How to report a Breach

The Data Protection (Jersey) Law 2018 includes a duty on all organisations to report certain types of personal data breach to the Jersey Office of the Information Commissioner (JOIC). You must do this within 72 hours of becoming aware of the breach, where feasible.

 

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

 

A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

 

In short, there will be a Breach whenever any personal data (including any special category data) is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without proper authorisation to do so.

 

This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. You need to assess this case by case, looking at all relevant factors.

 

  • If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
  • You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
  • You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
  • If your organisation uses a data processor, and this processor suffers a breach, then they must inform you without undue delay as soon as it becomes aware.
  • This requirement allows you to take steps to address the breach and meet your breach-reporting obligations under the DPJL. 
  • If you use a processor, the requirements on breach reporting should be detailed in the contract between you and your processor.

 

This guide explains the following;

 

  • Relevant breaches
    • What is a personal data breach?
    • Breached of encrypted information
  • Notifying the OIC
    • Within 72 hours of becoming aware
    • What information to include
    • What happens next
  • Notifying data subjects
    • If a breach is likely to represent a high risk to their fundamental rights and freedoms
    • What to tell them
    • When and how to tell them
  • Keeping a log of personal data breaches