Personal data breaches
At a glance
- Part 3 of the DPA 2018 introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place.
In brief
- What is a personal data breach?
- What breaches do we need to notify the ICO about?
- What information must a breach notification to the Information Commissioner contain?
- When do we have to tell individuals about a breach?
- What information should we tell individuals who have been affected by the breach?
- How do we notify a breach?
- What should we do to prepare for breach reporting?
What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
What breaches do we need to notify the ICO?
You only have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals. If left unaddressed such a breach is likely to have a significant detrimental effect on individuals. For example:
- result in discrimination;
- damage to reputation;
- financial loss; or
- loss of confidentiality or any other significant economic or social disadvantage.
In more serious cases, for example those involving victims and witnesses, a personal data breach may cause more significant detrimental effects on individuals.
You have to assess this on a case by case basis and you need to be able to justify your decision to report a breach to the Information Commissioner.
What information must a breach notification to the Information Commissioner contain?
You must include:
- a description of the nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned;
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if you have one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.
When do we have to tell individuals about a breach?
If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly without undue delay.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.
The duty to tell an individual about a breach does not apply if:
- you have implemented appropriate technical and organisational measures which were applied to the personal data affected by the breach (for example the data has been securely encrypted);
- you have taken subsequent measures which will ensure that any high risk to the rights and freedoms to individuals is no longer likely to materialise; or
- it would involve disproportionate effort.
Where a communication of a breach would involve disproportionate effort, you must make the information available to individuals in another, equally effective way, such as a public communication.
You may restrict the information, either wholly or partly, that you provide to individuals affected by a breach under certain circumstances. This is when doing so is a necessary and proportionate measure:
- to avoid obstructing an official or legal inquiry, investigation or procedure;
- to avoid prejudicing the prevention, detection, investigation or to prosecution of criminal offences or the execution of criminal penalties;
- to protect public security;
- to protect national security; or
- to protect the rights and freedoms of others.
What information should we tell individuals who have been affected by the breach?
You must give individuals information including:
- a description of the nature of the personal data breach;
- the name and contact details of the data protection officer (if relevant) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.
How do we notify a breach?
You have to report a notifiable breach to the ICO without undue delay and within 72 hours of when you became aware of it. Part 3 of the DPA 2018 recognises that it will often be impossible for you to investigate a breach fully within that time-period and allows you to provide information in phases. If you cannot provide all the information required above within 72 hours, you must also explain reasons for the delay in your breach notification.
If the breach is sufficiently serious to warrant notification to the public, you must do so without undue delay.
Failing to notify a breach when required to do so can result in a significant fine up to £8.7m or 2 per cent of your global turnover.
To notify the ICO of a personal data breach, please see our pages on reporting a breach.
What should we do to prepare for breach reporting?
You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.
You should ensure that you have an internal breach reporting procedure in place. This will help decision-making about whether you need to notify the Information Commissioner or the affected individuals.
In light of the tight timescales for reporting a breach, it is important to have robust breach detection, containment, management and mitigation policies and procedures in place.