Interim guidance on data breaches issued by the Data Protection Commissioner
PRACTICE AREA GROUP: Regulatory Risk Management and Compliance
In April 2009 the Irish Data Protection Commissioner issued interim guidance on how organisations should deal with unauthorised or accidental disclosures or loss of personal data that they manage.
The Data Protection Commissioner recommends that the organisation immediately notify his office by phone or by email. The first issue his office will then consider with the organisation is whether those persons directly affected by the loss of the data have been informed, and, if not, how this might best be done.
The organisation may be required to provide a detailed report of the incident including:
- The amount and nature of the data that has been compromised;
- What action (if any) has been taken to inform those affected;
- A chronology of the events leading up to the disclosure;
- A description of measures being undertaken to prevent a repetition of the incident.
The Office of the Data Protection Commissioner will investigate the issues surrounding the breach. This may include an on-site examination of systems and procedures, and could lead to the use of the Commissioner’s legal powers.
The Interim Guidance refers to the Data Protection Commissioner’s existing general advice on data security. It also outlines a number of questions that organisations should ask themselves:
- What would the organisation do if it had a data breach incident?
- Has it a policy in place that specifies what a data breach is? (It is not just lost USB keys / discs / laptops. It is also inappropriate access to personal data on your systems or the sending of personal data to the wrong individuals).
- How would one know that the organisation has had a data breach? Do staff at all levels understand what the implications are of losing personal data?
- Has the organisation specified whom staff tell if they have lost equipment concerning personal data?
- Does its policy make clear who is responsible for dealing with an incident?
- Does its policy include informing affected customers? How would the organisation do this? What information would it give them? Has a point of contact been designated for the public should a data security breach occur?
- Does its policy include informing the Office of the Data Protection Commissioner and, if appropriate, other regulatory bodies?
In the meantime, the Working Group that was specifically convened by the Minister for Justice, Equality and Law Reform to advise him on issues relating to data breach incidents is expected to report to the Minister in the coming months. It is expected that this report will indicate whether changes in our data protection legislation are necessary.