Personal data breaches: What to do when they happen
Picture source: https://www.tripwire.com/state-of-security/cost-data-breach-key-takeaways

Context

This article is based on personal experience and the simple position that incidents will just happen, no matter what you put in place! As a subject for discussion it was inspired by Barry Moult, although the work is the author's own.

Every Data Protection Officer knows (and quakes!) at the scenario! It’s 4.45 on a Friday afternoon and you’re looking forward to clocking off and driving to the airport after work to fly to Benidorm for a fortnight’s holiday. And the phone rings. A member of the public has found hundreds of sheets of paper with your company logo and clients’ personal information sitting in a box in a layby, and lots more is blowing around in the street.

Or one of a million different, but equally serious, personal data breach scenarios, and there are many, as we have seen over the summer of 2023. One of the most serious has been the mass breach of personal data regarding staff of the Police Service of Northern Ireland, that with other contributing factors, has resulted in the Force’s Chief Constable being forced to resign.

The UK General Data Protection Regulation (GDPR) defines personal data breaches at Article 4(12) as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

This article is not going to deconstruct that definition, taking it as read, with the presumption that ‘controllers’, exercising their appropriate DPO and governance processes, ‘shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’, as at Article 33(1).

When the Information Commissioner’s Office (ICO) becomes involved in the investigation of a personal data breach, or incident, another key GDPR principle comes into play: that of accountability, the new addition to Data Protection law when the UK GDPR was initially issued as the EU GDPR in 2016.

Accountability states, at Article 5(2), that ‘the controller shall be responsible for, and be able to demonstrate compliance with [the six data protection principles]’:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality

Effectively this is saying that organisations must be able to demonstrate their compliance with the whole of the GDPR (and there are tumultuous amounts of information on how to do this elsewhere, but GDPR for Dummies by Suzanne Dibble LLB CIPP/E and The Ultimate GDPR Practitioner's Guide (2nd Ed.) by Stephen M. are great resources).

The need to demonstrate accountability is never more apparent than when a personal data breach occurs; the ICO will want to know both:

a. How you prepared the organisation to prevent incidents occurring, and

b. When it happened, whether you responded in a planned, appropriate and proportionate manner.

Ten Steps

Years of experience in responding to personal data breaches, and in the ICO’s investigation of them, have shown that you can start your own investigation even before the ICO begins asking you questions following your report of the breach. Below is a structure by which you can do this.

Historically the ICO would come to organisations asking 20, sometimes 30 questions, and it is from these that this structure is distilled. More recent experience, however, is that they ask far fewer questions. Nevertheless, following these steps will help you get the answers you need for the ICO.

1. Write a detailed description of the incident
   - Dates
   - Times
   - Personnel involved
   - Equipment involved
   - Brief descriptions of the data concerned
   - How processes have gone wrong
   - What the data was being used for
   - What the legal basis for its use was
   - Where the data has ended up
   - Whether there has been inappropriate access to the data
   - The frequency with which the breach has occurred

2. Document any immediate action taken
   - Actions taken locally by individuals to attempt to remedy/contain the situation
   - Actions taken within the department where the breach occurred
   - Actions taken on a broader scale by the organisation
   - Reports that have been made to external agencies such as the police, social services or other regulators

3. Give full details of the data concerned
   - If a spreadsheet has been emailed to an inappropriate person, list out all of the fields of the spreadsheet and how many data subjects (i.e. clients or staff) it concerned
   - If documents have gone missing, explain what the documents were, how they were stored / transferred, how sensitive the information in them was and how many there were

4. Explain the level of the data subjects’ awareness
   - Whether the data subjects were aware that their information was being used in the way it was, such as through leaflets or privacy notices
   - Whether they have been informed it has gone missing

