Charities and internal investigations
The Information Commissioner’s recently published Annual Report for 2017/18 reveals a substantial (29%) increase in the number of self-reported data breaches. Given that the GDPR introduced mandatory reporting of serious breaches, the 2018/19 Annual Report can be expected to show an even greater increase.
The Data Protection Act 1998 did not include any mandatory obligation to self-report data breaches, although the ICO, through its guidance, encouraged the reporting of serious breaches of data security, and, as a matter of Government policy, certain public bodies were required to self-report material breaches of security.
The unsurprising outcome of this, as shown by the 2017/18 Annual Report, is that the leading areas for self-reports were in the public sector: the health sector came “top” (with 36% of the total of 3,156 reports), followed by education (11%).
The Annual Report also revealed some detail of the outcomes of the self-reports: in just over 60% of cases there was “no action” for the reporting data controller, and in the remainder some form of action was required; but it is striking that the most serious sanction, a monetary penalty, was pursued in only 0.3% of cases.
The GDPR has transformed the landscape, introducing an obligation on all data controllers, under Article 33, to self-report data breaches unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons” (Article 34 also introduces an obligation to report data breaches to data subjects, but with a higher threshold for reporting: if the breach “is likely to result in a high risk to the rights and freedoms of others”).
“Unlikely to result in a risk to the rights and freedoms of natural persons” will not always be an easy test for a data controller to apply in practice when faced with a breach, and the decision to report has to be made quickly (without “undue delay and, where feasible, not later than 72 hours” after having become aware of the breach). Data controllers can get some assistance from the recitals to the GDPR, in particular recital 85, which highlights some of the different ways in which data breaches can lead to ‘damage’; in addition, the Article 29 Working Party has published guidance on the subject. The ICO has not yet published specific guidance, but has a short section on the obligation to report within its “Guide to GDPR for Organisations”. This emphasises the need to focus on the possible negative consequences for individuals and gives just one example of when to report and one example of when not to report: “The theft of a customer database, the data of which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals who could suffer financial loss or other consequences. On the other hand, you would not normally need to notify the ICO, for example, about the loss or inappropriate alteration of a staff telephone list.”
The introduction of mandatory reporting will undoubtedly lead to a very considerable increase in the number of reports received by the ICO. For data controllers, it will not always be straightforward to know when to report – in many instances, the severity of impact is likely to fall somewhere on the spectrum between the report and non-report examples given by the ICO – and it will be important not to get the decision wrong. A failure to report in an appropriate case will in itself be a breach of the GDPR, potentially leading to action by the ICO, but may also lead the ICO to give enhanced scrutiny to the underlying breach.
Should you need legal advice or assistance in this area, please contact our data protection team.