By me, on the Mishcon de Reya website.
…a recent request to the ICO under the Freedom of Information Act 2000 (FOIA) has revealed that, from the available data, of the 21705 personal data breaches notified to the ICO since May 2018, 14,365 were notified within 72 hours, and 7340 were not – meaning that approximately one third of personal data breaches are reported later than within 72 hours
[EDITED TO ADD: since I wrote this piece, it appears that ICO has silently amended its guidance, so it no longers threatens regulatory action for over-reporting. For posterity’s sake, (and to show I wasn’t making it up) I provide this link to the archived page.]
Data protection practitioners (and many others) are well aware that a failure to comply with the general obligation on a controller to notify the Information Commissioner’s Office (ICO), in the event of a personal data breach, is an infringement of the General Data Protection Regulation (GDPR). What may be less known, however, is that making a notification, in circumstances where it wasn’t required, might also be an infringement, and might result in sanctions from the ICO. That, at least, appears to be the ICO’s own view of the law, when it says
Over reporting breaches which have not been appropriately risk assessed in terms of their impact on the data subject may be seen as evidence of failing to comply with the GDPR accountability principle. This can also result in regulatory action.
I don’t know about you, but I think that’s a pretty extraordinary statement.
Of course, controllers should assess whether, as an exception to the general obligation, they are not required to make a notification, on the grounds that the personal data breach (defined at Article 4(12) of GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) is unlikely to result in a risk to the rights and freedoms of natural persons. Such a risk assessment (because that’s what it is) will be, though, a nuanced challenge. What, after all, constitutes a likely “risk to the rights and freedoms of natural persons”? Although recital 85 to GDPR gives some clues, it still leaves much to be determined on the facts:
…physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Article 83 makes a failure to notify, in circumstances where one should notify, an infringement with a maximum administrative fine attached of €10m or 2% of global annual turnover (whichever is higher). Is it any surprise then, that some controllers might have taken what they thought to be a cautious, or precautionary, approach, and notified ICO of personal data breaches even when they weren’t sure it was necessary to do so?
Although the ICO has been suggesting for some time that controllers have been too keen to make personal data breach notifications, the web page in question appears to have only very recently been amended to say this (an archived version only from 31 May 2020 lacks the wording). And it seems to me a little bit mean-spirited (and potentially confusing to some controllers) to start threatening the use of sanctions against those who are making a regulatory notification in good faith.
In fact, I’m not at all sure that – as ICO suggests – it is potentially an infringement of the Article 5(2) obligation (by which a controller shall be responsible for, and be able to demonstrate compliance with, the Article 5(1) principles) to make a notification without properly assessing risk. And to say that it is such an infringement, is – I submit – stretching the accountability principle further than, in other circumstances, ICO would expect it to be stretched.
And don’t start thinking about whether an excessive notification of a personal data breach is a personal data breach which requires notification. That way madness (or is it Wilmslow?) lies.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Failure to notify the ICO in a timely manner of a personal data breach under PECR carries a £1000 fixed penalty notice – why not something similar under wider data protection law?
When the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) were amended in 2011 to implement the Citizens’ Rights Directive, an obligation was placed upon providers of a public electronic communications service (“service providers”) to notify personal data breaches to the Information Commissioner’s Office (ICO) “without undue delay”, and in 2013 article 2(2) of European Commission Regulation 611/2013 provided , in terms, that “without undue delay” would mean “no later than 24 hours after the detection of the personal data breach, where feasible”. The 2011 amendment regulations also gave the ICO the power to serve a fixed penalty notice of £1000 on a service provider which failed to comply with notification obligations.
Thus it was that in 2016 both EE and Talk Talk were served with such penalties, with the latter subsequently unsuccessfully appealing to the Information Tribunal, and thus it was that, last week, SSE Energy Supply were served with one. The SSE notice is interesting reading – the personal data breach in question (defined in amended regulation 2 of PECR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”) consisted solely of the sending of one customer email (containing name and account number) to the wrong email address, and it appears that it was reported to the ICO two days after SSE realised (so, effectively, 24 hours too late). If this appears harsh, it is worth noting that the ICO has discretion over whether to impose the penalty or not, and, in determining that she should, the Commissioner took into account a pour encourager les autres argument that
the underlying objective in imposing a monetary penalty is to promote compliance with PECR. The requirement to notify…provides an important opportunity…to assess whether a service provider is complying with its obligations under PECR…A monetary penalty in this case would act as a general encouragement towards compliance…
As any fule kno, the looming General Data Protection Regulation (“GDPR”) expands to all data controllers this obligation to notify the ICO of qualifying personal data breaches. Under GDPR the definition is broadly similar to that in PECR (“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) and a breach qualifies for the notification requirements in all cases unless it is “unlikely to result in a risk to the rights and freedoms of natural persons”. Under GDPR, the window for notification is 72 hours.
