The Office of the Data Protection Authority (ODPA) has published its latest breach statistics with twenty-seven personal data breaches reported during January and February 2022.
Breach incidents during January-February included: detailed data about a client’s financial status being sent to another client (breach reported from within the legal sector); a form including a named patient’s medical history and clinical data posted to the wrong patient (breach reported from within the health sector); and documents relating to the identity of individuals in a business transaction sent to the incorrect recipient – including: passport details, utility bills, bank details, photo IDs, and signatures (breach reported from within the finance sector).
Examples like this show that data breaches are not a matter of random information being sent to the wrong person, but private, often sensitive, personal data being compromised. Breaches, how ever they are caused, can result in information about a living person being: accessed inappropriately; altered inappropriately; destroyed inappropriately; disclosed inappropriately; lost; or made unavailable.
These incidents have the potential to significantly impact the lives of the people whose data has been mishandled, and in extreme cases can lead to direct harm. It is challenging to measure data harms but statistics can assist us in seeing the types of issues that occur, and learn from them to assist organisations in preventing recurrence by raising awareness levels and providing practical guidance.
The Bailiwick’s Data Protection Commissioner, Emma Martins commented on the role of data breach reporting:
“Breach reporting is only one strand of our regulatory activities but it plays an important role in supporting better awareness and engagement of risks and how to mitigate them. As we get more experience dealing with the reports that come to us, we are constantly reviewing how we can improve and add value to the process, always mindful that behind each data breach there are one or more affected individuals. It is in all our interests to be open about, and learn from these incidents and I also want to acknowledge the positive manner in which our local community continues to engage with their duties in this respect.”
On 1 January 2022, the ODPA introduced an improvement to its breach reporting system so that any organisations reporting a breach can now specify both how it happened (i.e. the circumstances that led to the breach occurring) and what the outcome was (e.g. accidental disclosure of personal data).
This change addresses the complexity of circumstances surrounding incidents where personal data is compromised and allows the person reporting the breach to provide greater clarity into the reasons why a breach occurred and what impact it may have had (or has had).
The ODPA will continue publishing anonymised statistics of the breach reports it receives from the regulated community, every two months, so that everyone can apply any lessons learned. These are the first breach statistics published that reflect the changes described above and cover the period 1 January – 28 February. More information about the changes are covered in the ODPA’s latest podcast ‘Data Breaches - more than just a number’ which can be accessed via