Shakespeare’s King Henry probably didn’t have personal data breaches in mind when rallying his troops, but for schools and other organisations understanding the ICO’s reporting obligations in this area can feel like something of a battle.
As most schools will be aware, the General Data Protection Regulation (GDPR) introduced a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority, and in some cases to the affected individuals. The Regulation aims to focus the attention of organisations on the potential negative consequences of any breach for the individuals concerned, meaning breaches must always be approached on a case-by-case basis. In reality, a lack of clarity around what constitutes a reportable breach has led to chronic over-reporting, with the ICO revealing that almost a third of the reports it received last year were unnecessary.
In this article we seek to dispel some of the myths around data breaches, in particular in relation to identifying a personal data breach and knowing what to report and when.
- Myth no 1: a personal data breach is a breach of any aspect of data protection legislation
We tend to understand the word “breach” to mean any non-compliance. However, under the GDPR a breach is specifically defined as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. ‘Breach of security’ could encompass any failure in the ‘appropriate technical and organisational measures’. However, a breach of a principle, for example, keeping personal data for too long, would not amount to a personal data breach.
- Myth no 2: all personal data breaches must be reported to the ICO
You only have to report breaches to the ICO if there is a risk to the rights and freedoms of the individual. In assessing risk to rights and freedoms, it is important to focus on the potential negative consequences to individuals. This could include, for example, physical, material or non-material damage such as loss of confidentiality, damage to reputation or loss of control over personal data. Breaches that meet the threshold must be reported within 72 hours of becoming aware of the breach (including weekends and school holidays).
- Myth no 3: all personal data breaches must be reported to individual(s) affected
The bar for reporting to individuals affected is higher than for reporting to the ICO. There has to be a high risk to individuals and this will depend on the likelihood and severity of harm. The more sensitive the information, the more likely the breach will be reportable.
- Myth no 4: organisations need only keep records of breaches that are reported to individual(s) affected and/or the ICO
Schools should keep records of all data breaches, whether or not they are reported to the individuals affected and/or the ICO. The GDPR requires organisations to document the facts relating to the breach, its effects, and the remedial action taken. This is part of the overall obligation to comply with the accountability principle, and allows the ICO to verify compliance with notification duties.
Going through this process will mean that the likelihood of the same or a similar type of breach happening again is reduced, and the school will be able to show that it has acted appropriately in dealing with the incident.
Schools that are registered charities should also follow the same process when considering whether the breach amounts to a serious incident reportable to the Charity Commission.