Data Protection Toolkit - Personal Data Breaches: are you prepared?
You need to know how to recognise, report and respond to a breach. While it's possible to do all of this in the event of one occuring, it'll be much more difficult to take the right steps when you consider the relatively short deadline to inform the regulator if you haven't prepared your procedure in advance.
It is mandatory to report certain breaches to the regulator - the Information Commissioner's Office - within 72 hours.
You also need to keep records of breaches and take action to reduce the risk of them happening again.
The GDPR also requires you to have appropriate security measures in place. Demonstrating that you've done this will not only help to avoid breaches, but will show that you've not been negligent in your approach.
If you need to report a breach after reading this guidance, visit the ICO's reporting page. Please don't email the details to NICVA! (though you can of course ask for more advice)
You will need to be able to recognise that a breach has happened before you decide what to do next.
A breach of personal data as defined by the GDPR means:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. (Article 4 GDPR)
Examples of a breach might include:
- loss or theft of hard copy notes, USB drives, computers or mobile devices
- an unauthorised person gaining access to your laptop, email account or computer network
- sending an email with personal data to the wrong person
- a bulk email using 'to' or 'cc', but where 'bcc' (blind carbon-copy) should have been used
- a disgruntled employee copying a list of contacts for their personal use
- a break-in at the office where personnel files are kept in unlocked storage
Some of these incidents may happen through human error and honest mistakes. They could also occur through carelessness and a lack of procedure or guidance. It is therefore crucial that your organisation has a suitable data protection policy in place, and that all of your staff, including any volunteers, are aware of their responsibilities.
Even when a crime has been committed against you it is your responsibility to follow the necessary procedures, as the breach involves personal data under your control.
All staff must know how to recognise a breach and that they have a duty to make the organisation aware. Let them know that they should report a suspected breach to an identified member of staff (possibly a Data Protection Officer) who handles the rest of the procedure.
Often, this might be difficult for a member of staff to admit if they feel that they're at fault. It would be much worse if a breach is not reported for fear of sanction. It's important that you foster a culture of openness in your organisation to help meet your responsibility under the law.
Where a breach occurs, the organisation should first establish:
- the facts of what happened
- what personal data was involved
- the number of people likely to be affected
- the likelihood and severity of impact on the people affected
After a breach has been escalated within your organisation, you must decide if you need to report it to the Information Commissioner's Office. If you fail to notify a reportable breach it can result in a significant fine.
When should a breach be reported?
Not all breaches need to be reported to the ICO, but if the breach is likely to involve a 'risk to people's rights and freedoms', it must be (Article 33).
Such a risk would be one where the people involved could suffer adverse effects as a result of the breach. This depends on what was in the data and how it might be used to damage them, as well as the scale of the breach. The inappropriate disclosure of sensitive or confidential information could be a reportable if it would have a negative impact on someone's sense of privacy. Identify theft, fraud, financial loss and damage to reputation are other risks to rights and freedoms that could result.
You should therefore establish the facts and assess the likelihood and severity of risks in deciding whether to report. The Article 29 Working Party Guidelines contain some scenarios of what is and what isn't reportable. For example, if the data were appropriately encrypted it would not be necessary to report as there is no risk involved (so long as the key or password weren't compromised).
For more on encryption, see NICVA's guide on GDPR and Encryption.
The context, scale and level of sensitivity are more important than the nature of the breach. The same type of breach could be reportable or not, depending on the likely effect on individuals. For example, accidentally sending a bulk email to invite a small number of people to a community event using the 'to' and not the 'bcc' field is unlikely to be a reportable breach. But sending a similar email to a group of people who are receiving mental health counselling from you would be, as the context identifies health information about those people.
If you are satisfied that there is no risk to anyone's rights or freedoms, then the breach does not need reported. In coming to this conclusion, you should make clear the reasons for this decision.
How is a breach reported?
A breach must be reported to the ICO without undue delay and within 72 hours from when you became aware that a breach had occurred, where feasible.
This 3-day limit applies whether the incident happens over weekends or holidays. So expect it to happen at 5 o'clock on a Friday afternoon!
You need to report to the ICO by phone and give details of the incident. Even if you haven't established all of the facts you should still report within 72 hours. Don't delay, as you will have the opportunity to provide follow up information. The helpline staff can assist with what to do next, whether you need to inform the individuals, and how to take measures to prevent reoccurrence.
