Reporting personal data breaches
Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Obligation to report
Data protection laws oblige the data controller to notify the ICO of a personal data breach without undue delay and within 72 hours after having become aware of it. You become aware of a breach when you have a reasonable degree of certainty that a security incident has occurred and that personal data has been compromised. You do not need to report the personal data breach if it is unlikely to result in a risk to the rights and freedoms of individuals. If the notification is not made within 72 hours, a reasoned justification for the delay must accompany the notification.
Three types of breaches are identified and all three may take place at the same time:
- ‘Confidentiality breach’ – where there is an unauthorised or accidental disclosure of, or access to, personal data, e.g. an email with personal data attached is sent to the wrong person.
- ‘Availability breach’ – where there is an accidental or unauthorised loss of access to, or destruction of, personal data, which could be permanent or temporary, e.g. your system is encrypted by ransomware and you cannot access your files.
- ‘Integrity breach’ – where there is an unauthorised or accidental alteration of personal data, e.g. someone has changed information when they should not have.
Not all of these incidents require to be reported. In considering whether there is an obligation to report an incident, you should look at the likelihood of an impact on the data subject’s physical wellbeing, property, finances or reputation. Potential damage could include a loss of control over their personal data, or an impact on them in terms of discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional confidentiality or any other economic or social disadvantage to the individual concerned.
Contracts with processors must require the processor to report any personal data breach it suffers to the controller without undue delay, which has been interpreted as meaning immediately.
What information must be provided to the ICO?
The notification to the ICO should include:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of data records concerned
- The name and contact details of the data protection officer or other contact point where more information can be obtained
- The likely consequences of the personal data breach
- The measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, to mitigate its possible adverse effects
It may not be possible to provide all this information at the time of notification, but it should then be provided without undue delay. We would recommend that information is only provided to the ICO after legal advice has been sought and once there is a clear indication of what has taken place. It will often not be possible to provide all of this information within 72 hours but every organisation should have a process in place to respond to breaches and professional advisers to call on to ensure that an immediate and effective investigation is carried out in response to a breach in order to fulfil the obligations under the GDPR.
The controller is under an obligation to document any personal data breaches, whether they are reported or not, in a personal data breach register. This should detail the facts surrounding the breach, its effects and the remedial action taken. It should be reviewed to identify any recurring security or other issues. The documentation must enable the ICO to verify compliance with the notification obligations and so must contain information about why a decision was taken not to report a breach if applicable. This decision can change over time.
Reporting data breaches to the data subject
If a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller is obliged to advise them without undue delay. In some cases this may allow data subjects to take precautions against their bank account being compromised, for example. The loss of, or unauthorised access to, any special category data is likely to require to be reported to the data subject, as would the loss of, or unauthorised access to, financial data, particularly if it can be used to access an individual’s bank account and/or commit identity fraud.
The ICO may also be involved at this stage and can advise how this notification is done; any guidance it issues should be followed. It may be appropriate to advise data subjects before advising the ICO in cases where prompt action on the part of the data subject could avoid any potential damage.
Anyone affected should be advised of the breach in plain language. The notification should describe the nature of the personal data breach, its likely consequences and the steps taken to address it, including recommendations to the individual concerned on action they can take to mitigate potential adverse effects. There should also be a point of contact where more information can be obtained from the controller. It is important to keep the data subject advised of any developments, for example that the individual who received the email in error has deleted it and has confirmed that they did not read it. This will keep any distress to a minimum.
Again, an assessment will be required about whether the breach requires to be notified to data subjects. If you have implemented appropriate technical and organisational measures and, for example, all the electronic data compromised was encrypted, then you may not require to notify the data subjects concerned as it is very unlikely that anyone will be able to access any personal data about them. Steps taken following the breach could also mean that any identified risks are no longer likely to materialise.
You need to take into account: the nature, sensitivity and volume of personal data; the ease of identification of individuals; the severity of the consequences for individuals; any special characteristics of the individuals; the number of individuals affected; and any special characteristics of the data controller, e.g. where they owe a duty of confidentiality to the data subject over and above their obligations under data protection laws.
The ICO can insist that the controller notifies data subjects if it believes that there is a likelihood of a high risk.
For more information see the ICO website on personal data breaches.
Case study - data breach
Our high street firm has created a simple incident log to record any personal data breaches, whether reported or not.
Contact: Joan Smith, Data Protection Lead at High St Firm, joansmith@highstreet.co.uk
Nature of incident/breach | Potential consequences of the breach | Data subject informed | ICO informed (72hrs) | Actions taken/ changes made as a result of the breach |
---|---|---|---|---|
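The breach register described in the section on documenting breaches, and the incident log in the case study above, can be kept as structured records that also carry the evidence the ICO needs to verify the notification decision. The following is an added illustration, not the firm's own log or code from this page: it records the incident log columns together with the awareness time, checks the 72-hour window, and flags entries that lack a reasoned justification for a late notification or a documented reason for not reporting. The `BreachRecord` fields, the risk labels and the sample incident are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ICO_WINDOW = timedelta(hours=72)  # notify the ICO within 72 hours of becoming aware
BREACH_TYPES = {"confidentiality", "availability", "integrity"}

@dataclass
class BreachRecord:
    nature: str                        # what happened, categories and numbers of subjects/records
    breach_types: set                  # subset of BREACH_TYPES; several may apply at once
    aware_at: datetime                 # reasonable certainty that personal data was compromised
    risk: str                          # "unlikely", "risk" or "high" (risk to rights and freedoms)
    actions_taken: str = ""            # remedial action taken / changes made
    ico_notified_at: "datetime | None" = None
    delay_justification: str = ""      # reasoned justification if notified after 72 hours
    no_report_reason: str = ""         # why a decision was taken not to report
    data_subjects_informed: bool = False

def ico_deadline(aware_at: datetime) -> datetime:
    return aware_at + ICO_WINDOW

def ico_report_required(record: BreachRecord) -> bool:
    # Only a breach unlikely to result in a risk to individuals is exempt from ICO notification.
    return record.risk != "unlikely"

def register_issues(record: BreachRecord) -> list:
    """Return the gaps in a register entry; an empty list means the entry is complete."""
    issues = []
    if not record.breach_types or not record.breach_types <= BREACH_TYPES:
        issues.append("breach type must be confidentiality, availability and/or integrity")
    if ico_report_required(record):
        if record.ico_notified_at is None:
            issues.append("ICO notification required but not recorded")
        elif record.ico_notified_at > ico_deadline(record.aware_at) and not record.delay_justification:
            issues.append("ICO notified after 72 hours without a reasoned justification")
    elif not record.no_report_reason:
        issues.append("decision not to report must be documented with reasons")
    # Data subjects must be told where the breach is likely to result in a high risk to them.
    if record.risk == "high" and not record.data_subjects_informed:
        issues.append("high risk: data subjects must be informed without undue delay")
    return issues

# Constructed sample (not from the page): a client list emailed to the wrong recipient and
# notified to the ICO 96 hours after the firm became aware of it, with no justification recorded.
SAMPLE = BreachRecord(
    nature="Spreadsheet with 40 clients' names and addresses emailed to the wrong recipient",
    breach_types={"confidentiality"}, risk="risk",
    aware_at=datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
    ico_notified_at=datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc),
)
```

Running `register_issues(SAMPLE)` on the constructed entry reports only the missing justification for the late notification; once the decision not to report, or the justification for a delay, is written into the record the entry passes.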