5. Describe any existing controls in place
   - An explanation of the content of the Data Protection / Information Governance training in place that the personnel involved did (or should) have attended, covering the process they were undertaking when the breach occurred
   - The frequency with which the organisation and/or their department mandates that this training is completed
   - The dates the personnel involved in the breach completed the training
   - A list of the Data Protection / Information Governance policies, procedures and other guidance that are in place
   - How these are communicated to the personnel involved
   - Whether there are physical controls in place, such as fences or keypad doors, and how they operated in this scenario

6. Explain how controls have been breached
   - Explain whether the DPO, line manager, Senior Information Risk Owner or other senior roles believe there has been a breach of any of the controls

7. Describe any amendments to controls that have been implemented in response to the incident
   - Explain what amendments to existing controls have been made following the incident, if any

8. Assess the likelihood of future similar breaches
   - Based on the investigation, along with analysis of other Data Protection incidents, explain whether you consider there is a likelihood of similar future breaches

9. Undertake a Root Cause Analysis
   - Explain what the root cause of the incident is (more on this below)

10. Explain the methodology you have used
   - Names and job titles of individuals interviewed
   - System audit reports run
   - Evidence reviewed

You must be prepared, upon request, to supply evidence to the ICO for its investigation, which may include, but is not limited to, training reports, training materials, statements and policies – indeed anything covered by your investigation, and potentially beyond.


Root cause analysis – using the “five whys”

Referring to No. 9 of the previous section, this is not simply a question of what you think is the root cause of an incident. It is best to go through a process to get to that answer. If, for example, you use the process called the five whys, it allows you to get to the bottom of why something has happened. It consists of a series of questions asking “why?”. Often you don’t need to ask “why?” as many as five times before it becomes apparent that you have reached the root cause.

Using a more puerile example than a personal data breach, consider the scenario of why you arrived late at work this morning:

  • Why did I arrive late for work this morning? Because my alarm on my mobile did not go off.
  • Why did my alarm not go off? Because I didn’t set it.
  • Why didn’t I set my alarm? Because I left my phone in the cab on the way home.
  • Why did I leave my phone in the cab? Because I was drunk and dropped it.

The root cause, in this scenario, for my being late for work is that I went out last night and got drunk, which impaired me in various ways.

A word of caution here: do not take things too far. Using the historical theory of causation as an example, it would be taking it some way too far to suggest that Nicolas-Joseph Cugnot is responsible for me being run over by a car by virtue of his having created the first automobile back in the eighteenth century!

Even in the scenario above you could ask why I got drunk and give the answer that it’s because I went out for a friend’s birthday. But, again, that probably takes it just a little too far. Balance and a common-sense application is what’s required.

(Other means of getting to a root cause are available, such as the “fishbone” diagram.)


Responding to the ICO

When the ICO contacts you following your reporting of an incident to them, it is generally best to keep things simple and to answer the questions they have asked very precisely. Often this is simply in the form of an email from the domain of the data controller, most likely from the DPO.

This simple email could include:

  • A summary of the incident as your investigation has demonstrated it occurred (based on No. 1 of the 10 steps).
  • The responses to the questions the ICO has asked, set out in a table as in the sample below. The questions there are real questions the ICO has asked.

Avoiding any defensiveness is also important.

[Image: Sample style of response to personal data breach queries from the Information Commissioner's Office.]


Closing thoughts

If data controllers answer ICO investigations with this clarity, having undertaken a full investigation of their own, and can clearly demonstrate that they had robust Data Protection procedures in place and responded appropriately when the incident occurred, the ICO will likely come back with the response “no further action at this time”.

And everyone breathes a sigh of relief.

Stephen M.

Check out my latest book: "Managing Subject Access Requests" now available in all good book stores

1 year

Big fan of the 5-Whys method and my son is a big fan of the extended 200-Whys edition. Thanks also for the mention!

Suzanne Dibble LLB CIPP/E

Founder and CEO of Legal Buddy | Author of GDPR for Dummies | Winner of the Piccaso Europe Privacy Author Award | helped 50k+ small businesses to legally protect themselves | Speaker | Media Commentator

1 year

Thanks for the mention!

More articles by Andrew Harvey LLM FIRMS