180 personal data breaches were reported to Guernsey’s Office of the Data Protection Authority (ODPA) during 2020, a 30% reduction on the 259 reported in 2019.
Every two months the ODPA releases details of the number and category of data breaches reported to it by local organisations that use people’s data. This is to raise awareness in local organisations that they all have a legal obligation to notify the ODPA within 72 hours if they become aware of a breach. Publishing this information also allows everyone to benefit from a better understanding of how and why breaches happen and how they can be avoided in future.
During November and December 2020, 33 breaches were reported. 16 were due to personal data being sent to the wrong person via email, and a further 11 breaches occurred via post. The remainder were due to ‘inappropriate disclosure’ (4), ‘loss of data/paperwork/device’ (1), and ‘cyber incidents’ (1).
It is important to remember that breaches can occur in a broad range of circumstances; this is not just about sending emails to the wrong person. Wherever information about, or related to, people is compromised, there is a potential risk to people.
The Bailiwick’s Data Protection Commissioner, Emma Martins, commented: “I have been extremely impressed at our regulated community’s engagement and conduct since these new reporting requirements came into force in 2018. Whilst the statistics are very important and can help us better understand and respond to certain trends and areas of risk, the real prize is positive and constructive engagement. As a jurisdiction we are maturing into a community which is increasingly accountable and intelligent in its handling of data, including when things go wrong. We have all learned a great deal about how some key risks are often hidden in plain sight. Talking openly and maturely about those risks allows us to tackle them and reduce them.”