As the report helpline is only available from 9am to 4.30pm Monday to Friday, you should report through their online facility if you need to do so at other times.
What happens next?
The ICO decides what happens next. Breaches are not routinely made public by the ICO. In some cases they will simply record the incident. In other cases they can investigate the circumstances that led to the breach. The outcome can range from no further action through to a monetary penalty in the rarer case of a serious breach involving negligent or deliberate action.
Once you have identified or reported a data breach, you should let your board or trustees know the details, as they may need to report a serious incident to the Charity Commission (see below).
There is also a requirement in the GDPR to inform individuals affected as soon as possible (Article 34). This will allow them to take precaution and protect themselves against any negative effects, such as identify fraud.
The requirement to inform individuals is slightly higher than the need to report to the ICO. Compared to a "likely risk to individuals' rights and freedoms", you need to inform people if there is a "high risk". This difference can be hard to judge. It's best to take the view that if you need to report to the ICO you probably need to also tell the individuals. The ICO can tell you if you need to inform individuals, or require you to do so.
You need to clearly communicate to the people involved:
- what happened
- what personal information was involved
- what risks are likely or possible
- measures you're taken or proposing to address the breach
- your contact details where they can get more information
Whether you need to report a breach to the ICO or not, you should keep a clear record of every breach incident.
The GDPR requires controllers to:
document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken
The GDPR also requires organisations to be accountable and transparent. Under the security of processing, controllers and processors must put in place appropriate measures "to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" (Article 32).
Keeping a clear record of breaches will help you to meet accountability requirements and is an appropriate measure to ensure the security of processing.
These records also allow the ICO to verify that compliance with the reporting of relevant breaches is happening.
You will also need to act on any breach to reduce the risk of reoccurrence. Identifying patterns or gaps in your practice is important, and keeping records shows that you're taking responsibility for what happened.
You can choose how you keep this record. It could be a long-form written document, or on a spreadsheet. It is advisable to record:
- the date that the breach happened
- when it was identified and by whom
- if and when the ICO were notified (include a case number if given one)
- the nature and circumstances of the breach
- what types of personal information was involved
- how many people were affected
- likely effects of the breach, especially if there is evidence of effects
- if a breach was not reported to the ICO, the reasons for this decision
- remedial action taken to remedy the breach and prevent reoccurance
- any other information you think relevant
Under charity law, trustees are required to report any serious incident to the Charity Commission for Northern Ireland (or other charity regulators where relevant) and explain how it is being managed.
A serious incident is an adverse event (either actual or alledged) which risks or results in a significant loss of charity money or assets, damage to charity property, or harm to the work of the charity its beneficiaries or reputation.
In the case of a data breach that has involved criminality such as fraud, hacking, or the theft or loss of data or equipment, it is almost certain that a serious incident also exists.
The Charity Commission's guidance on serious incident reports highlights examples of data breaches or loss that would be reportable to them as a serious incident:
|Examples of incidents to report to the Charity Commission||Examples of incidents which do not need to be reported to the Charity Commission|
|Charity's data has been accessed by an unknown person; this data was accessed and deleted, including the charity's email account, donor names and addresses||A single laptop or mobile phone belonging to the charity is reported missing and it does not contain confidential data – it has been reported to the PSNI.|
|A charity’s laptop, containing the personal details of beneficiaries or staff, has been stolen.|
|Charity funds lost due to an online or telephone ‘phishing scam’, where trustees were conned into giving out bank account details.|
|A Data Protection Act breach, reported to the ICO.|
If a data breach has been reported to the ICO, then it should also be reported to the Charity Commission. In cases where the breach has not been reported to the ICO, a serious incident may still need to be reported to the Charity Commission.
Responsibility for making the decision on whether a serious incident report needs to be made—and following the required procedure—will fall to the charity's trustees.
If you as a member of staff have identified a data breach, you should inform your trustees about it so they can make an informed decision on reporting it to the Charity Commission.
ICO, Guide to the GDPR: Security
ICO, Guide to the GDPR: Accountability and Governance
ICO, Practical guide to IT security
National Cyber Security Centre
NICVA, GDPR and Encryption
ICO, Guide to Data Protection: Encryption
Article 29 Working Party Guidelines on Personal Data Breaches