COVID-19 | Reporting data breaches

0:40
Hello, I'm Geraldine Swanton a legal director at Shakespeare Martineau know today's session will provide a very brief overview on the duty to report personal data breaches under the GDP or the GDP are is rooted in the right to privacy, which of course is not an absolute, right?
1:00
And can be interfered with for a legitimate purpose provided its proportionate and so the GDP or seeks to achieve a fair balance between individuals reasonable expectations of privacy and the need for businesses to process personal data people entrust their data to us and some of it is highly sensitive data.
1:23
So it is about honoring that trust and therefore to do that we are Wired to take both technical measures and organizational measures to protect security Now organizational measures refer to you know, firm-wide policies and procedures, but they also include measures we as individuals can take in our day-to-day handling of personal data to ensure that it is secure now the duty to promote security is not absolute.
1:57
It is appropriate that the Sweet take must be appropriate to the risk posed to the individual as a result of a breach. So to sum it up really it's about preventing breaches. But if they do occur it's about detecting them quickly and reacting in a timely manner. Now, one of the big challenges for all of us is knowing when a breach has actually occurred and it might be helpful to enable you to identify breaches by dividing them into three.
2:30
Simple categories the first is a confidentiality breach and that is any unauthorized or accidental disclosure of personal data or unauthorized accidental access to personal data. Now when we think of these breaches, we think of melodramatic cyber attacks, but actually these occur on a routine day-to-day business basis in our ordinary everyday activities.
3:00
For example sending emails to a non intended recipient forwarding very sensitive Health Data to colleagues when they have absolutely no legitimate interest in seeing that Health Data the second type of breach is an Integrity breach and that's any unauthorized or accidental or alteration of personal data. For example, it could mean when data becomes corrupted.
3:29
So we only have a partial record an in inadequate parcel records can have a detrimental impact on individuals. And finally there is an availability breach. That's when there is unauthorized or accidental loss of personal data or destruction of personal data. So it could mean we have encrypted data, but we lose the key. Therefore we can't get access to that data either temporarily.
4:00
Permanently now the duty to report occurs. First of all in relation to the Ico. If there is a risk to the individual, you must only report the breach to the individual where there is a high risk posed to them by the breach now again assessing risk can be quite a difficult activity quite a difficult challenge, but there are various factors we can take into account.
4:29
And when we are assessing risk, and the first is what type of breach has occurred, usually a confidentiality breach will post some risk to an individual but the type of risk will be a very valid consideration and assessing risk next the nature and the sensitivity of the data.
4:51
So if it's ID day sir, that's that could pose a risk if it's highly sensitive disability related data, you can assume That will pose some form of risk. But even where the individual days are not particularly sensitive the combination of the data inadvertently destroyed or disclosed could create a risk when considered in the round.
5:15
Then there's the volume of data involved the group The more likely it is that some risk will be posed.
5:24
Then How likely is it that the person can be like it might not be identified by the actual data inadvertently disclosed but they might be identified when that is cross-referenced with other data. Then we have to assess the severity of the impact and the likelihood of the risk materializing now likelihood is again a difficult exercise, but for example, if inadvertent disclosure was made to a trusted.
5:54
And the risk is minimum if it was disclosed to an unknown source, then you can assume there is some likelihood of risk, the severity of the consequences. The severity of the impact is very relevant in assessing risk for example is the person more vulnerable to identity theft or fraud leading to financial loss.
6:19
If for example, we inadvertently release contact details If it means that a person who's estranged violent partner can now locate them are they vulnerable to physical harm distress is a very real consequence particularly. If we disclose very sensitive data humiliation damage to reputation. These are all probable consequences which could result and following the breach then we take into account the special characteristics of the person.
6:54
This data has been breached. So if it is a child or somebody with a learning disability, they may be much more vulnerable to risk.
7:05
The special characteristics of your business will also be relevant. So if you're a prison an educational institution or a medical practice data breaches are much more likely to have adverse consequences that if your business is simply compiling and mailing lists for magazine distribution.
7:28
Also, the number of individuals involved may be irrelevant consideration the greater the number the greater the threat That may be involved now the to recap the juicy to report to the information commissioner arises where there is some risk to the individual and you must report the breach without delay and in any event within 72 hours of becoming aware of the breach. So what does it mean to say when we become aware of the breach?
8:01
Well aware means not that we think maybe possibly but where are you have a reasonable degree of certainty that a data breach has occurred. You must provide reasons to the information commissioner. If you fail to disclose within that time limit and I would say look if you are in doubt about whether the threshold for disclosure has been passed you should report any way. So if in doubt always report now when you report the information commissioner, you really have to have a hand.
8:35
On what has happened? So you've got to explain what the breach was how it happened? What information was concerned the categories and numbers of individuals the categories and numbers of Records.
8:51
The potential consequences the steps you have taken to mitigate risk in the interim in the short term and the steps you're taking to mitigate risk in the future if you have a data protection, An officer you must provide the details of that officer and again to be to be sure to be sure.
9:13
I've include if in doubt do report now reporting to the data subject is required where there is a high risk and you must do that without undue delay and the purpose of revealing your breach to the individual is so that they can take steps to Don't think sounds if there is a vulnerability to Identity fraud then they can tell their bank. They can tell other they can they can take steps to diminish the risks themselves.
9:49
And as a very minimum the report must include again details of the breach the likely consequences the steps you've taken to protect the individual and details of the data Protection Officer if you have one Now you don't have to tell the individual where the information that has been inadvertently disclosed for example is unintelligible to anybody outside of your organization. So for example, if the data disclosed is encrypted, but you haven't disclosed the encryption key, then the risk is minimal and there's no need to tell the individual.
10:32
You don't also have to report if you've taken clear steps to ensure that the risk does not materialize. So remember there has to be a Nexus between reporting and high risk, but if you've taken steps in the interim to mitigate the high risk than there's no need to report now. You don't have to report to the data subject where it would involve disproportionate effort. Now that's a set of circumstances.
11:02
Stances may arise when the breach relates to a large number of individuals and it would you know be impossible or very very very burdensome to do to notify each and every individual but that doesn't mean you can do nothing. You may instead have to put a notice on your website detailing the breach so that those who are affected can protect themselves finally a theme that permeates the entire.
11:32
Rarity of the GDP or is accountability or transparency and that requires amongst other things that you must document all personal data breaches, even if there's no duty to report them to the information commissioner and the record must be pretty comprehensive.
11:51
It must include again the facts the house or what the when the effects any remedial action you've taken in the wake of Reach and in the long term and that record will enable the information commissioner to assess whether as an organization, you're complying with the GDP or if complaints are made and it's also very useful to include in that record any explanation as to why you haven't reported a breach to the information commissioner. It provides a justification in the face of the complaint.
12:29
In summary there for a remember. This is about honoring the trust that individuals have placed in us when they provide us with their personal data. It's about also creating a culture where our staff feel free to report a breach and ultimately it is about preventing greeters. But if they do happen it's about quick detection and prompt reaction.
12:59
Thank you. And please do remember we offer a free legal help line where we provide 20 minutes of free legal guidance. That's the end of this session. Thank you very much for your attention. I hope you found it useful.