1,000 breaches of people’s personal information have been reported to the Information Commissioner’s Office (ICO). But this is the tip of the iceberg; there will be many more data security breaches that have not be notified to the ICO and which have gone unnoticed.
Many data security breaches are a result of human or technical error. Common mistakes include losing laptops or other data storage devices such as tapes, CDs or data sticks, staff disclosing personal details to the wrong people and automated machines which send letters out to the wrong addresses. For example, in December 2009 documents containing mental health records relating to 1,970 patients were reported missing. It appeared they were lost during transit with an external courier. In another example, a memory stick containing social services information concerning 40 children was found in a public street in Stoke-on-Trent. Marks & Spencer was found to have failed to protect data when an unencrypted laptop containing the personal pension details of around 26,000 M&S employees was stolen.
Data Protection Act obligation
One of the central principles of data management under the Data Protection Act is that you must take “appropriate technical and organisational security measures” to prevent accidental loss of personal data. Breach of this principle can lead to enforcement action. From 6 April 2010 the ICO can order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.
However, a most important consequence of a data breach incident is the reputational damage and possible loss of confidence in the organisation which can result from any publicity given to the incident. It can then be a difficult decision as to whether or not to notify anyone that there has been a data security breach, as the interests of the organisation have to be balanced against the interests of others, and legal obligations taken into account.
Should you tell ?
Informing people about a data security breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.
Answering the following questions will assist you in deciding whether to notify:
- Are there any legal or contractual requirements? At present, there is no law expressly requiring you to notify a breach but sector specific rules may lead you towards issuing a notification.
- Can notification help the individuals affected? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate risks, for example by cancelling a credit card or changing a password?
- Are a large number of people affected, or could there be serious consequences of the data breach?
- Would notification be appropriate, for example, where the data involves children.
- Is there a danger of ‘over notifying’. Not every incident will warrant notification and notifying 2 million customers of an issue affecting only 2,000 customers will cause disproportionate enquiries and work.
Who should you tell ?
There is no express obligation in the Data Protection Act 1998 to notify the Information Commissioner in the event of a data security breach. However, the ICO’s Good Practice Note: Guidance on data security breach management (Data Breach GPN), recommends that serious data security breaches are notified.
A serious data security breach is described in the Data Breach GPN as a breach:
- that could cause significant threat of harm to individuals;
- where large volumes of data are involved (generally 1,000 people);
- where sensitive data are involved, such as financial or medical records or unencrypted personal data.
The ICO has also said that the overriding consideration in deciding whether a breach should be reported is the potential harm to individuals. But bear in mind that even if you do not notify the ICO, a third party may do so.
In the Data Breach GPN, the ICO cautions that data subjects should not be notified of a data security breach unless there is a reason for doing so. Data controllers should instead consider whether the data subject will benefit from knowing about the data security breach, involving their personal data, for example, by being able to change passwords or bank accounts to help prevent potential fraudulent use of the data. The Information Commissioner also suggests that data controllers may wish to consider providing data subjects, whose personal data security is at risk, with assistance in dealing with practical issues, such as identity fraud checking services.
Notification of potential claims may be an insurance policy requirement. You might also need to consider notifying third parties such as the police, sector specific regulatory or professional bodies, bank or credit card companies who can assist in reducing the risk of financial loss to individuals, and trade unions.
Prevention better than cure
The ICO maintains it is essential that the protection of people’s personal information is part of organisations’ culture and DNA. Here are some top tips for protecting personal information from wrongful disclosure:
- review your data protection policies;
- review your technical and organisational security measures (such as password policies and physical security of IT systems);
- ensure appropriate contracts and guarantees are in place with third parties to whom data may be transferred for processing;
- ensure you know who you are disclosing personal information to – are they genuine and are they entitled to the personal details they are asking for?. This will help prevent ‘blagging’ (where information is obtained by deceiving the organisation who holds it);
- encrypt important or sensitive data;
- ensure staff receive adequate training in the risks of wrongful disclosure;
- review ISO standards 27001 and 27002 which are relevant to information security management and information security.