There has been an increased demand for Government action on protecting the security of personal data following the recent thefts of non-encrypted laptops. The Data Protection Commissioner, in his recently published Annual Report for 2008, listed the failure of organisations to have even the most basic protocols in place to minimise the loss of customer and employee data as no. 1 of the top ten threats to individual privacy.
There is currently no explicit legal obligation to notify the Data Protection Commissioner, or any data subject affected, of a security breach*. However, security breach notification is arguably embedded in the Data Protection Acts 1988 & 2003 ("the Acts"). The Acts require any organisation processing personal data to take security measures appropriate to the level of harm that may result from unauthorised processing, destruction or loss of data, which would include risk assessment and encryption. The Acts do not detail the specific security measures that an organisation must have in place, but provide that the factors to be taken into account include: the nature of the data concerned, the cost of implementing security measures, and the availability of appropriate technology. The data controller must also take reasonable steps to ensure that employees comply with the security measures in place.
A Review Group was established in late 2008 to examine whether legislative change is required to deal with data security breaches, including mandatory reporting of data security breach incidents. The Review Group is expected to report to the Minister for Justice, Equality & Law Reform in the coming months.
On April 14 2009, the Data Protection Commissioner ("the DPC") issued interim Guidance on dealing with the loss of personal data. The Guidance recommends voluntary notification of any unauthorised or accidental disclosure of customer or employee personal data, and liaising with the DPC in considering the question of informing those persons directly affected by the breach. The DPC will investigate the issues surrounding the breach, and depending on the circumstances, may ask the organisation responsible for the breach to provide a detailed report of the incident.
The Department of Finance also issued guidance in December 2008 to Government departments, offices and agencies on "Protecting the Confidentiality of Personal Data". The guidance aims to assist Government bodies to put in place data security breach management plans to follow in the event of a breach incident. It identifies and explains the five key elements of any breach management plan, namely:
- Identification & classification
- Containment & Recovery
- Risk Assessment
- Notification of Breach
- Evaluation & Response
The Guidance should assist all organisations, both public and private, in deciding on an appropriate course of action if a breach occurs.
* Only telecommunications providers have a specific statutory obligation to inform subscribers of any particular risk of a breach of security, under Reg. 4(2) SI 535 of 2003.