Tusla, the Child and Family Agency, recently became the first organisation in Ireland to be fined for a data breach under the GDPR. The Irish Data Protection Commission (DPC) fined Tusla €75,000 following its investigation into three data breaches where information concerning children was disclosed to unauthorised parties.
The DPC later fined Tusla €40,000 when a letter containing details on allegations of abuse was sent to the wrong recipient and the information was then published on social media. It is not clear if the second fine is part of, or in addition to, Tusla's first fine but the DPC will clarify the issue when it publishes its report.
Inquiries made by the DPC found that Tusla had infringed the GDPR in a number of ways by:
- disclosing the identify of a data subject to third parties (the breach itself)
- failing to notify the DPC of the breach without undue delay (infringing Article 33(1) of the GDPR)
- failing to implement organisational measures appropriate to the risk (as required under Article 32(1) of the GDPR), and
- failing to appropriately redact materials in contravention of Article 32(1) of the GDPR
Tusla is reflecting on the decision and has a month to lodge an appeal.
These fines should act as a warning to businesses of the importance of compliance with the data protection laws. It also sends a clear message that the DPC will exercise its enforcement powers where necessary, which can result in significant financial penalties and reputational harm for businesses.
What is a personal data breach?
Article 4(12) of the GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Data breaches can be deliberate, like a cyber-criminal hacking into a system and stealing personal data, or accidental, such as an employee sending an email to the wrong person.
The DPC can impose significant administrative fines for breaches of the GDPR. The severity of a fine depends on the specific data protection obligation breached. Fines can be up to 4% of annual global turnover of the preceding financial year or €20 million, whichever is greater.
Data security procedures
Anyone handling personal data has a responsibility to maintain its confidentiality, integrity and availability. A business should not collect and store unnecessary data and should delete data as soon as it is no longer needed.
Generally, a business must consider information and physical security in terms of:
- risk analysis
- access controls
- security of IT equipment
- data backup and restoration
- organisational policies, internal training and periodic checks
The Data Protection Acts and the GDPR do not detail specific security measures beyond implementing data protection by design and having in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing whether this second requirement has been met, the DPC will take into account things like the technology currently available to businesses, the costs of implementation in the context of what is appropriate to the controller's circumstances, and any risk the processing presents, for example, if it contains special category data.
Reducing the risk when sending correspondence
In addition to the above general security guidelines, when sending correspondence containing personal data, businesses should ensure staff adhere to the following steps to minimise the risk of data breaches occurring:
- double check that the letter or email is addressed to the correct recipient
- satisfy self that the recipient is a trustworthy individual and is entitled to receive the personal data in question
- if sending sensitive or high volumes of data, ensure files attached to an email or included on portable storage drives are password protected. The password must not be communicated to the recipient in the same correspondence. Some businesses also require two-factor authentication to add an extra layer of security
- consider if protection measures such as redaction, encryption or pseudonymisation are appropriate
If a data breach occurs
The GDPR contains strict rules about reporting personal data breaches that controllers and processors must comply with.
Notifying the DPC
If a breach occurs, the controller must notify the DPC without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The only exception to the obligation to report a breach is if the controller assesses the risk and can show that the breach is unlikely to result in a risk to the rights and freedoms of affected individuals.
If the controller is not able to notify the breach to the DPC within this 72 hour window, it must provide the DPC with a reason for the delay. It is also permissible for the controller to file an initial notification and provide further information to the DPC in phases as long as this is done without undue delay and the controller can provide the DPC with reasons for the delay.
In line with the GDPR principle of accountability, a controller must maintain its own written records of all breaches of the GDPR, even for breaches that it doesn't notify to the DPC or the individuals concerned. A controller should record how and when it became aware of a breach, how it assessed the potential risk, the effects of the breach and the steps taken in response. It will have to provide these records to the DPC on request.
A controller can use its own template breach notification form or use the form on the DPC's website. A breach notification form should set out:
- the nature of the breach, the categories and numbers of data subjects and personal records concerned
- the name and contact details of the controller's DPO or other point of contact
- the possible effects of the breach
- the steps taken or proposed to be taken to deal with the breach and any measures that might mitigate the effects of the breach
- how and when the controller became aware of a breach
Notifying the data subject
In addition to notifying the DPC, a controller must, without undue delay, inform the data subject of the breach if the breach is likely to result in a high risk of adversely affecting the data subject's rights and freedoms. This notification helps the data subject to take the necessary precautions.
A breach notification to an individual should in plain language describe:
- the nature of the breach
- recommendations as to how the data subject can mitigate the effects of the breach
- the contact details of the controller's DPO
- a description of the likely consequences of the breach, and
- steps taken or proposed to be taken by the controller to address the breach
In certain limited circumstances the controller does not need to notify the data subject of a breach that is likely to result in a high risk. This includes, for example, if the affected data was encrypted or if the controller has taken subsequent steps to ensure that the high risk to the data subject's rights and freedoms is no longer likely to arise.
If notifying data subjects of a breach would involve disproportionate effort, then the controller can make the information available to individuals in another, equally effective way, such as a public communication.
Controllers are free to communicate other personal data breaches to data subjects if it is appropriate to do so in the context of the particular breach.
A processor processing personal data on behalf of a controller must notify the controller without undue delay after becoming aware of a personal data breach. This is important to facilitate the controller complying with its own breach notification obligations. The parties should document this obligation in the data processing agreement between the controller and the processor.
Tusla's recent fines should serve as a warning to businesses of the importance of compliance with data protection rules and the reputational harm that can result from non-compliance. The DPC has shown that it is willing to exercise its enforcement powers and fine organisations for not following the data protection rules.
While cyber-crime and ransomware often steal the headlines, many data breaches are self-inflicted and are contributed to by human error. Even the best technical and organisational security on paper are no good if they are not implemented consistently.
Businesses need to be vigilant when handling personal data. It is important they take appropriate preventative steps and understand their obligations on detecting, investigating and reporting personal data breaches. Best practice is to put in place strict access controls across the business, secure IT equipment, provide regular internal training to staff on data handling practices, and conduct periodic checks and audits. Anticipating that breaches can happen, savvy businesses will also implement risk assessment measures, maintain a data breach register, and ensure staff are aware of and follow the organisation's standard operating procedure for data breach prevention and response.
You can read the DPC's Guidance Note: A Practical Guide to Personal Data Breach Notifications under the GDPR here.
Originally published by Mason Hayes, July 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.