At a glance
- Part 3 of the Act introduces a duty on all organisations to report certain types of personal data breach to the Information Commissioner. You must do this within 72 hours of becoming aware of the breach, where feasible.
- If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
- You should ensure you have robust breach detection, investigation and internal reporting procedures in place.
- What is a personal data breach?
- What breaches do we need to notify the ICO about?
- What information must a breach notification to the Information Commissioner contain?
- When do we have to notify individuals?
- What information should we tell individuals who have been affected by the breach?
- How do we notify a breach?
- What should we do to prepare for breach reporting?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
You only have to notify the ICO of a breach if it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals. For example:
- result in discrimination;
- damage to reputation;
- financial loss; or
- loss of confidentiality or any other significant economic or social disadvantage.
In more serious cases, for example those involving victims and witnesses, a data breach may cause more significant detrimental effects on individuals.
You have to assess this on a case by case basis and you need to be able to justify your decision to report a breach to the Information Commissioner.
You must include:
- the nature of the personal data breach including, where possible;
- the categories and approximate number of individuals concerned;
- the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if you have one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly without undue delay.
A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the ICO.
The duty to notify an individual about a breach does not apply if:
- you have implemented appropriate technical and organisational measures which were applied to the personal data affected by the breach;
- you have taken subsequent measures which will ensure that any high risk to the rights and freedoms to individuals is no longer likely to materialise; or
- it would involve disproportionate effort.
Where a communication of a breach would involve disproportionate effort, you must make the information available to individuals in another, equally effective way, such as a public communication.
You must inform individuals about:
- the nature of the personal data breach;
- the name and contact details of the data protection officer (if relevant) or other contact point where more information can be obtained;
- the likely consequences of the personal data breach; and
- the measures you have taken, or propose to take, to deal with the personal data breach and, where appropriate, of the measures you have taken to mitigate any possible adverse effects.
You have to report a notifiable breach to the ICO without undue delay and within 72 hours of when you became aware of it. Part 3 of the Act recognises that it will often be impossible for you to investigate a breach fully within that time-period and allows you to provide information in phases. If you cannot provide all the information required above within 72 hours, you must also explain reasons for the delay in your breach notification.
If the breach is sufficiently serious to warrant notification to the public, you must do so without undue delay.
Failing to notify a breach when required to do so can result in a significant fine up to £8.7m or 2 per cent of your global turnover.
You should make sure that your staff understand what constitutes a data breach, and that this is more than a loss of personal data.
You should ensure that you have an internal breach reporting procedure in place. This will help decision-making about whether you need to notify the Information Commissioner or the public.
In light of the tight timescales for reporting a breach, it is important to have robust breach detection, containment, management and mitigation policies and procedures in place.