The ICO Annual Report for 2016-17 has been published. Among the findings reported is the number of self-reported data protection incidents, broken down by sector.
The headline figures show a 31.5% increase in self-reported incidents – from 1,950 to 2,565 incidents.
The key word here: self.
Reporting of actual or suspected incidents to the ICO is currently not mandatory, except for NHS and Government organisations, so one might expect the figures for those sectors to be higher (indeed, they account for 53% of self-reported incidents).
Note: charities receiving NHS or other public sector funding will likely have contracts imposing the requirement for reporting incidents to the ICO, either directly or through the NHS Information Governance Incident Reporting Tool.
All charity Trustees have a duty to report serious incidents of regulatory non-compliance to the Charity Commission, as a requirement of charity law; this can include data protection breaches.
Rather than being alarming, it is actually encouraging to see the increase in self-reporting.
The Report does not detail the numbers of self-reported incidents which then resulted in a finding of non-compliance with the Data Protection Act; however, even if the majority of incidents were due to actual breaches of compliance, the fact that they were identified, recognised and reported is an indication that organisations are taking their responsibilities seriously.
It has been recognised by many within the information security industry that low volumes of incident reporting is more likely to be an indicator that risks (some of which may be quite serious) are going under the radar; however, high levels of reporting shows that there is a culture of awareness and diligence in which risks are likely to be proactively managed.
All change on 25th May 2018…
With the enforcement of the GDPR we can expect to see significant increases in reporting of actual or suspected incidents across all sectors.
This is because notification of “personal data breaches” “without undue delay” (and, where feasible, within three days of becoming aware of it)becomes a mandatory requirement for all Data Controllers (Article 33).
Breaches do not need to be reported if the Data Controller considers the breach as “unlikely to result in a risk to the rights and freedoms” of individuals.
Also, Data Controllers must “document any personal data breaches.”
And further, Data Controllers shall inform individuals directly, “without undue delay” if the breach “is likely to result in a high risk to the rights and freedoms” of the individuals (Article 34).
This does not need to happen if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach. For example, encryption was applied to electronic data.
Actions to take
1. Raise internal awareness
All staff need to know what a breach looks like, and; that breaches do not just mean the loss of data, but also (for example) unauthorised disclosure of (or access to) personal information.
2. Have clear reporting procedures
All staff need to know when to report a breach, to whom, and how – e.g. that as soon as there is a concern about a possible breach, it should be escalated internally; there must be clarity on who to report to (is it their line manager; a central number or email address) and what steps should be taken at each stage of the incident handling procedure.
This procedures must include a log of incidents that details the facts about the breach, its impact and the actions taken.
3. Have clear assessment and external reporting procedures
The staff allocated to handle incidents need to use consistent tools to assess the severity of breaches and to decide whether the incident must be reported to the ICO and/or the individuals affected, i.e. how is the assessment made of whether a breach is likely, or not, to result in a risk, or a high risk, to someone’s rights and freedoms?
4. Ensure you can prove that appropriate security was in place and working
When breaches do happen, it will be critical to quickly access evidence of the security in operation at the time, e.g. asset numbers of IT equipment and logs of the encryption in operation; copies of staff training records; copies of current policies and procedures and when they were signed off and agreed.
The ICO figures in 2018-2019 will therefore give a much clearer indication of the actual number of incidents in all sectors, and enable a fairer, more accurate comparison of the levels of data protection maturity across the public, private and voluntary sectors.
Prevention is better than cure…
Preventing serious data protection incidents is more critical than reporting them when they do occur. Although an organisation may recover from damage to their reputation or from regulatory penalties – and this can take considerable time – the effect on the individuals whose personal privacy has been affected may be more profound and long-lasting.
Clearly, it is better to make as much effort as possible to prevent and avoid incidents occurring in the first place through a combination of data protection-aware culture, strong governance, good policies, processes and effective technical controls.