Guernsey’s Office of the Data Protection Authority (ODPA) has published its latest breach statistics with 28 personal data breaches reported during May and June 2022.
Of these, 13 breaches occurred via email, which remains the most common cause for the breaches reported. The chart below helps illustrate the complexity of circumstances surrounding the incidents where information about people is compromised.
One incident reported by the commercial sector involved a poorly redacted digital document sent to another client. The ‘redaction’ had used drawing objects to block out content, but these could easily be selected and removed, revealing details which should not have been visible. This example emphasises the importance of effective redaction on documents.
In the healthcare sector meanwhile, over 30 documents intended for a pharmacy were incorrectly faxed to a non-medical premises over the course of a month. The error with the fax number was subsequently discovered and rectified, but it was only when another organisation contacted them to ask about documents they had received in error that the surgery realised the extent of the breach. This was a particularly concerning incident because it involved several individuals’ special category data*.
Another reported incident involved a letter sent via post with details about an appointment for a support group meeting. The person it was intended for has the same name as a relative and they had requested that all communication be sent via email to avoid the relative inadvertently accessing this personal information. A note was added to the individual’s record on the computer system to that effect; however, it was not seen due to a system outage, resulting in communication being conducted instead via post.
The Bailiwick’s Data Protection Commissioner Emma Martins explains why data breach reporting is so important: “The types of breaches we have seen in this period highlight the role that open and transparent reporting plays.
“We are not seeing organisations setting out to deliberately compromise data but we are seeing mistakes being made. Of course we will never eliminate human error entirely but we must always learn from mistakes that have been made. We want to encourage the whole community to have an honest conversation about where the risks are and then to take meaningful steps to reduce those risks. This is not about naming and shaming, this is about learning and improving.”