Matt Sanders, Managing Partner, Guernsey
KEY TAKEAWAYS:
This briefing is part of a Walkers series on the Data Protection (Bailiwick of Guernsey) Law, 2017 (the "DPL"), and provides an overview on personal data breaches. It describes some key points which organisations may want to consider when handling/managing a personal data breach.
A related briefing on the object of the DPL, some of the key concepts used in the DPL, what the data principles are and the rights of data subjects is available here.
What is a breach?
A personal data breach is defined in the DPL as a breach of security leading to accidental or unlawful destruction, loss or alteration of personal data, or unauthorised disclosure of, or access to, personal data. Examples of personal data breaches can include (but are not limited to):
What should a controller / processor do if they experience a personal data breach?
The approach to handling a personal data breach depends on whether the breach is experienced by a controller or processor. Where a controller becomes aware of a personal data breach, the controller must, unless the personal data breach is not likely to result in any risk to the significant interests of the data subject, give the Office of the Data Protection Authority (the "ODPA") written notice of it as soon as practicable. In any event, notice should be given no later than 72 hours after becoming aware, unless this is not practicable. The written notice must include:
If the aforementioned information cannot be provided to the ODPA at the time of the written notice, the DPL allows the controller to provide the information in phases as soon as practicable.
Where a processor becomes aware of a personal data breach, the processor must give the controller notice of it as soon as practicable, and where oral notice is given, the processor must follow up the oral notice with a written notice to the controller at the first available opportunity.
Where an event is initially suspected to be a personal data breach but on assessment does not fall within the definition above, the controller should retain a written record of that assessment. It may also be appropriate for the controller to review such an event to assess whether any improvements to its technical or organisational measures could be put in place to mitigate any similar "near miss" event in future.
Do I need to notify the affected data subject(s)?
Where a controller becomes aware of a personal data breach that is likely to pose a high risk to the "significant interests" of a data subject, the controller must give the data subject written notice of the breach as soon as practicable. The notice must include:
A controller is not required to give notice to a data subject in circumstances where:
The ODPA may also require that a controller notifies a data subject if it considers that the controller is obliged to do so under the DPL.
When assessing whether there is a high risk to the significant interests of data subjects, the controller must consider the nature, scope, context and purpose of the processing. The controller must consider each possible impact on the data subject resulting from the breach, as well as the likelihood of each such impact occurring. This is an assessment that the controller must make and be able to justify if questioned. The ODPA therefore recommends that a controller record the rationale for its decision, particularly where it concludes that a breach does not pose a high risk to the significant interests of data subjects.
Record keeping
A controller must keep a written record of each personal data breach of which they are aware, including the facts relating to the breach, the effects of the breach, the remedial action taken, and any steps taken by the controller to comply with the DPL. This includes whether the controller gave notice to the ODPA of a personal data breach, and if so, a copy of the notice.
This information must be recorded and retained by the controller regardless of whether the personal data breach is reported to the ODPA or not. This record must be retained for a period of 6 years from the day when the controller or processor first became aware of the breach.
Failure to notify the ODPA of a personal data breach
Where a controller fails to notify the ODPA of a personal data breach, the ODPA may, following a breach determination, impose all or any of the following sanctions against that controller:
What happens when a breach is reported to the ODPA?
The ODPA has recently explained that the main purpose of reporting personal data breaches is to ensure that such events are handled appropriately in order to mitigate further risk to data subjects and to ensure that steps are taken to prevent future incidents. When a personal data breach is reported, the ODPA will assess the circumstances and identify whether there is any further action that the controller should take in response to the breach. This includes ensuring that appropriate consideration has been given to whether any affected data subject should be notified.
Walkers' comments
When considering personal data breach events, it is important for an organisation to ensure that it has a defined response plan for dealing with a data breach. The plan should be tested regularly and rigorously so that all relevant individuals within the organisation are familiar with it before a breach occurs.
Once an organisation has established the facts of the breach, it should try to contain it, minimise the harm that could be caused to the people whose information has been breached, and take all reasonable steps to preserve evidence for any forensic investigation that may become necessary.