What do we have to do in relation to data security?
Principle 7 of the Data Protection Act (DPA) requires data controllers to put in place appropriate technical and organisational security measures to prevent:
- unauthorised or unlawful access to personal data;
- accidental loss of personal data;
- destruction or damage to personal data.
Is there a legal requirement to notify data security breaches?
There is presently no general legal requirement to notify data security breaches although in certain serious cases it may be good practice to do so for legal risk management and damage limitation. See also under “Future changes” below.
However, as from May 2011, the Privacy and Electronic Communications Regulations were amended to require that in certain circumstances “public electronic communications service providers” must notify the Information Commissioner (ICO), and possibly also the affected users, if a “personal data breach” occurs.
What is a personal data breach?
A personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”
What do public electronic communications service providers need to do?
1) Keep a log of personal data breaches
The first requirement of the new Regulations is that you must keep a record of all security breaches in an inventory or log of personal data breaches. It must contain:
- the facts surrounding the breach;
- the effects of that breach; and
- remedial action taken.
2) Notify breaches to the ICO
The second requirement is that you must notify the ICO of any security breaches. This notification must include at least a description of:
- the nature of the breach;
- the consequences of the breach; and
- the measures taken or proposed to be taken by the provider to address the breach.
To make this process easier, the ICO suggests that you send your log to the ICO on a monthly basis. This means you won’t have to record the information twice and will meet your requirement to notify any security breaches without unnecessary delay.
However, if the breach is of a particularly serious nature you need to notify the ICO about the breach as soon as possible to firstname.lastname@example.org.
In deciding whether a breach is of a serious nature, you should consider:
- the type and sensitivity of the data involved;
- the impact it could have on the individual, such as distress or embarrassment; and
- the potential harm, such as financial loss, fraud, theft of identity.
Failure to comply with the requirement to submit breach notifications can incur a £1,000 fine.
3) Notify breaches to your subscribers
Thirdly, you may need to tell your subscribers. If the breach is likely to adversely affect their personal data or privacy you need to, without unnecessary delay, notify them of the breach. You need to tell them:
- the nature of the breach;
- contact details for your organisation where they can get more information; and
- how they can mitigate any possible adverse impact of the breach.
You do not need to tell your subscribers about a breach if you can demonstrate that you have measures in place which would render the data unintelligible and that those measures were applied to the data concerned in the breach.
If you don’t tell subscribers, the ICO can require you do so, if it considers the breach is likely to have an adverse effect on them.
The proposed new EU Regulation on Data Protection (the new Data Protection Framework) to be introduced in 2012 is expected to impose a general requirement on all data controllers (with the support of their data processors) to notify an EU data protection authority of data breaches within 24 hours.
Data controllers may also have to notify individuals if the breach is likely to have adversely affected them unless the controller has demonstrated to the authority that it has implemented appropriate security measures.
Please contact us if you require further information about your legal responsibilities in the event of a data security breach.