Data Protection Update (June 2010) – Mandatory Reporting of Data Breaches
by Robert Haniver
Irish data controllers are not specifically compelled by law to report the loss or improper disclosure of personal information of the public to either the Data Protection Commissioner ('the Commissioner') or the affected data subject(s).
Report of the Data Protection Review Group
The Minister for Justice, Equality and Law Reform established the Data Protection Review Group ('the Review Group') in November 2008 to make recommendations on whether Irish Data Protection legislation should be amended to provide for the mandatory notification of data breaches and penalties.
While the Review Group was formulating its public consultation on the issue, the Commissioner issued interim guidance for organisations on how best to deal with detected data breaches. The Commissioner recommended that part of an organisation's response to a discovered breach should be to immediately notify the Commissioner so an assessment could be made of how best to inform affected individuals and how to prevent a reoccurrence.
The Review Group's consultation document followed in September 2009. This sought public feedback to assist the Review Group's recommendations for an appropriate regulatory response to data breaches. The Review Group later published its recommendations.
The Review Group did not consider a self-regulating regime, where organisations decide for themselves whether or not to report data breaches, as desirable or practical. While the Group recommended there should be a requirement for breach reporting to the Commissioner, it did not extend this to require breach reporting to affected individuals. The Group thought this would be best moderated by the Commissioner, as he already has adequate powers to compel organisations to inform individuals when their personal information has been compromised and is likely to give rise to substantial damage or distress.
The Review Group concluded that the duty of care requirement of data controllers under the Data Protection Acts 1988 to 2003 does not go far enough to police the data protection principles and called for meaningful criminal sanctions.
A statutory Code of Practice was recommended, based on the Commissioner's earlier guidance, which would set out the circumstances in which disclosure of data breaches is mandatory. The Review Group proposed that non-compliance would be an offence. In addition, it recommended a separate statutory offence related to deliberate or reckless acts or omissions concerning the data protection principles.
The Review Group sought to keep its recommendations in line with recent EU developments. It noted that the pace of the developments at EU level would influence the timing of any proposed domestic legislation on the issue. The Group noted that the review of the existing Data Protection Directive currently underway by the European Commission may ultimately lead to a new or amending Directive including provisions for the mandatory notification of data breaches to data subjects.
The Review Group's report is available to download: http://www.justice.ie/en/jelr/dprgfinalwithcover.pdf/Files/dprgfinalwithcover.pdf
Draft Data Security Breach Code of Practice
The Commissioner has published a draft Data Security Breach Code of Practice in response to the Review Group's recommendations.
The draft Code provides that data controllers confronted with a breach of their data security obligations must give immediate consideration to informing affected data subjects. Furthermore, organisations that may be in a position to assist in the protection of data subjects' interests should be notified, including (where relevant) the Gardaí, financial institutions etc.
All incidents of loss of control of personal data by a data controller (except where the data can be considered inaccessible due to proper encryption, remote memory wipe or password security) must be reported to the Commissioner where it affects more than 100 individuals or where the breach involves sensitive personal data or personal financial data that could lead to identity theft.
In situations where 100 or fewer individuals are affected, there will be no need to report the breach to the Commissioner, provided those individuals are fully informed by the organisation and the breach does not involve sensitive personal data or personal financial data carrying the threat of identity theft.
A data controller must, in all situations, keep a record of each data breach incident and the steps taken in response to it. This record must be made available to the Commissioner on request.
Mandatory notifications must be made to the Commissioner within two working days of the data controller becoming aware of the security breach. A comprehensive report will be required, covering the following:
- amount and nature of personal information disclosed;
- steps taken to secure and/or recover the compromised data;
- action taken to inform affected individuals or reasons for not doing so;
- action taken (if any) to limit damage or distress to those affected by the incident; and
- a chronology of events leading up to the security breach.
The data controller is required to provide a further report setting out the measures being taken by the organisation to avoid a reoccurrence of the incident. The Commissioner will investigate reported data breaches, which may include on-site inspections of systems and procedures. This could lead to the use of the Commissioner's powers to compel certain actions including a recommendation or requirement to inform affected persons about a security breach where the data controller has not already done so.
The draft Code is open for consultation until 18 June 2010 and can be reviewed at
For further information please contact our Corporate Law Department on (01) 240 1218 or firstname.lastname@example.org.