It is unrealistic to expect people to never make mistakes; however, the Bailiwick's Data Protection Commissioner has said organisations must learn from those mistakes if people's behaviour is going to change.
48 data breaches were reported to the Office of the Data Protection Authority (ODPA) in the final two months of 2019, of which 39 were due to human error.
Emma Martins said information sent via email or post to the wrong person has been the most common type of data breach reported since statutory reporting requirements came into effect.
"These latest figures again illustrate how important it is for us all, whatever our role, to understand data protection as something more than an IT issue," she said. "We must focus on ensuring individuals' rights are respected while also recognising the impact of human error when using personal data."
The ODPA has recently been focussing on the role of human error in its events programme to help organisations and individuals understand and respond to the risks.
"It is unrealistic to expect people to never make any mistakes," said Mrs Martins, "but we can positively influence attitude and a culture in organisations where mistakes are learnt from, behaviours change as a result and the risk of future harm is reduced.
"We do not seek a culture of blame, rather we seek a culture of improvement."
The remaining self-reported breaches for the two-month period up to 28 December fell into the mislaid data, criminal, hacking, unauthorised access and unauthorised disclosure categories.
Pictured: The Data Protection Authority website has a lot of information for the public to use.
What is a breach?
A personal data breach is defined by law as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".
There will likely be a breach whenever any personal data is accidentally lost, corrupted or disclosed, or if someone accesses it or passes it on without authorisation to do so.
However, organisations do not have to report an incident that meets the above criteria if it is 'unlikely' to result in a risk to the 'significant interests' of any person whose data has been affected. It can be difficult, and sometimes inappropriate, for organisations themselves to judge what is a risk to a person's significant interests, so the ODPA encourages all incidents to be reported.
What qualifies as a significant interest?
A person's 'significant interests' are defined in the law as any aspect of their life that could be put at risk due to their personal data being breached. This could include someone's physical safety, their reputation, or any other data that puts someone at risk of identity theft, fraud, financial loss, psychological distress or humiliation.
Pictured top: Data Protection Commissioner Emma Martins.