Mandatory reporting of security breaches on the way
Ireland’s Data Protection Commissioner has unveiled a new draft Code of Practice that sets out the reporting obligations of organisations in the event of a security breach and how they go about protecting private data.
The draft Code of Practice has been placed on the website of the Office of the Data Protection Commissioner and the commissioner has invited comments from members of the public and organisations.
The Data Protection Review Group, established by the Minister for Justice and Law Reform in 2008, considered, amongst other things, how to ensure that the reporting obligations of organisations in relation to data security breaches are sufficiently robust to protect the rights of data subjects.
The review group has voiced its opinion that disclosure of data breaches should be mandatory and failure to comply should result in a prosecution.
“I have sought to bring forward a draft code as quickly as possible after the review group report to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations,” said commissioner Billy Hawkes.
The draft code provides that all instances of the loss of personal data must be reported to the Office of the Data Protection Commissioner where it affects more than 100 people or where it involves any loss of sensitive personal data or personal financial data that could be used to carry out identity theft.
In situations where 100 or fewer individuals are affected, there will be no need to report to the office, provided that those individuals are fully informed by the organisation and no sensitive personal data or personal financial data that could be used to carry out identity theft is involved.