In response to the recommendation of the Data Protection Review Group that the reporting obligations of data controllers in relation to data breaches should be set out in a statutory code of practice as provided for under the Data Protection Acts, the Irish Data Protection Commissioner (“DPC”) published a draft Security Breach Code of Practice on 31 May 2010 for public consultation. The main features of the draft Data Security Breach Code of Practice are:
- Data controllers confronted with a breach of their data security obligations must give immediate consideration to informing those affected (this permits data subjects to consider the consequences for each of them individually and to take appropriate measures);
- Data controllers should also notify organisations that may be in a position to assist in protecting data subjects, including, where relevant, the police, financial institutions etc.;
- All incidents of loss of control of personal data by a data controller must be reported to the Office of the Data Protection Commissioner (“ODPC”) as soon as the data controller becomes aware of the incident except:
  - where the personal data was inaccessible in practice due to being stored on encrypted equipment secured to a high standard with a strong password and the password was not accessible to unauthorised individuals;
  - where the personal data was stored on equipment with a strong password and a remote memory wipe feature that was activated immediately after the incident and there is no reason to believe that the personal data was likely to have been accessed before such deletion took place;
  - where the full extent and consequences of the incident have been reported without delay directly to the affected data subject(s) and it affects no more than 100 data subjects and it does not include sensitive personal data or personal financial data that could be used to carry out identity theft.
- Even where no requirement to notify the ODPC arises, the data controller must keep a record of each such incident and the steps taken in response to it. This record is to be made available to the ODPC on request;
- Data controllers who are required to report must do so within two working days of becoming aware of the incident. They are required to provide a detailed report of the incident reflecting careful consideration of the following elements:
  - the amount and nature of the personal data that has been compromised;
  - what action has been taken to secure and/or recover the personal data that has been compromised;
  - what actions are being taken to inform those affected by the incident or reasons for the decision not to do so;
  - what actions (if any) are being taken to limit damage or distress to those affected by the incident;
  - a chronology of the events leading up to the disclosure.
- A further report will be required which describes the measures being undertaken to prevent repetition of the incident;
- The ODPC will investigate the issues surrounding the data breach. This may include onsite examination of the systems and procedures. This could lead to the use of the DPC’s legal powers to compel certain actions including a recommendation or requirement to inform data subjects about a security breach incident where a controller has not already done so.
The DPC has invited the public to send comments and observations on the draft Code by Friday 18 June 2010.