
Interim guidance on data breaches issued by the Data Protection Commissioner

PRACTICE AREA GROUP: Regulatory Risk Management and Compliance
DATE: 20.06.2011

In April 2009 the Irish Data Protection Commissioner issued interim guidance on how organisations should deal with unauthorised or accidental disclosures or loss of personal data that they manage.

The Data Protection Commissioner recommends that the organisation immediately notify his office by phone or by email. The first issue that his office will then consider with the organisation is whether the persons directly affected by the loss of the data have been informed and, if not, how this might best be done.

The organisation may be required to provide a detailed report of the incident including:

  1. The amount and nature of the data that has been compromised;
  2. What action (if any) has been taken to inform those affected;
  3. A chronology of the events leading up to the disclosure;
  4. A description of measures being undertaken to prevent a repetition of the incident.

The Office of the Data Protection Commissioner will investigate the issues surrounding the breach. This may include an on-site examination of systems and procedures, and could lead to the use of the Commissioner’s legal powers.

The Interim Guidance refers to the Data Protection Commissioner’s existing general advice on data security.  It also outlines a number of questions that organisations should ask themselves:

  1. What would the organisation do if it had a data breach incident?
  2. Has it a policy in place that specifies what a data breach is?  (It is not just lost USB keys / discs / laptops.  It is also inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals).
  3. How would one know that the organisation has had a data breach?  Do staff at all levels understand what the implications are of losing personal data?
  4. Has the organisation specified whom staff should tell if they have lost equipment holding personal data?
  5. Does its policy make clear who is responsible for dealing with an incident?
  6. Does its policy include informing affected customers?  How would the organisation do this?  What information would it give them?  Has a point of contact been designated for the public should a data security breach occur?
  7. Does its policy include informing the Office of the Data Protection Commissioner and, if appropriate, other regulatory bodies?

In the meantime, the Working Group that was specifically convened by the Minister for Justice, Equality and Law Reform to advise him on issues relating to data breach incidents is expected to report to the Minister in the coming months.  It is expected that this report will indicate whether changes in our data protection legislation are necessary.