But under GDPR, and under the Data Protection Bill currently in Parliament, there is no provision for similar fixed penalty notices for notification failures (although, of course, a failure to notify a breach could constitute a general infringement under article 83, attracting a theoretical non-fixed maximum fine of €10m or 2% of global annual turnover). Is Parliament missing a trick here? If the objective of the PECR fixed penalty notice is to promote compliance with PECR, then why not a similar fixed penalty notice to promote compliance with wider data protection legislation? In 2016/17 the ICO received 1005 notifications by service providers of PECR breaches (up 63% on the previous year) and analysing/investigating these will be no small task. The figure under GDPR will no doubt be much higher, but that is surely not a reason not to provide for a punitive fixed penalty scheme for those who fail to comply with the notification requirements (given what the underlying objective of notification is)?
I would be interested to know if anyone is aware of discussions on this, and whether, as it reaches the Commons, there is any prospect of the Data Protection Bill changing to incorporate fixed penalties for notification failures.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Everyone knows the concept of ambulance chasers – personal injury lawyers who seek out victims of accidents or negligence to help/persuade the latter to make compensation claims. With today’s judgment in the Court of Appeal in the case of Vidal-Hall & Ors v Google [2015] EWCA Civ 311 one wonders if we will start to see data protection ambulance chasers, arriving at the scene of serious “data breaches” with their business cards.
This is because the Court has made a definitive ruling on the issue, discussed several times previously on this blog, of whether compensation can be claimed under the Data Protection Act 1998 (DPA) in circumstances where a data subject has suffered distress but no tangible, pecuniary damage. Section 13 of the DPA provides that
(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a)the individual also suffers damage by reason of the contravention
This differs from the wording of the European Data Protection Directive 95/46/ec, which, at Article 23(1) says
Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered
It can be seen that, in the domestic statutory scheme “distress” is distinct from “damage”, but in the Directive, there is just a single category of “damage”. The position until relatively recently, following Johnson v Medical Defence Union [2007] EWCA Civ 262, had been that it meant pecuniary damage, and this in turn meant, as Buxton LJ said in that case, that “section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered”. So, absent pecuniary damage, no compensation for distress was available (except in certain specific circumstances involving processing of personal data for journalistic, literary or artistic purposes). But, this, said Lord Dyson and Lady Justice Sharp, in a joint judgment, was wrong, and, in any case, they were not bound by Johnson because the relevant remarks in that case were in fact obiter. In fact, they said, section 13(2) DPA was incompatible with Article 23 of the Directive:
What is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA
As Christopher Knight says, in a characteristically fine and exuberant piece on the Panopticon blog, “And thus, section 13(2) was no more”.
And this means a few things. It certainly means that it will be much easier for an aggrieved data subject to bring a claim for compensation against a data controller which has contravened its obligations under the DPA in circumstances where there is little, or no, tangible or pecuniary damage, but only distress. It also means that we may well start to see the rise of data protection ambulance chasers – the DPA may not give rise to massive settlements, but it is a relatively easy claim to make – a contravention is often effectively a matter of fact, or is found to be such by the Information Commissioner, or is conceded/admitted by the data controller – and there is the prospect of group litigation (in 2013 Islington Council settled claims brought jointly by fourteen claimants following disclosure of their personal data to unauthorised third parties – the settlement totalled £43,000).
I mentioned in that last paragraph that data controller sometimes concede or admit to contraventions of their obligations under the DPA. Indeed, they are expected to by the Information Commissioner, and the draft European General Data Protection Regulation proposes to make it mandatory to do so, and to inform data subjects. And this is where I wonder if we might see another effect of the Vidal-Hall case – if data controller know that by owning up to contraventions they may be exposing themselves to multiple legal claims for distress compensation, they (or their shareholders, or insurers) may start to question why they should do this. Breach notification may be seen as even more of a risky exercise than it is now.
