Understanding and assessing risk in personal data breaches

More info

A personal data breach doesn’t just mean any data that goes missing or is stolen.

For example, it could include an email about your business sent to multiple addresses without using a secure bulk mailing method. This might be a personal data breach, if your customers’ private email addresses were visible. But if it turns out that  only the business email addresses of limited companies were visible, then it may not be a personal data breach. This is because business information is not personal information. In this case, you wouldn’t need to continue with your risk assessment or any other steps you might take following a personal data breach, because that wouldn’t be what you’re dealing with here.

People’s names and addresses are common examples of personal information, but the term covers any information that could identify someone, such as photographs, comments they’ve made or other records.

More info

If you don’t already have a list of the information that you process about people, including what was contained in any personal information that might have been breached, you need to create this straight away. This will help you understand how seriously the breach might affect people.

The type of personal information involved matters, because the way you assess the risk will vary widely depending on the situation. For example, if the breach involves the sensitive personal information of vulnerable people, or financial information that may lead to identity fraud, these are both likely to be high risk situations. You need to handle sensitive personal information with even more care than other types of personal information.

You should try to find out as much as you can about what information was involved in the data breach.   

More info

If someone has been sent the personal information in error, accessed it without your authorisation or it has been lost or stolen, then you face different levels of risks depending on who is involved.

For example, accidentally sending an email internally to the wrong department in your business is lower risk than sending the same email to an unknown person outside your business.

More info

Depending on what personal information you use, the people affected might include your customers, clients, service users, staff or shareholders.

For example, if a set of documents has been sent to the wrong address, you might immediately know they contain some personal information. However, you’re likely to need to investigate more before you can be certain what was in the documents and how many people will be affected.

Your initial investigation into the breach will be based on the information you currently have, but your risk assessment may change as you find out more information. 

More info

Every situation will be different, but there are a number of questions to ask yourself, such as:

• Are the people involved vulnerable adults or children?
• Is it likely the breach will put someone in an unsafe situation?
• Are people at risk of losing money, their job or their home as a result of the breach?
• Do you know how the breach will impact people’s health and wellbeing?

Thinking about the impact the breach will have on people can help you decide what to do to try and limit that impact and protect them from potential further harm.

More info

Common types of personal data breaches include:

• staff members inappropriately accessing personal information;
• staff taking personal information with them when they leave an organisation; security breaches or hacks of computer systems; and
• personal information being sent to the wrong person by mistake.

Some common types of risk are identify theft, discrimination and reputational damage to the people whose data has been breached.

You need to find out what has happened in your situation and decide if it was the result of human error, a system error, a deliberate or malicious act or something else.

There are steps that you can take to contain the breach and mitigate its impact, such as trying to retrieve the personal information, asking third parties to delete information that was sent to them in error or changing passwords. You should keep a record of the steps you’ve taken and include this as part of your risk assessment.

More info

Risk in personal data breaches means the risk to the people whose information may have been breached.

A risk assessment, in personal data breach terms, is where you think about how seriously you think people might be harmed and the probability of this happening.

Your risk assessment should take into account who might be affected, how many people might be affected and the ways it might affect them. There will always be other risks for you to consider, such as the risk to your reputation, or financial loss, but your first response should be to look at the risk to individuals and think about any steps you can take to reduce that risk or help them in some other way. 

Whether or not it’s a high-risk situation depends on what the personal information is and what could potentially happen with it. If you decide it’s unlikely there'll be a negative impact on those concerned, you might categorise it as low risk. However, if the potential consequences are very significant, you might consider the overall risk assessment to be high, even if it’s unlikely to happen. Follow our guide on what to do in the 72 hours after a personal data breach, which includes advice on letting people know about the breach.

In every situation, levels of risk can vary and your decisions might change as new information becomes available.

If you’re not sure what the risk is, contact us to talk through what has happened. We can help you make a decision and support you through the next steps.