Theft or loss of personal data relating to more than 100 individuals would have to be reported to the Data Protection Commissioner under a draft code of practice outlined today.
The commissioner published a draft code in response to the recent recommendations of the Data Protection Review group established by Minister for Justice Dermot Ahern.
Data Protection Commissioner Billy Hawkes said he had sought to publish the draft as quickly as possible after the review group report “to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations”.
The code provides that all instances of the loss of personal data must be reported to the commissioner where it affects more than a hundred individuals or where it involves any loss of sensitive personal data or personal financial data that could be used to carry out identity theft.
It provides for an exception to this where the data can be considered inaccessible due to proper security.
In situations where 100 or fewer people are affected there will be no need to report to the commissioner’s office provided those individuals are fully informed by the organisation and no sensitive personal data or personal financial data that could be used to carry out identity theft is involved.
The Data Protection Review Group recommended that the reporting obligations of those who control personal data in relation to security breaches should be set out in a statutory code of practice.
It also recommended that failure to comply with the disclosure obligations could lead to prosecution by the commissioner.
Where a breach needs to be reported to the commissioner’s office under the code, this must be done within two working days of the data controller becoming aware of the incident.
The controller will have to provide a detailed report on the security breach, including on the amount and nature of the data that has been compromised, and will have to outline what action is being taken to limit "damage and distress". The organisation or individual will also have to issue a further report on the measures being taken to prevent repetition of the security breach.
The commissioner will investigate the issues surrounding the data breach and may use his legal powers to compel the data controller to take certain action to address it.
High-profile losses of personal data in recent years included the theft of a laptop with the unencrypted details of as many as 90,000 customers of Bord Gáis who had signed up for the company’s ‘Big Switch’ campaign.
The laptop was one of four stolen from Bord Gáis offices on Foley Street in Dublin’s north inner city in the early hours of June 5th last year.
Sensitive details relating to a social worker’s case notes on HSE patients was also contained on one of 15 laptops stolen in Co Roscommon last year.
Members of the public have been invited to make observations or submissions on the draft code before Friday, June 18th.
Full details have been published on the commissioner’s website at www.dataprotection.ie