One of the distinct changes made to the way we handle and perceive personal data relates to responding to a breach of personal data. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This may include data breaches that are the result of both accidental and deliberate causes, and also means that a breach is more than just about losing personal data.
The Data Protection Act, 2019 (the DPA) touches on this, requiring the notification or communication of breach where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been a subject of the unauthorized access. This means that a data collector and/or data processor on becoming aware of a breach, should contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen. Some personal data breaches may only lead to possible inconvenience to those who need the data, while others can significantly affect individuals whose personal data has been compromised. It is therefore necessary to assess the potential adverse consequences of the breach based on how serious or substantial they may be, and how likely they are to happen.
The Data Protection Act, 2019 (the DPA) touches on this, requiring the notification or communication of breach where personal data has been accessed or acquired by an unauthorized person, and there is a real risk of harm to the data subject whose personal data has been a subject of the unauthorized access.
The Office of the Data Protection Commissioner recently published the proposed Data Protection (General) Regulations, 2021, which attempt to provide further clarity to the DPA including providing for the nature of a data breach that would amount to notifiable data breach. This would assist in assessing the risk involved in notifying the Data Protection Commissioner of a personal data breach detected. However, the proposed regulations are yet to be in force.
Timelines for notification?
Where such a personal data breach with is a real risk of harm to the data subject has been detected, a data controller shall:
- notify the Data Commissioner without delay, within seventy-two (72) hours of becoming aware of such breach; and
- communicate to the data subject in writing within a reasonably practical period, unless the identity of the data subject cannot be established.
Where the notification to the Data Commissioner is not made within seventy-two (72) hours, such notification shall be accompanied by reasons for the delay above the specified duration.
The data controller may also delay or restrict communication referred to above as necessary and proportionate for purposes of prevention, detection or investigation of an offence by the concerned relevant body.
In the alternative, where a data processor becomes aware of a personal data breach, the data processor shall notify the data controller without delay and where reasonably practicable, within forty-eight (48) hours of becoming aware of such breach.
Information to be included in the notification
Such notification and communication to be made in the event of a personal data breach is required to provide sufficient information to allow the data subject to take protective measures against the potential consequences, including but not limited to the following:
- description of the nature of the data breach;
- description of the measures that the data controller or data processor intends to take or has taken to address the data breach;
- recommendation on the measures to be taken by the data subject to mitigate the adverse effects of the security compromise;
- where applicable, the identity of the unauthorized person who may have accessed or acquired the personal data; and
- the name and contact details of the data protection officer where applicable or other contact point from whom more information could be obtained.
The impact of implementing this requirement under the DPA would be to increase transparency in the handling of personal data, while continuously improving the measures taken to safeguard any personal data held. Although the proposed regulations also provide for more guidance on the nature of risk to be considered notifiable breach as well as other information to be included in a notification, we are yet to see the full effect of this requirement as the implementation of the DPA is still underway and as a result, the enforcement of the same is yet to be sufficiently tested. For now, they provide much needed guidance on dealing with personal data breaches, with the backing of the law to ensure our standards are at par with international best practice.
