7. Data Breach Reporting
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of or access to, personal data. This means that a breach is more than just losing personal data.
Duty to Report
Data protection legislation requires data controllers to report certain types of data breach to the Information Commissioners Office and in some cases to the individuals affected.
Data processors will usually have a contractual obligation to report a data breach to the data controller. Sub-processors may instead have an obligation to inform the lead data processor (who in turn informs the data controller). Under the terms of our Data Processing Agreement, a data processor must inform the data controller of a data breach ‘without undue delay’. A shorter period may apply if the data controller has used their own form of Data Processing Agreement and this should be checked.
If you become aware of a breach you must immediately report this to the responsible person in your organisation. This will typically be your Data Protection Officer (if you have one).
If unaddressed such a breach could have a significant detrimental effect on the individuals concerned – for example, it would result in discrimination, damage to reputation, financial loss, loss of confidentiality or other significant economic or social disadvantage. Without reviewing the breach, steps cannot be taken to prevent it from reoccurring.
The data controller must report a notifiable breach to the ICO within 72 hours of becoming aware of it. Data protection legislation recognises that it will often be impossible to investigate a breach fully within that time-period and allows the data controller to provide information in phases, as it becomes available.
A breach does not need to be reported to the ICO if it is unlikely to result in a risk to the rights and freedoms of the data subject. This will need careful analysis. The ICO has a self-assessment tool which can help with the decision making process:
The individual(s) whose data has been breached will need to be notified of the data breach if there is a high risk to their rights and freedoms. We recommend taking specialist advice on this point.
Failing to notify a breach when required to do so can result in a significant financial penalty, reputational damage and exposure to legal claims brought by the affected data subjects. A data processor (or Sub-processor) who fails to report a breach to the data controller (or lead data processor) has potentially breached the terms of their Data Processing Agreement.
Personal Data Breach Example
A security operative responsible for CCTV surveillance notices a high profile individual obviously the worse for drink behaving badly, he replays the footage and records it on his smartphone and posts this on social media. This is a personal data breach.
It would be good practice to ban the use of personal smartphones and other personal computer devices in a control room environment.