A personal data breach occurs when the data is accessed, disclosed, altered, lost or destroyed in contravention of an organisation's obligation to keep personal data in its possession safe and secure.
As an employer, you have a duty to ensure the safety and integrity of the data you store and process on behalf of your employees and clients. If a data breach does occur, you may be under an obligation to notify the Data Protection Commission (DPC) within 72 hours.
In determining how serious the breach is for affected individuals, you should take into account the impact the breach could potentially have on the individuals whose data has been exposed. In assessing this potential impact, consider the nature of the breach, the cause of the breach, the type of data exposed and whether the personal data of vulnerable individuals has been exposed.
The risk levels are:
Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal
Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial
High Risk: The breach may have a considerable impact on affected individuals
Severe Risk: The breach may have a critical, extensive or dangerous impact on affected individuals.
If the risk is 'low', you may not be required to report the breach, but it may be advisable to contact your solicitor to determine whether communication with the DPC is required.
1.1. Do you know the date on which the breach initially occurred?
1.2. The date on which the breach began
1.3. Do you know the time at which the breach occurred?
1.4. Is the breach ongoing?
1.5. If you became aware of the breach more than 72 hours ago, please enter the reasons for the late notification of the breach to the Data Protection Commission
1.6. How were you made aware of the breach?
2.1. Does the Breach involve accidental or unlawful:
2.1.1. Destruction
2.1.2. Loss
2.1.3. Alteration
2.1.4. Disclosure of transmitted personal data
2.1.5. Disclosure of stored personal data
2.1.6. Disclosure of personal data otherwise processed
2.1.7. Access to transmitted personal data
2.1.8. Access to stored personal data
2.1.9. Access to personal data otherwise processed
2.1.10. Unavailability
2.2. What is the nature of the Breach:
2.2.1. Device Lost or Stolen (encrypted)
2.2.2. Device Lost or Stolen (unencrypted)
2.2.3. Paper lost/stolen
2.2.4. Disclosure (unauthorised)
2.2.5. Inappropriate disposal of paper
2.2.6. Hacking
2.2.7. Malware
2.2.8. Phishing
2.2.9. E-Waste (personal data present on obsolete device)
2.2.10. Unintended online publication
2.2.11. Network security compromised
2.2.12. Website security breach
2.2.13. Other
2.3. Please describe how the Breach occurred
2.4. Please select the cause of the Breach
2.4.1. Employee error or omission
2.4.2. Employee intentional act
2.4.3. Contractor error or omission
2.4.4. Contractor intentional act
2.4.5. External intentional act
2.4.6. External unintentional act
2.4.7. Unknown
3.1. What identifying details relating to individuals were disclosed?
3.1.1. Data subject identity (name, surname, date of birth)
3.1.2. PPSN (or other national identification number)
3.1.3. Contact details
3.1.4. Identification data (passport, licence data etc.)
3.1.5. Economic or Financial data
3.1.6. Location data
3.1.7. Criminal convictions, offences or security measures
3.1.8. Other
3.2. Were any special categories of data involved?
3.3. Do you know the number of affected individuals?
3.4. Please enter the approximate number of affected individuals
3.5. Do you know the number of affected records?
3.6. Please enter the approximate number of records affected
3.7. Are data subjects in another member state likely to be affected?
3.8. Were vulnerable individuals affected?
3.9. Does the breach involve personal data maintained for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in the State?
4.1. Measures in place before the Breach and measures to respond to the Breach
4.2. What measures have you taken / do you propose to take in response to the breach?
4.3. Are the mitigating actions fully implemented?
4.4. Have you secured/retrieved the breached data?
5.1. What in your view are the potential consequences of the breach for affected individuals?
5.1.1. Loss of control over their personal data
5.1.2. Limitation of their rights
5.1.3. Discrimination
5.1.4. Identity theft
5.1.5. Fraud
5.1.6. Financial loss
5.1.7. Unauthorised reversal of pseudonymisation
5.1.8. Damage to reputation
5.1.9. Loss of confidentiality of personal data protected by professional secrecy
5.1.10. Other
5.2. Self-Declaration: How severe is the breach for affected individuals?
5.2.1. Low Risk
5.2.2. Medium Risk
5.2.3. High Risk
5.2.4. Severe Risk
6.1. Have you notified the affected individuals of the Breach?
6.1.1. Yes
6.1.2. Partially
6.1.3. No
6.1.4. No, but the affected individuals will be notified
6.2. How many affected individuals were informed?
6.3. How were the affected individuals informed?
6.3.1. Formal letter
6.3.2. Email Message
6.3.3. Telephone call
6.3.4. Website notice
6.3.5. Social media notification
6.3.6. Press / media notification
6.3.7. Other
6.4. Please outline the reasons for using this channel
6.5. What information was communicated to the affected individuals? In particular, please indicate whether you have explained to affected individuals the steps they may take to mitigate any adverse consequences which have been caused, or could be caused, to them by this breach.
Crushell & Co have extensive experience in advising both employers and employees on all aspects of Irish data protection and privacy laws, including responding to potential data breaches.
We counsel clients on their rights and responsibilities under the data protection regulations, raising or responding to an access request, as well as raising or responding to a notification or complaint to the Data Protection Commission.
Speak to one of our Dublin based specialist data protection solicitors to determine how we can best assist you with your workplace data protection, privacy or GDPR matter.