Yesterday, on 14 April 2009, the Irish Data Protection Commissioner issued interim guidelines setting out how the Commissioner wished organisations to deal with loss of personal data. The main thrust of the guidance is to encourage organisations to engage in “voluntary disclosure” of data loss. Voluntary disclosure involves notifying the Data Protection Commissioner’s Office of details of the data security breach or loss. Although notification of data breaches is not a requirement currently contained in the Data Protection Acts 1988 to 2003, the Data Protection Commissioner recommends this as being good practice.
In late 2008 the Minister for Justice, Equality and Law Reform established a Data Protection Review Group that is charged with a “review of Data Protection legislation following recent data breaches in Ireland and elsewhere”. The Minister indicated, when introducing the working group, that the legislative regime he intends to introduce will extend to both public and private bodies. He also indicated that he was considering compelling disclosure to the public in “major cases”. This working group’s review is ongoing.
The Data Protection Commissioner’s guidance should also be seen against the backdrop of the recent Guidance Note from the Department of Finance entitled “Protecting the Confidentiality of Personal Data”. This Guidance Note was issued by the Department to government departments and agencies. The Department of Finance Guidance Note deals with a number of areas involving personal data. Under the heading “Notification of Breaches”, the Guidance Note states: “[t]herefore, if inappropriate release/loss of personal data occurs it should be reported immediately, both internally and to the Data Protection Commissioner’s Office and, if appropriate in the circumstances, to the persons whose data it is”.
It is interesting to note that the Data Protection Commissioner’s guidance recommends notification of all data losses or data security breaches to his office, regardless of the amount or quality of the personal data at issue, or the nature of the event giving rise to the data being compromised. There is now increasing pressure on organisations to notify data breaches. It will be interesting to see whether this momentum leads to the interim voluntary disclosure regime being converted into a compulsory disclosure regime. To answer this question we must wait for the working group to report to the Minister, who has said he will introduce legislative change following their report. The Data Protection Commissioner has said that the working group is expected to report in the next few months.