In this article, we provide a refresher for HR practitioners on what should happen when data breaches occur.
A breach may occur if personal data is destroyed, lost, altered or if there is unauthorised disclosure of (or access to) personal data as a result of a breach of security.
This is a very wide definition, and it clearly goes beyond the simple loss of data (for example, where a hard drive containing a database of your employees’ data is left on a train). It also encompasses situations where a lack of security controls on an employer’s IT system has allowed data to be accessed by people who are not authorised to do so.
When an employer becomes aware of a personal data breach, what are the key things that it must do without delay?
- Secure the breach:
Initial steps should be taken to immediately secure the breach and to undertake any remedial action that will prevent further breaches of that personal data. For example, if sensitive information was sent to the wrong individual, ask them to delete it, return it securely, or hold it safely for you to collect. The employer should then consider whether any notifications need to be made to the Information Commissioner’s Office (‘ICO’) or to the individuals affected by the breach.
- Consider whether it must notify the ICO and any impacted data subjects:
Not all breaches will need to be notified, but the exercise of ascertaining whether this obligation is triggered must be undertaken as early as possible.
The ICO website provides a self-assessment tool to help with this: Self-assessment for data breaches | ICO
- Record and investigate the breach:
Whether the employer is required to notify the ICO or not, it must keep an internal record of any personal data breaches. The internal record should document the facts of the breach, its effects, and the remedial action taken by the employer.
In addition, the employer should investigate whether the breach was down to human error or a systemic issue and consider how a recurrence of the event can be avoided.
If notification is required, what information must the employer give to the ICO?
The obligation to notify is only triggered where the breach places data subjects at some kind of risk (such as where sensitive personal data or financial details are compromised).
Where a notification is necessary, the ICO must be provided as a minimum with the following details:
- The nature of the breach, including the approximate number of individuals and personal data records affected, and the categories of data that have been breached;
- Contact information for the employer’s data protection officer, or other contact point where more information can be obtained;
- The likely consequences of the personal data breach; and
- The measures taken or proposed to be taken by the employer to address the breach and mitigate any possible adverse effects.
Breaches can be reported to the ICO by phone via its helpline, or online via the ICO form. In any event, employers should keep an internal written record that the breach was reported.
What is the timeframe for making a notification?
Employers must report notifiable breaches “without undue delay” and, where feasible, within 72 hours of becoming aware of them. An employer will rarely have concluded its internal investigation into the relevant matters within this initial 72-hour period, but that must not deter it from making the notification. The information that is available by the 72-hour deadline must be provided in any case, with the remainder following as soon as possible thereafter.
Do affected data subjects need to be told about the breach?
When there is a ‘high risk’ to the rights and freedoms of data subjects, the affected individuals must be notified ‘without undue delay’.
When determining whether the breach is ‘high risk’, consider the severity of the potential or actual impact on the individual data subjects. If the impact of the breach or likelihood of consequences is severe, this increases the level of risk.
If notification is required, the employer must provide data subjects with information regarding the breach in plain and simple language. This must include likely consequences of the breach, the measures taken or proposed to address the breach and mitigate possible adverse effects, as well as contact information for the employer’s data protection officer or other relevant data contact.
In addition, best practice suggests employers should provide data subjects with steps they can take to safeguard themselves, and what the employer is willing to do to help, for example, password resets.
Employers should bear in mind, however, that notifying individuals will not be required if:
- The employer has applied appropriate technical and organisational protection measures to the affected personal data, such as encryption or other means of making the data unintelligible to any unauthorised access;
- Measures have been taken after the breach to ensure that the high risk to the individual’s rights and freedoms is unlikely to materialise; or
- It would involve disproportionate effort to notify individual data subjects. In this circumstance, a public announcement may be more appropriate.
What are the consequences of failure to notify a personal data breach?
Employers could face a fine of up to £8.7 million or 2% of the employer’s global turnover (whichever is higher), as well as having to deal with any potential reputational damage. However, the notification obligations are not particularly onerous, and provided that an appropriate internal breach reporting procedure is in place, compliance should be achievable for all employers.
What other personal data breach obligations should employers be aware of?
All companies must keep an internal data breach register. It must record certain details of every data breach, so it is vital that employees are informed (for example, in a policy or staff handbook) and trained on what a personal data breach may look like in practice and on the steps they must take to report a breach internally. The register must be made available for inspection by the ICO on request. Keeping and maintaining the breach register is therefore a key way in which employers can demonstrate compliance with the overarching principle of accountability.
What should HR’s role be in connection with personal data breaches?
We recommend that as part of any wider GDPR compliance programme, HR practitioners consider the following measures:
- An HR resource is designated as the person to whom employees may direct any queries regarding personal data breaches.
- HR has input into developing and updating the employer’s internal data breach reporting policy and procedure, to ensure that it makes sufficiently clear what employees’ obligations are in the event of a personal data breach.
- HR should have a key role in ensuring that all employees are made aware (for example, by providing training) of the procedure (and any accompanying policy) and what their obligations are, should they suspect a data breach.
- Thought should be given to whether there are any measures that can be taken to foster an internal culture in which those who report personal data breaches do not fear repercussions for doing so, for example comprehensive data breach training, support and supervision, and accessible data protection contacts.
- HR will have to perform a balancing act between creating an open culture on the one hand, and on the other ensuring that employees who deliberately breach personal data obligations are dealt with in accordance with the employer’s disciplinary procedures.
- HR should specifically consider whether the technical and organisational protection measures currently in place to ensure the security of HR data (especially special category data such as medical/healthcare data) are adequate. For example, are there any measures that can be taken to enhance this security, such as encryption and other ways of anonymising data?
- In some cases, employers may need to consider if further action should be taken against employees that were involved in the data breach. In doing so, employers should follow any relevant internal policies and seek specific advice where necessary.