1,000 breaches of people’s personal information have been reported to the Information Commissioner’s Office (ICO). But this is the tip of the iceberg: there will be many more data security breaches that have not been notified to the ICO, and many more that have gone unnoticed altogether.
Many data security breaches are the result of human or technical error rather than deliberate attack. Common mistakes include losing laptops or other data storage devices such as tapes, CDs or data sticks, staff disclosing personal details to the wrong people, and automated mailing systems sending letters to the wrong addresses. For example, in December 2009 documents containing mental health records relating to 1,970 patients were reported missing; it appeared they were lost in transit with an external courier. In another example, a memory stick containing social services information concerning 40 children was found in a public street in Stoke-on-Trent. Marks & Spencer was found to have failed to protect data when an unencrypted laptop containing the personal pension details of around 26,000 M&S employees was stolen; had the laptop been encrypted, the theft of the hardware need not have been a breach of the data on it.
Data Protection Act obligation
One of the central principles of the Data Protection Act 1998 (the seventh data protection principle) is that you must take “appropriate technical and organisational measures” against unauthorised or unlawful processing of personal data and against its accidental loss, destruction or damage. Breach of this principle can lead to enforcement action. From 6 April 2010 the ICO can serve a monetary penalty notice requiring an organisation to pay up to £500,000 for a serious breach of the Act.
However, often the most significant consequence of a data breach is the reputational damage and loss of confidence in the organisation that can follow any publicity given to the incident. Whether or not to notify anyone that a data security breach has occurred can therefore be a difficult decision: the interests of the organisation have to be balanced against the interests of the individuals affected and of others, and any legal obligations taken into account.
Should you tell?
Informing people about a data security breach is not an end in itself. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.
Answering the following questions will assist you in deciding whether to notify:
Who should you tell?
The ICO
There is no express obligation in the Data Protection Act 1998 to notify the Information Commissioner in the event of a data security breach. However, the ICO’s Good Practice Note: Guidance on data security breach management (the Data Breach GPN) recommends that serious data security breaches are notified to the ICO.
A serious data security breach is described in the Data Breach GPN as a breach:
The ICO has also said that the overriding consideration in deciding whether a breach should be reported is the potential harm to the individuals affected. Bear in mind that even if you decide not to notify the ICO, a third party (an affected individual, a contractor, or the press) may do so, and the ICO will then be hearing about the incident from someone other than you.
Data subjects
In the Data Breach GPN, the ICO cautions that data subjects should not be notified of a data security breach unless there is a reason for doing so. Data controllers should instead consider whether the data subjects will benefit from knowing about the breach involving their personal data, for example by being able to change passwords or bank account details to help prevent fraudulent use of the data. The Information Commissioner also suggests that data controllers may wish to offer data subjects whose personal data is at risk practical assistance, such as identity fraud checking services.
Others
Notification of potential claims may be a requirement of your insurance policy. You might also need to consider notifying third parties such as the police, sector-specific regulatory or professional bodies, banks or credit card companies that can help reduce the risk of financial loss to individuals (for example by cancelling or monitoring compromised cards), and trade unions.
Prevention better than cure
The ICO maintains it is essential that the protection of people’s personal information is part of organisations’ culture and DNA. Here are some top tips for protecting personal information from wrongful disclosure: