The Irish Data Protection Commissioner (DPC) has issued interim guidance on dealing with the loss of personal data. A Review Group, set up late last year by the Minister for Justice, Equality and Law Reform, is presently examining whether changes need to be made to the data protection legislation to deal with data protection breaches. The Group is expected to report to the Minister in the coming months. The interim guidance sets out what the DPC considers to be best practice.
There is currently no explicit statutory obligation to notify the DPC, or any affected data subject, of a security breach. Views are mixed on the benefits that a mandatory reporting system might offer.
The interim Guidance issued by the DPC recommends immediately notifying his Office of any unauthorised or accidental disclosure of customer or employee personal data. The DPC's Office will then liaise with the organisation responsible for the data breach on whether to inform the persons affected by the breach. The Guidance states that the DPC may ask the organisation responsible for the breach to provide a detailed report of the incident, and the DPC will investigate the issues surrounding the breach. Such an investigation may include an inspection by the DPC of the organisation's data protection procedures and the use of the DPC's legal powers to enforce compliance with data protection laws.
The Department of Finance also recently issued a guidance note entitled "Protecting the Confidentiality of Personal Data". The document provides guidance to Government Departments, Offices and Agencies on how personal data is to be stored, handled and protected. In relation to notification of data breaches, the guidance similarly encourages voluntary notification to the DPC's Office. The guidance does, however, warn Government Departments of the dangers of over-notifying, and suggests that not every incident will warrant notification to the individuals to whom the data relates.