Lost or destroyed information

Lost or destroyed information is described as a data security breach under the Data Protection Act 1998. The seventh data protection principle says that

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This means that your employer must have appropriate security to prevent the personal data from being accidentally or deliberately compromised.

Your employer must:

  • design and organise information security to fit the nature of the personal data held and the harm that may result from a security breach;
  • be clear about who in the organisation is responsible for ensuring information security;
  • make sure the right physical and technical security is used, backed up by robust policies and procedures and by reliable, well-trained staff; and
  • be ready to respond to any breach of security swiftly and effectively.

The ICO has a Security breach notification form for reporting breaches.

The ICO's Guidance on data security breach management explains how information security breaches can occur and how data controllers can deal with them. It says that organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. Many organisations take the view that one of those measures should be the adoption of a policy on dealing with a data security breach.

A data security breach can happen for a number of reasons:

  • Loss or theft of data or equipment on which data is stored
  • Inappropriate access controls allowing unauthorised use
  • Equipment failure
  • Human error
  • Unforeseen circumstances such as a fire or flood
  • Hacking attack
  • ‘Blagging’ offences where information is obtained by deceiving the organisation which holds it.

No matter how a breach occurs, the ICO recommends that an employer should carry out these four actions in response:

  1. Containment and recovery
  2. Assessment of ongoing risk
  3. Notification of breach
  4. Evaluation and response

Under Regulation 5A of the Privacy and Electronic Communications (EC Directive) Regulations 2003, only providers of public electronic communications services are legally required to notify the ICO of breaches of security that result in the loss, release or corruption of personal data; for any other data controller there is no such legal requirement. Even so, the ICO says that serious breaches should be brought to its attention.

What are serious breaches?

'Serious breaches' are not defined, but the following factors should be taken into account in deciding whether a breach should be reported:

  • where there is significant actual or potential harm, the breach should be reported;
  • where the breach involves a large volume of personal data and there is a real risk of individuals suffering some harm; and
  • where the data is sensitive.

The ICO gives the following examples:

  • theft or loss of an unencrypted laptop holding the names, addresses, dates of birth and NI numbers of 100 individuals is reportable;
  • theft or loss of a marketing list of 100 names and addresses, where there is no particular sensitivity in the product being marketed, is not reportable.
