The Information Commissioner's Office (ICO) has issued guidance on whether data breaches should be notified to the ICO. This will be of concern to associations holding personal data relating to their residents, employees or contractors.

There is no legal obligation to report data security breaches to the ICO under the Data Protection Act 1998 (DPA) (although specific reporting obligations outside the DPA may apply to certain public sector bodies). The ICO recommends that serious breaches should be notified.

The ICO advises that the overriding consideration in deciding whether to report a breach is the potential harm to individuals, such as risk of identity theft or a person's financial circumstances becoming public. The extent of harm is dependent on both the volume of personal data involved and the sensitivity of the data disclosed.

There is a presumption to report where a large volume of personal data is concerned. As a rule of thumb, this is if more than 1000 individuals are affected. A presumption to report may also arise where smaller amounts of personal data are involved but the information disclosed is particularly sensitive. For example, the loss of as few as 10 records containing health-related information could trigger a presumption to report.

In deciding the most appropriate course of action following a data breach, the ICO will consider whether a breach has been reported voluntarily. The ICO may decide to take no further action, require remedial steps to be taken or take regulatory action. In the case of serious, deliberate or reckless breaches of the DPA, the ICO can impose fines of up to £500,000.

Where the ICO takes regulatory action, such actions are publicised as a matter of policy. This negative publicity can cause reputational damage and lack of public confidence in an organisation. This is a serious consequence of a data security breach.

In light of the above, organisations in the social housing sector would be well-advised to consider the following preventative measures:

  • keep data protection policies under review;
  • ensure suitable technical measures for data security are in place;
  • ensure staff receive data protection training;
  • include appropriate protections in agreements with contractors to whom personal data may be transferred, for example providers of meals or other care-related services to elderly residents.