There is no specific statutory obligation to notify a breach under the Data Protection Acts 1988 & 2003. However, the DPC recently issued the Data Security Breach Code of Practice (the Code) which governs this area in Ireland. This Code does not yet have the force of law.
The Code does not apply to providers of publicly available communications networks or services, which are governed by the 2011 Regulations.
Under the Code, the data controller is responsible for making the notification. The Code provides that the DPC is entitled to request a data controller to provide a detailed written report of the incident. This should include the following elements:
- the amount and nature of the personal data that have been compromised;
- the action being taken to secure and/or recover the personal data that have been compromised;
- the action being taken to inform those affected by the incident or reasons for the decision not to do so;
- the action being taken to limit damage or distress to those affected by the incident;
- a chronology of the events leading up to the loss of control of the personal data; and
- the measures being taken to prevent repetition of the incident.
The Code states that where there is risk of unauthorised disclosure as a result of the breach, the data controller must give ‘immediate consideration’ to informing the data subject and any other relevant authority (e.g. the police force in Ireland) including the DPC himself.
The DPC does not have to be informed if:
- the data subjects have been notified;
- the breach affects no more than 100 data subjects; and
- the breach does not involve information of a sensitive or financial nature.
Under the Code, the DPC will specify a timeframe for the delivery of the report based on the nature of the incident and the information required.
The Code does not prescribe a format for the breach notification. Under the 2011 Regulations, the DPC can prosecute companies for failure to take appropriate security measures or failing to report data security breaches, with fines of up to EUR 250,000. Failure to notify the data subject can lead to fines of up to EUR 5,000 per breach.
Practical Advise
The first port of call when dealing with a breach of data protection rights in your organisation is to refer to the Data Protection Commissioner’s Guidelines in relation to same, see below link to guidelines,
www.dataprotection.ie/docs/Data-Breach-Handling/901.htm
The best way to avoid any breaches occurring is to have a proper secure system of data protection in place in your organisation in line with the 8 principles of data protection;
- Obtain and process information fairly.
- The data must be kept for a specified, lawful purpose.
- The data should be used and disclosed only for the specified purpose.
- The data must be kept safe and secure.
- The data must be up to date, accurate and complete.
- The data must be relevant, adequate but not excessive.
- The date must be retained for no longer than is necessary.
- A copy of the data must be made available to the data subject, on request.
The organisation should also nominate as data protection officer who is informed and up to date on the obligations of the organisation in relation to data protection.
The Office of the Data Protection Commissioner advises that organisations bear the following in mind;
- What would your organisation do if it had a data breach incident?
- Have you a policy in place that specifies what a data breach is? (It is not just lost USB keys/disks/laptops. It may include any loss of control over personal data entrusted to organisations, including inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals).
- How would you know that your organisation had suffered a data breach? Does staff at all levels understand the implications of losing personal data?
- Has your organisation specified whom staff tell if they have lost control of personal data?
- Does your policy make clear who is responsible for dealing with an incident?
- Does your policy meet the requirements of the Data Protection Commissioner’s approved Personal Data Security Breach Code of Practice?