Data Breaches - What they are and how to deal with them
This document provides guidance on identifying and reporting personal data breaches (Data Breaches) under the Data Protection (Jersey) Law 2018 (DPJL 2018): what they are and how they need to be managed.
Data Breaches can occur in a variety of ways, including when unauthorised individuals or third-party organisations gain access to personal data, which can expose the individuals concerned to risks such as identity theft, fraud, harm, distress or financial loss. Organisations must act quickly to contain the incident, protect affected individuals and take preventative measures so that the same issue does not happen again.
Data controllers must also notify the Jersey Office of the Information Commissioner (JOIC) within 72 hours of a Data Breach if the incident could impact individuals’ rights and freedoms.
For serious Data Breaches (where there is a high risk of harm), affected individuals should also be informed promptly by the data controller.
Controllers must keep a detailed log of all Data Breaches for accountability and compliance (not just the ones reportable to us).
We provide a secure form for all Data Breach notifications. This needs to be completed by the data controller and can be found here.
Individuals affected by the data breach should not use this form but can let us know about any concerns they have, here.
Frequently used words in this guidance note
The following words and phrases are used in this guidance note.
| Frequently used words | Description |
|---|---|
| Breach log | The document a data controller keeps to record all personal data breaches, no matter how serious they are. |
| Data controller | The natural or legal person, public authority, agency or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data (Art.1 DPJL 2018). |
| Personal data | Any information relating to an identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. |
| Personal data breach/data breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (Art.1 DPJL 2018). |
| Special Category Data | Personal information relating to: |
What is a Data Breach?
- A Data Breach is something that happens when someone’s personal data (including more sensitive, special category data) is accidentally or unlawfully lost, stolen, disclosed or accessed. This can include sending an email containing someone’s personal data to the wrong person, leaving a notebook on the bus, or a hacker gaining access to computer systems and files they should not have been able to access, or preventing access to an organisation’s systems.
What do data controllers need to do if there has been a Data Breach?
The DPJL 2018 sets out the steps that data controllers need to take when handling Data Breaches, which are designed to protect individual privacy and data rights. One of the requirements of the DPJL 2018 is that data controllers need to have appropriate technical and organisational measures in place (like secure IT systems and training for staff) to ensure that personal data is kept secure and to protect against unauthorised access/processing and also against accidental access, loss, destruction, or damage.
Not all breaches need to be reported to us. If a breach is unlikely to result in a risk to anyone’s rights or freedoms, no notification is required; we only need to know about the breaches that have put a person’s rights and freedoms at risk. To decide, consider what has happened and assess the severity of the actual or potential impact on the individual(s) concerned, and then how likely it is that those consequences will occur. In other words: what is the worst that could happen, and how likely is it to happen?
If a Data Breach occurs that does pose a risk to individuals, data controllers must notify us (the JOIC) as soon as possible, but no later than 72 hours after discovering it. Notification helps ensure that appropriate action is taken to prevent further harm. You can do this via our online form. If you need further help and guidance, please contact us.
If there is a risk of serious harm, data controllers must also tell individuals affected by the breach.
Data controllers should keep a detailed record of all breaches, even those not reported to us, as these logs may be reviewed during audits to ensure compliance. An example of what a breach log may look like and the type of information it should contain, can be found in our Related Downloads section.
What information should affected individuals be given about the Data Breach?
Remember, it is only if there is risk of serious harm that data controllers must tell affected individuals about the Data Breach.
It is up to the data controller to decide how to notify affected individuals and in some circumstances the data controller may choose to make a public announcement on its website for example, rather than writing to each affected individual personally. This is allowed under the DPJL 2018 if it would not be practical to contact everyone individually and so long as that notification includes all the information required under the law.
A notification to affected individuals should include information about:
- What happened
- What data was involved in the Data Breach
- What the potential impact of the Data Breach could be (what is the worst that could happen)
- What the individuals can do to protect themselves
- The name and contact details of any data protection officer/contact from whom more information can be obtained.
We have a template letter you can use as a starting point. You will need to adapt it to your particular circumstances, or you could use it as the basis for a press release.
What does the JOIC do to investigate a Data Breach?
- We will review the notification submitted by the data controller and may ask the data controller for clarification or further information. If we consider that the risk/harms to the individual are low, and/or that the data controller has taken appropriate steps to deal with the Data Breach (including to mitigate the impact and prevent similar things happening in the future) then we may conclude that no further formal action is necessary.
Does the JOIC have formal enforcement powers?
- In appropriate circumstances we may undertake further investigations and can commence a formal Inquiry under Art.21 of the Data Protection Authority (Jersey) Law 2018 (DPAJL 2018). This could result in our making formal findings that the data controller has contravened the DPJL 2018, our imposing orders or, potentially, the issuing of an administrative fine and/or a public statement.
Can the JOIC order that a data controller pays compensation to affected individuals?
- We cannot order a data controller to pay compensation to affected individuals, nor will we take any legal action on behalf of individuals against data controllers.
What is a Data Breach?
- A Data Breach is defined in Art.1 of the DPJL 2018 as follows:
“‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”
- There will be a Data Breach whenever any personal data (including any special category data) is accidentally lost, corrupted, or disclosed, or if someone accesses it or passes it on without proper authorisation to do so: it can be deliberate or accidental.
Example data breaches can include:
- A hacker gaining unlawful access to a computer system (including encrypting the relevant information with ransomware so that the data controller can no longer access it)
- An employee accessing information on a colleague or client that they should not be able to access or have no good reason for accessing
- An employee sending an email meant for one person to the wrong person
- Losing hard copy information or computer devices that have personal information on them
- Changing information without permission
Even if the personal data was encrypted to an appropriate standard, and the decryption key remains secure, data controllers must still notify us of the breach.
These are some common examples of Data Breaches reported to us.
Case Study 1: A data controller sent a confidential report to an individual that contained details about a family member, including very sensitive information the family member had previously disclosed to the organisation. The recipient had not known this information before, and there was no need for it to be in the report.
Case Study 2: A notebook containing notes about a data controller’s clients was found in a communal dustbin in a residential area.
Case Study 3: Patient A was sent an appointment letter intended for Patient B. The address on the letter itself was correct, but it had been put in an envelope addressed to Patient A. Patient A therefore learned Patient B’s name and address and an indicator of a medical condition Patient B suffered from (the letter named a particular department and the treating doctor).
Reporting Obligations to the JOIC
Under Art.20(1) of the DPJL 2018, data controllers must notify us without undue delay and, in any event and where feasible, within 72 hours of becoming aware of a data breach that could risk the rights and freedoms of individuals.
This means that in respect of every Data Breach suffered you need to undertake a risk assessment to work out whether you need to notify us and any affected individual. Whilst there is a threshold for seriousness in that breaches that are unlikely to result in a risk to the rights and freedoms of natural persons need not be reported, if there is any doubt, REPORT IT.
We do accept that it will not always be feasible to provide us with full details within 72 hours. In such cases, Art.20(4) of the DPJL 2018 states that: “Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.”
As soon as you have enough information to confirm that there has been a Data Breach and provide some basic facts you should still make the notification within 72 hours, even if you can’t yet provide full details and it is just to tell us that a breach has occurred and to provide us with the contact details of your data protection officer (DPO), data protection lead or other person with responsibility for data protection matters. You can provide additional information to us once available.
If you fail to notify within the specified timeframe, you will need to be able to explain why you could not make the notification [1].
We consider that you will have become aware of the Data Breach when you have a reasonable degree of certainty that personal data, for which you are responsible, has been compromised [2].
We provide a secure notification web form for data controllers to use to notify us of Data Breaches and tell us exactly what happened. The same form can be used for initial and follow-up notifications.
Failing to notify us of a breach when required to do so may result in an administrative fine of up to £5,000,000.00.
Assessing the Risk of Data Breaches
- To know whether notification needs to be made to us and/or the individual, data controllers need to:
- undertake a full assessment to understand exactly what data has been breached; and then
- assess the impact of the Data Breach on any affected individuals i.e. what are the potential consequences of that breach on them.
- To understand the extent of the Data Breach and how it could affect individuals, you need to know:
- What type of data was involved (including a description of the data, and the categories and approximate number of records)
- What has happened to the data?
- How sensitive the data is that has been breached (does it involve special category data)
- Who is affected by the Data Breach and what are the likely consequences of the breach on them? What is the worst that could happen if the breached information fell into the wrong hands or was out in the public domain? For example, could they be at risk of:
- Discrimination
- Identity theft/fraud
- Financial loss
- Reputational damage
- Physical threat/harm
- Emotional distress
- What could a third party find out about an affected individual from the breached information?
- Where data has been stolen, is it encrypted, or has it been pseudonymised?
Further helpful information on assessing risk can be found on the European Commission website, in Part IV of the Guidelines published by the previous Article 29 Working Party on "Personal data breach notification under Regulation 2016/679".
We expect you to take any Data Breach incident seriously and prioritise its investigation. If you need further information or assistance, please contact us.
Information that must be included in your notification to the JOIC
- Any notification must include:
- The name of the data controller
- The name and contact details of the DPO or other point of contact where more information can be obtained
- Whether it is a first or subsequent notification
- The date and time of the Data Breach (or best estimate)
- The date and time of the controller becoming aware of the Data Breach
- The nature and content of the personal data concerned
- Technical and organisational measures applied (or that will be applied) to the affected personal data
- The name of the organisation affected by the data breach (if different from the data controller)
- If possible, the initial notification should also include the more detailed information set out below [3]; otherwise, this must be included in any second notification:
- A summary of the incident that caused the Data Breach, including the physical location of the Data Breach i.e. what actually happened, why, and who caused the breach
- The number and category of data subjects concerned
- The number and category of personal data records concerned
- The likely consequences of the Data Breach and potential adverse effects on the data subjects i.e. what is likely to happen - or has happened - as a result of the breach and what is the worst thing that could happen to data subjects
- The technical and organisational measures taken or proposed to be taken to mitigate those potential adverse effects
- The content of any notification provided to affected data subjects
- The means of communication used to notify the affected data subjects
- The number of data subjects notified
- Whether the Data Breach affects data subjects in any jurisdiction other than Jersey
- Details of any notification made to other data protection authorities
- If these details cannot be included in any second notification, a reasoned justification for the further delay.
- We will ask you to upload:
- An extract from your data breach log (the entry that relates to this particular incident)
- A copy of the information that has been breached (so we can see what information was compromised and satisfy ourselves that you have appropriately analysed the risk)
- A copy of your breach reporting policy (if you have one)
You must fill as much of the form in as you can based on the information available and you must provide us with the documents we ask for.
We will consider the information provided to assess whether you are complying with your obligations under the DPJL 2018, including the duty to take appropriate technical and organisational measures to safeguard the personal data of data subjects, and any notification requirements. We may have follow up questions for you and may ask for additional documentation. We will also check your organisation’s profile to see whether or not you have reported breaches to us previously and, if so, how many times and what the breaches were about. This is because we check for patterns in the types of breaches reported to us. If an organisation suffers from multiple breaches of the same type for example this may be indicative of a broader problem that requires investigation.
Depending on the severity of the Data Breach, we may consider that you have responded appropriately and that no formal actions are necessary or we may consider that the issues surrounding the Data Breach are so serious as to warrant our initiating a formal Inquiry under Art.21 of the DPAJL 2018.
Notifying Affected Individuals
If a Data Breach presents a high risk to individuals' rights, data controllers must also inform affected individuals without undue delay.
The ‘high risk’ threshold for informing individuals is higher than the ‘risk’ threshold for notifying the JOIC. You need to assess both the severity of the potential or actual impact on individuals because of the Data Breach and the likelihood of it occurring. The more severe the impact of the Data Breach, the higher the risk; the more likely the consequences, the higher the risk.
In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effect of a breach.
Notifications to affected individuals must:
- Use clear, plain language to describe the Data Breach (suitable for your audience, so that they can understand what has happened)
- Give the name and contact details of the DPO or other point of contact where more information can be obtained
- Explain the potential consequences of the Data Breach (i.e. how it could affect them)
- Outline the protective steps taken by the data controller to address the Data Breach and suggest actions the individuals can take.
You should provide advice and guidance to affected individuals on any steps they can take to protect themselves from the effects of the Data Breach and advise them if there is anything you are willing to do to help. This could include giving practical guidance such as recommending resetting relevant usernames/passwords or offering credit monitoring services.
If notifying all individuals is impractical, a public announcement can be used as an alternative, provided it conveys the required information in an equally effective manner [4].
Notification is not required if:
- the data controller has implemented proportionate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption [5]; or
- the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise [6].
If a data controller has not notified affected individuals, we can direct a data controller to do so if we consider that there is a high risk to those individuals. You may also need to consider whether there are any contractual requirements in place that oblige you to tell affected individuals.
We have a template letter available that you can use and adapt for your own purposes.
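The triage sequence set out in the sections above (grading risk from severity and likelihood, the 72-hour clock running from awareness, the higher threshold for telling individuals with the Art.20(7) exceptions, and the Art.20(5) log entry kept for every breach) as a worked example in Python. This is an added example for this guidance note, not JOIC code and not a tool the JOIC provides; the 1-3 scales, the score thresholds and the sample incidents are assumptions for illustration, and the DPJL 2018 prescribes no numeric scoring.

```python
"""Breach triage and breach-log helper (added example; not JOIC code).

Models the decision sequence in the guidance: the 72-hour JOIC clock runs from
awareness, not from the breach; risk = severity x likelihood; any risk means notify
the JOIC, high risk means also tell individuals unless an Art.20(7)(a)/(b) exception
applies; every breach gets a log entry whether or not it is reportable.
The 1-3 scales and thresholds are assumptions; the law prescribes no scoring.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Breach:
    ref: str
    occurred_at: datetime          # date/time of the breach (or best estimate)
    aware_at: datetime             # reasonable degree of certainty that data was compromised
    facts: str                     # what happened, why and who caused it
    data_categories: list[str]
    subjects_affected: int
    severity: Level                # worst realistic consequence for the individuals
    likelihood: Level              # how likely that consequence is to occur
    unintelligible: bool = False   # Art.20(7)(a): e.g. encrypted and the key remains secure
    risk_mitigated: bool = False   # Art.20(7)(b): subsequent measures removed the high risk


JOIC_DEADLINE = timedelta(hours=72)


def joic_deadline(b: Breach) -> datetime:
    """Art.20(1): without undue delay and, where feasible, within 72 hours of awareness."""
    return b.aware_at + JOIC_DEADLINE


def risk_tier(b: Breach) -> str:
    score = b.severity * b.likelihood   # assumption: product of the two 1-3 scales
    if score <= 2:
        return "unlikely"    # unlikely to result in a risk: log it, no notification
    if score < 6:
        return "risk"        # risk to rights and freedoms: notify the JOIC
    return "high risk"       # high risk: notify the JOIC and the affected individuals


def triage(b: Breach) -> dict:
    """Notification decisions for one breach."""
    tier = risk_tier(b)
    notify_joic = tier != "unlikely"
    exceptions = []
    if tier == "high risk" and b.unintelligible:
        exceptions.append("Art.20(7)(a): data unintelligible to unauthorised persons")
    if tier == "high risk" and b.risk_mitigated:
        exceptions.append("Art.20(7)(b): high risk no longer likely to materialise")
    return {"tier": tier, "notify_joic": notify_joic,
            "joic_deadline": joic_deadline(b) if notify_joic else None,
            "notify_individuals": tier == "high risk" and not exceptions,
            "exceptions": exceptions}


def deadline_status(b: Breach, notified_at: datetime) -> tuple[str, float]:
    """('on time', 0.0) or ('late', hours over); a late notification needs a reasoned justification."""
    overrun_hours = (notified_at - joic_deadline(b)).total_seconds() / 3600
    return ("late", overrun_hours) if overrun_hours > 0 else ("on time", 0.0)


def log_entry(b: Breach) -> dict:
    """Art.20(5)-style record: facts, effects and the notification decisions, kept for every breach."""
    d = triage(b)
    return {"ref": b.ref, "occurred_at": b.occurred_at.isoformat(), "aware_at": b.aware_at.isoformat(),
            "facts": b.facts, "data_categories": b.data_categories,
            "subjects_affected": b.subjects_affected, "risk_tier": d["tier"],
            "joic_notification_required": d["notify_joic"],
            "individuals_notification_required": d["notify_individuals"],
            "exceptions_relied_on": d["exceptions"]}


# Constructed sample incidents (hypothetical, not real cases), loosely based on the case studies above.
T0 = datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc)   # breach occurred
T1 = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)    # controller became aware
LOST_LAPTOP = Breach("BR-001", T0, T1, "Unencrypted laptop holding client files left on a bus",
                     ["name", "address", "medical condition indicator"], 240, Level.HIGH, Level.HIGH)
LOST_LAPTOP_ENCRYPTED = Breach("BR-002", T0, T1, "Full-disk-encrypted laptop left on a bus; key still secure",
                               ["name", "address", "medical condition indicator"], 240,
                               Level.HIGH, Level.LOW, unintelligible=True)
MISDIRECTED_REPORT = Breach("BR-003", T0, T1, "Report with a family member's sensitive details sent to the "
                            "wrong person; recipient returned it and confirmed no copies were kept",
                            ["name", "health information"], 1, Level.HIGH, Level.HIGH, risk_mitigated=True)
INTERNAL_EMAIL = Breach("BR-004", T0, T1, "Email naming one client sent to the wrong internal colleague; recalled",
                        ["name", "email address"], 1, Level.LOW, Level.LOW)
```

Note that BR-002 is still notified to the JOIC (the tier is "risk", and the guidance says encryption does not remove the duty to notify us) while no individual notification is required; BR-003 shows the Art.20(7)(b) route, where the JOIC is notified but the individuals need not be once the high risk has been removed; BR-004 is logged only.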
Processors
If you use a processor and the processor suffers a Data Breach, it must tell you without undue delay as soon as it becomes aware of what has happened [7]. It is for you to notify us if required, not the processor, and the specific steps to be taken in the event of a Data Breach should be set out in the agreement between you and the processor.
You can find more information about this in our separate guidance note on Duties of a Controller.
Breach Log Requirements
Art.20(5) of the DPJL 2018 says that data controllers must maintain detailed logs of all breaches, including:
- the facts and circumstances of the breach; and
- impact assessments and remedial actions.
We offer a template for maintaining this log, and data controllers should be prepared for periodic audits, as these logs are subject to our inspection for compliance verification. See our Related Downloads section.
Planning for Data Breaches
You must have appropriate technical and organisational measures in place to ensure a level of security appropriate to the risk posed by the personal data being processed. This means understanding what is processed, why, what the risks are to individuals if that information is breached and putting in place appropriate safeguards to protect against such incidents.
These processes and procedures must be maintained and reviewed at regular intervals.
You also need to plan in advance and have processes in place so you can identify and respond to Data Breaches that occur. These plans should include guidance on how to assess the risk to individuals, whether it is necessary to report the Data Breach to us (or any other supervisory authority) and whether affected individuals also need to be informed.
You must also consider whether there is adequate staff awareness of security issues and look to fill any gaps through training or tailored advice.
You should regularly check and test your processes to make sure that they are working properly and that they are fit for purpose.
Notes
1. Art.20(2) DPJL 2018
2. See Part II of the Article 29 Working Party Guidelines on Personal data breach notification under Regulation 2016/679
3. This includes the information required under Art.20(3)(a) – (d) of the DPJL 2018
4. Art.20(7)(c) DPJL 2018
5. Art.20(7)(a) DPJL 2018
6. Art.20(7)(b) DPJL 2018
7. Art.22(1)(g) DPJL 2018