Data security and breach notification
Are there specific security obligations that must be complied with?
Yes. The Data Protection Act requires data controllers to implement technical and organisational measures that secure personal data against:
- unauthorised access;
- accidental or unlawful destruction, manipulation, disclosure and transfer; and
- other unlawful processing.
Data controllers must also comply with data confidentiality rules and ensure that personnel who process personal data are bound by confidentiality obligations.
The Data Protection Act does not expressly stipulate which data security measures must be taken, but provides that such measures must reflect the current state of technology and be economically reasonable. Good industry practice has therefore become the benchmark for determining which security measures were necessary when a breach of the act or a failure of internal control systems is assessed. This is particularly relevant where internal control systems have failed, because the courts will then examine the potential liability of the persons responsible for the breach (eg, managing directors). Liability for insufficient data security seldom arises where good industry practice has been followed.
Are data owners/processors required to notify individuals in the event of a breach?
Yes. The data controller must inform the data subjects concerned in an appropriate manner as soon as it becomes aware that data under its control has been systematically and seriously misused and that the misuse may cause the data subjects to suffer damage. The notification obligation does not apply if only minor damage is likely and notification would require disproportionate effort or cost.
Are data owners/processors required to notify the regulator in the event of a breach?
No. The data controller must inform only the natural and legal persons whose data is affected by the breach; there is no general obligation to notify the Data Protection Authority. Telecommunications operators are the exception: they must inform the Data Protection Authority directly in such an event.
The EU General Data Protection Regulation will, however, change this significantly by establishing a general obligation to report data breaches to the Data Protection Authority.