Data Protection Animation Series: Personal Data Breaches
You can't assume that a data breach will not happen to your organisation. Anyone who makes a claim that their data is '100% secure' is either unaware of the level of threat that actually exists, or is not being honest.
It is therefore important that you take steps to protect your data, and that you know what to do when a breach occurs.
In GDPR, a 'personal data breach' means:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
If you are collecting, storing or using personal data, it is important to be able to recognise a breach.
We can all think of some common examples of what this might include. Addressing an email to the wrong recipient, hacking, loss of USB drives, theft, break-ins and stolen passwords can all lead to a data breach. These sorts of incidents can negatively affect data subjects (the people whose personal data was breached).
There are some less-commonly recognised cases that constitute a breach. 'Unauthorised or unlawful destruction' could mean deleting some files by mistake or in contravention of the law. Consider the impact that destroying a person's medical records by accident would have on them. Undue 'alteration' could have a similar effect, where a person could suffer neglect or injustice as a result of the wrong information being recorded about them.
Often, we may hear about these in the news when a significant breach affecting a large number of people has happened. But breaches also happen at a much smaller scale.
The Information Commissioner's Office data security incident trends report states that there were a total of 4,056 incidents in the three months of July - September 2018 (Q2 2018/19). Many of these are 'low-level' incidents, such as the sending of someone's personal data to the wrong person, or losing information in the post.
When a breach does happen, there may be mitigating actions you can take to limit its extent and impact, such as informing the person or people who have been put at risk.
Gathering as much information about the breach as soon as possible is an important action. This includes establishing the facts, such as who exactly was affected, what types of data were included, what the cause of the breach was, and whether it is possible to recover any of the data. These facts are also required when it comes to reporting the breach.
You will need to assess the likely risks to the people affected. If people have been left vulnerable, it is only fair that they know about it. If financial information has been lost or accessed without authorisation, they may be at risk of fraud. Even something less detailed, such as donor contact information, could be used by criminals to defraud somebody. If special category data—such as medical information—is involved, people may be at risk of blackmail.
You must identify any actions that can be taken to reduce the risk of recurrence and act on them. For example, if a breach was caused by the loss of a USB drive, a mitigating action may be to review the use of USB drives and whether there are alternative means of storing or transferring data, or to require that all USB drives used are encrypted.
The GDPR brings with it a responsibility to report a personal data breach to the relevant supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). The ICO has a dedicated helpline for reporting a breach.
There is an exception to the requirement to report. If the breach is 'unlikely to result in a risk to the rights and freedoms' of any person, then there is no need to report it. The likely risk will largely depend on the context of the information as well as the data itself. As an example, if the breach was limited to the loss of a list of 100 email addresses with no context, then there is no likely risk. But if a charity providing mental health services lost a list of its service users' email addresses (even just a small number), the level of risk to those people is much greater.
There is no clear-cut definition of what is a likely risk, and it is a call you will have to make yourself. If in doubt, it is best to call the ICO helpline to make a report.
A breach must be reported 'without undue delay and, where feasible, no later than 72 hours [3 days] after having become aware of it'. There is no exemption to this time-limit in respect of weekends, public holidays or anything else, so you may need to react quickly.
This responsibility to notify is that of the data controller (though the data processor has a duty to notify the controller as soon as possible). So, even if you use a service such as an online cloud storage server and that is breached, it is your responsibility—as the data controller—to report the incident.
Also, just because an organisation has been the victim of a deliberate attempt to steal information does not mean that there is no duty to notify. In these sorts of instances it is even more important that the people whose data has been affected are made aware, as they may face risks from attempted fraud or blackmail.
Protecting yourself against data breaches
Part of the requirements of the GDPR is to have 'appropriate technical and organisational measures' (Article 32). This aims to preserve the availability, integrity and confidentiality (AIC) of the information, and goes hand-in-hand with protecting your computer systems from cyber attack.
It's also important that you can demonstrate that you have worked to identify and minimise risks as much as possible. Where the ICO has handed out fines for data breaches, the penalties have been proportionate to the level of negligence that the data controller has shown in not taking action to reduce risks.
Along with the myriad risks and threats to information security that exist, there are a wide range of measures that can be taken to protect data. These can include:
- ensuring that access to data is limited only to those who need it
- raising awareness of email and internet scams, such as phishing
- securing offices and manual record storage physically
- having effective password policies and using two-factor authentication
- encrypting removable drives and sensitive data being sent by email
- monitoring for suspicious activity, including intrusion attempts
- keeping software versions up to date (security patching)
There are many more ways to protect systems and information. An overall approach is to identify where you are most likely to be exposed to danger and start from there, making staff awareness and training part of the roll-out of these policies. You may also need to budget for new equipment or software.
It can be difficult to know where to start with so many approaches. A good starting point for small- and medium-sized charities is to look at the helpful guidance published by the UK's National Cyber Security Centre (NCSC). There are a host of topics to read into, as well as a handy small charity guide.
You can find more practical information on How to Handle a Personal Data Breach in NICVA's Data Protection Toolkit.
You can find all the videos in our GDPR animation series here.