and be impossible to guess.