Twenty-six personal data breaches have been reported to the Office of the Data Protection Commissioner (ODPC) in the two months up to 18 October 2018.
The rate of reporting has increased slightly compared with the previous reporting period, in which 32 breaches were reported over the three months up to 18 August. The increase is likely due to organisations being more aware of their legal obligation to report breaches to the ODPC.
Most breaches received were low-level with no further action required. However, the ODPC has a heavy caseload of ongoing investigations into breaches and complaints that do require further action.
There has also been a specific increase in hacking-related incidents, in particular hackers gaining control of email accounts.
Guernsey’s Data Protection Commissioner, Emma Martins, commented on the role of breach reporting and its value in achieving regulatory compliance:
“The continued high levels of compliance by local organisations when reporting these incidents is to be welcomed. We recognise that it may not come naturally for organisations to inform regulators when things don’t go to plan and we understand that having confidence in my Office and the way in which such matters are handled is vital. Taking a proactive approach in this area will help to enhance confidence in the organisations handling our personal data. It also provides my Office with extremely useful insight about the types and nature of breaches, which in turn enables us to target our education and compliance programme in a meaningful and effective way.”
The breach reports received suggest that organisations are exposed to the greatest risk of a breach when personal data leaves their direct control, whether by post or by email.
The ODPC offers the following advice to local organisations:
When using postal or email systems for sending personal information:
- Regularly check your email security: apply security patches promptly, and if you are making any significant changes to your email systems, think about whether penetration testing is necessary.
- Pause, think and check before you send: remind all staff members who post or email letters or documents containing personal data to slow down and always double-check that the recipients are correct and appropriate.
- Avoid complacency: consider the potential implications of the information you are handling falling into the wrong hands, and take all reasonable precautions to prevent this from happening.
When letting the ODPC know that your organisation has experienced a breach:
• Beware of the secondary breach: if you experience a breach and report it to the ODPC, take care not to commit a secondary breach in the process. For instance, as part of an initial self-reported breach you do not need to send the ODPC the specific evidence of the breach. You only need to disclose how it happened, what personal data has been put at risk, how many people’s data are affected, the category of person affected (e.g. staff members, customers, suppliers), and the category of personal information affected.
For example: (see infographic in Notes to Editors)
If you sent a breach report similar to the one below, it would itself constitute a secondary breach, as it exposes the data and the individuals concerned:
“I’ve sent details related to Mrs A. Bloggs positive pregnancy test results to Mrs C. Bloggs.”
Instead, you should submit a breach report in the format below, which protects the data and
“At 13:10 on 19 October 2018, I sent special category medical data related to a patient’s pregnancy to an individual with a similar name in error.”
The Office of the Data Protection Commissioner is working to improve its online breach reporting mechanism and has asked for any comments to be submitted via email@example.com.