Nearly 10 million people were reported to be affected by the 38 personal data breaches reported to the ODPA between 1 January and 31 March 2023.
The majority of those were customers of a UK-based company that was the victim of a large cyber-attack involving the details of millions of its customers. Although the company is not based locally, it reported the breach to data protection regulators in all jurisdictions where its customers are based.
The Office of the Data Protection Authority (ODPA) has changed the frequency with which it publishes breach statistics from bi-monthly to quarterly. It is also now publishing two new criteria: the severity of the reported breaches and the total number of people affected. This shift in focus to include the number affected reveals how relatively few incidents can impact a huge number of people.
The ODPA is also now publishing breach severity, which organisations designate themselves when reporting an incident.
The Law requires organisations to report breaches where there is a risk to the ‘significant interests’ of any person whose data has been affected by the incident.
When an organisation reports a breach, it is asked to provide an indication of how serious it considers the breach to be. The ODPA takes this into account when reviewing the report. The ODPA encourages breaches to be reported even where the severity may not be immediately known or clear, as this helps build a picture of the issues organisations face and feeds into communications and regulatory work.
The Bailiwick’s Data Protection Commissioner Emma Martins commented: “We have always been clear that the reporting of breaches to us is more than a collection and publication of statistics. It is an invaluable tool we use to better understand the nature of the breaches experienced by our local regulated community. That understanding then helps us to deliver relevant and meaningful support and education around the areas where there are vulnerabilities. We can all learn from things that have gone wrong and we must all do everything we can to minimise the likelihood of recurrences. We must always remember that behind each statistic is a human being. Including the numbers of individuals affected in our breach report data encourages us to consider these issues from that perspective.”
The most striking examples of personal data breaches this year to date involve people using personal email accounts to send work-related information.
This is a problem for several reasons. Firstly, personal email providers are outside the control of the organisation, meaning its usual security policies do not apply and the organisation does not know what its data is being used for.
Secondly, access is likely to be less tightly controlled (accounts shared by couples, or devices given to children), which means information could fall into the wrong hands.
Thirdly, as illustrated by recent events involving UK politicians, using personal messaging to conduct your work can blur the boundaries between your personal life and your job in a way that is not helpful for you or your workplace.