Forty-four personal data breaches were reported to Guernsey’s Office of the Data Protection Authority (ODPA) in the two months up to 27 October 2019.
Twenty-four of the breaches were due to personal data being sent, via email or post, to the wrong person. The remaining twenty were through hacking, personal data being accessed inappropriately, the disclosure of personal data when not authorised to do so, system error, or personal data being lost. Overall, forty breaches were the result of human action, with just four resulting from system error.
The Bailiwick’s data protection commissioner, Emma Martins, commented on the role people play in personal data breaches.
“Once again, this period’s statistics reinforce the trend we have seen for some time: that it’s what people, not systems, do that is the biggest factor in most data breaches reported to us. Protecting data well is first and foremost a human issue.”
This trend, where people’s awareness, attitudes, behaviour, and choice of actions often pose the biggest risk to the protection of personal data, is observed not just locally, but also worldwide. In October 2019 the 41st International Conference of Data Protection and Privacy Commissioners (ICDPPC) passed a resolution for participating national authorities to ‘address the role of human error in personal data breaches.’
The resolution, sponsored by the Office of the Australian Information Commissioner, calls on all ICDPPC members (including the ODPA) to ‘promote appropriate security safeguards to prevent human error that can result in personal data breaches’. The resolution identifies the role of ‘building workplace cultures where privacy and personal data security are organisational priorities, including through the periodic implementation of training, education and awareness programs for employees on their privacy and security obligations and the detection and reporting of threats to the security of personal data.’
This echoes a statement made by Mrs Martins in August this year on this subject: ‘Building a culture of honest and constructive learning can help us all to work towards higher standards of compliance.’ Recognising the crucial role workplace culture plays in looking after personal data well, the ODPA will be starting an initiative, called ‘Project Blue Tit’, in 2020 with the aim of effecting positive, measurable change in organisational culture locally. More details about this project will be announced soon.