New Data Security Breach Code Approved

September 1, 2010

The Data Protection Commissioner has adopted a new Personal Data Security Breach Code of Practice which addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration.

The Code focuses on minimising the risk of data security breaches and protecting those affected should such breaches occur. Data controllers are required to give immediate consideration to informing data subjects of any breaches that happen. Data processors must inform the relevant data controller as soon as they become aware of an incident.

In limited circumstances, companies are exempt from informing the Office of the Data Protection Commissioner (ODPC) that security breaches have occurred. These exemptions relate to the details of the breach itself, including the number of people affected and the nature of the data concerned.

The Code introduces a time frame within which security breaches involving personal data must be notified to the ODPC and outlines the ODPC’s powers to seek reports and investigate breaches where appropriate.

The Code does not yet have the force of law; this will occur if the Oireachtas is asked to approve the Code. Until then, the Code is the best practice approach recommended by the ODPC when data security breaches involving personal data occur.

The new Code comes at a time when data security remains a topical issue and data protection authorities continue to highlight the seriousness of failing to protect personal data. In the UK, Zurich Insurance recently received a record fine of £2,275,000 from the Financial Services Authority for failing to adequately protect its customers’ personal data.