The Office of the Data Protection Commissioner has this week made informal contact with The National Maternity Hospital over a potential personal data security breach. An earlier media publication had reported that the hospital has carried out the first termination under the Protection of Life During Pregnancy Bill 2013.

The Data Protection Acts 1988 and 2003 impose obligations on all data controllers to process personal data entrusted to them in a manner that respects the rights of data subjects. Where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration, data controllers must give immediate consideration to inform those that have been affected.

The Data Protection Commissioner approved a Personal Data Security Breach Code of Practice in 2011 which addresses how to deal with situations where a personal data security breach has occurred. It is understood that that contact made with the hospital this week was an informal reminder to the hospital about their obligations under the Code of Practice.  

The Code of Practice applies to all categories of data controllers and data processors to which the Data Protection Acts 1988 and 2003 apply and states that all incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident, except when the full extent and consequences of the incident has been reported without delay directly to the affected data subject(s) and it affects no more than 100 data subjectsandit does not include sensitive personal data or personal data of a financial nature.

When in doubt it is advisable that the data controller should report the incident and give immediate consideration to informing those affected.  Data controllers reporting to the Office of the Data Protection Commissioner in accordance with the Code of Practice should do so within 2 working days of becoming aware of the incident, preferably by e-mail.

Under the Code of Practice the Data Protection Commissioner may request a data controller to provide a detailed written report of a particular incident. Such reports should consider the following:

  • the amount and nature of the personal data that has been compromised;
  • the action being taken to secure and / or recover the personal data that has been compromised;
  • the action being taken to inform those affected by the incident or reasons for the decision not to do so;
  • the action being taken to limit damage or distress to those affected by the incident;
  • a chronology of the events leading up to the loss of control of the personal data;
  • the measures being taken to prevent repetition of the incident.

The Data Protection Commissioner may then proceed to investigate the circumstances surrounding the security breach through an on-site examination of systems and procedures and can ultimately use relevant enforcement powers to compel appropriate action to protect the interests of data subjects.

The hospital has confirmed that they have launched an internal investigation to the matter and will be required to submit a report if its internal investigation discovers a data security breach.