New guidance on data security breaches

The Office of the Data Protection Commissioner (ODPC) has issued new guidance on how businesses should deal with security breaches involving personal data. The number of reported high profile data security incidents both in Ireland and internationally has dramatically increased in recent years.

All businesses are obliged by law to put in place appropriate technical and organisational security measures against unauthorised access to or accidental loss of personal data.

Current legislation does not require data controllers to notify the ODPC of security breaches. However, the new guidance issued on 14 April 2009 recommends that businesses contact the ODPC immediately once it becomes apparent that personal data have been compromised. The guidelines also set out some of the additional measures that the ODPC may recommend or require depending on the circumstances of each case. These include the preparation of detailed incident reports, site inspections by the ODPC and the reporting of incidents to the individuals whose personal data have been compromised.

There is growing momentum in Ireland and within the EU for the introduction of a mandatory reporting regime for security breaches. The Opposition proposed a Private Members' Bill in October 2008 to introduce compulsory reporting of breaches of data security to the ODPC. The Government has also established a Data Protection Review Group to consider whether legislation needs to be amended to deal with breaches of data security and whether mandatory reporting and penalties should be introduced. The latest guidance from the ODPC is described as being “interim” in nature pending the findings of the Data Protection Review Group.

At an EU level, the European Commission has published a proposal for a mandatory reporting system obliging network and internet service providers to report data security breaches resulting in personal data being lost or compromised. The European Parliament has proposed that consumers should also be notified of security breaches by online businesses such as banks, retailers and pharmacies.

Prevention is always better than cure. As such, all businesses, whether data controllers or data processors, should audit their data security arrangements and seek advice on implementing appropriate measures to prevent the loss of the employee, customer and/or supplier data they hold.