Twenty-eight personal data breaches were reported to Guernsey’s Office of the Data Protection Authority (ODPA) in the two months leading up to 29 February 2020, the lowest figure in more than a year. The majority were accidental.
Since the last report, the ODPA has enhanced the categories to allow greater detail to be drawn from them, which results in breaches falling into one of eleven possible groups. Overall, in the latest statistics, 19 breaches were deemed accidental, three deliberate and six not specified.
Data sent to the wrong recipient is the most common error, and it has now been separated into three groups to specify whether the data was sent by post, email or fax. In the latest reporting period, nine breaches fell into this category; three were from email errors and three postal. Inappropriate disclosure of data led to six breaches, whilst other self-reported breaches included three each of inappropriate access, unauthorised disclosure and cyber incidents.
The 28 breaches in total were from a range of sectors, including five from public authorities, four from healthcare organisations, three from fiduciary entities and the remaining 16 spread across 10 other sectors.
The Bailiwick’s Data Protection Commissioner, Emma Martins, observed that the obligation to report data breaches is still a relatively new requirement and that all parties have something to learn.
“We publish the self-reported figures so that everyone can benefit from a better understanding of how and why breaches happen and therefore, how we can avoid them in future. We hope the new categories will deepen understanding of this.”
The ODPA’s Strategic Plan focuses on predicting, preventing and detecting data harms along with enforcing the local data protection law.
Mrs Martins commented on how the breach statistics help these activities.
“As the regulator we can ensure our advice and guidance is relevant and helpful. By learning more about the origin of these breaches we can better educate organisations and in turn they can put in place practices that should ultimately reduce future breaches. Our overall goal is to protect people from the harms that data breaches can cause, as they often cannot be undone.”