There are other interesting aspects to the Vidal-Hall case – misuse of private information is, indeed, a tort, allowing service of the claims against Google outside jurisdiction, and there are profound issues regarding the definition of personal data which are undecided and, if they go to trial, will be extremely important – but the disapplying of section 13(2) DPA looks likely to have profound effects for data controllers, for data subjects, for lawyers and for the landscape of data protection litigation in this country.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
If the Information Commissioner (IC) reasonably requires any information for the purpose of determining whether a data controller has complied or is complying with the data protection principles, section 43 of the Data Protection Act 1998 (DPA) empowers him to serve a notice on the data controller requiring it to furnish him with specified information relating to compliance with the principles. In short, he may serve an “information notice” on the data controller which requires the latter to assist him by providing relevant information. A data controller has a right of appeal, to the First-tier Tribunal (Information Rights) (FTT), under section 48 DPA.
These provisions have recently come into play in an appeal by Medway Council of an IC Information Notice. That it did not go well for the former is probably rather understating it.
It appears that, back in 2012, Medway had a couple of incidents in which sensitive personal data, in the form of special educational needs documents, was sent in error to the wrong addresses. Medway clearly identified these as serious incidents, and reported themselves to the IC’s Office. By way of part-explanation for one of incidents (in which information was sent to an old address of one of the intended recipients), they pointed to “a flaw in the computer software used”. Because of this explanation (which was “maintained in detail both in writing and orally”) the ICO formed a preliminary view that there had been a serious contravention of the seventh data protection principle (which is, let us remind ourselves “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”). Moreover, the ICO served a Notice of Intent to serve a Monetary Penalty Notice (MPN). Upon receipt of this, it appears that Medway changed their explanation and said that the incident in question was a result of human error and that there was “no evidence of a ‘system glitch’”. It appears, however, that the ICO was concerned about discrepancies, and insufficient explanation of the change of position, and served a section 43 information notice requiring Medway to “provide a full explanation of how the security breach on 10 December 2012 occurred”. This was the notice appealed to the FTT.
However, during the FTT proceedings a third explanation for the incidents emerged, which seemed to combine elements of human error and system glitches. This was, observed the FTT, most unsatisfactory, saying, at paragraphs 28 and 29:
not only is this a third explanation of the breach but it is inconsistent with the other 2 explanations and is internally incoherent… The Tribunal is satisfied that there is still no reliable, clear or sufficiently detailed explanation of the incident to enable the Commissioner to be satisfied of:
a) what went wrong and why,
b) whether there was any prior knowledge of the potential for this problem,
c) what if any procedures were in place to avoid this type of problem at the relevant date,
d) why the Commissioner and the Tribunal have been provided with so many inaccurate and inconsistent accounts.
But even more ominously (paragraph 30)
The evidence provided to the Commissioner and the Tribunal has been inconsistent and unreliable and the Tribunal agrees with the Commissioner that it is reasonable that he should utilize a mechanism that enables him to call the Council to account if they recklessly [make] a statement which is false in a material respect in light of the various contradictory and conflicting assertions made by the Council thus far
The words in italics are from section 47(2)(b) DPA, and relate to the potential criminal offence of recklessly making a material false statement in purported compliance with an information notice.
Finally, Medway’s conduct of the appeal itself came in for criticism: inappropriate, inconsistent and insufficient redactions were made in some materials submitted, and some evidence was sent in with no explanation of source, date or significance.
It is rare that information notices are required – most data controllers will comply willingly with an ICO investigation. It is even more rare that one is appealed, and maybe Medway’s recent experience shows why it’s not necessarily a good idea to do so. Medway may rather regret their public-spirited willingness to own up to the ICO in the first place.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
Last weekend I noticed some tweets from the ever-vigilant Dissent Doe. She said
I’ve spent 5 min on NHS’s web site and still can’t figure out how/where to report or question an IT security issue. Anyone?…It’s 2015. It really shouldn’t be so hard to find a contact email to use to notify an entity of a security breach or vulnerability…So I finally said, “screw this waste of my time,” and emailed @ICOnews to alert them and ask them to pass the notification to
#NHS
Knowing that she wouldn’t tweet this without good reason I made contact, and she referred me to a list of what looked like serious data security vulnerabilities on a range of NHS websites. The list had been posted openly on the internet by a well-known hacker (for obvious reasons I won’t link to it).
In response, I contacted an NHS Information Governance professional, who quickly pointed me towards the IG Alliance. I sent emails to two people, but have not yet had a reply. I even tweeted Tim Kelsey, the NHS’s National Director for Patients and Information, but he didn’t reply. Eventually, a contact managed to contact someone else (I’m being deliberately vague) and I have some reassurance that action will now be taken.
But when I told Dissent Doe this, earlier today (06.02.15) she, although pleased at that outcome, expressed surprise that she had not heard anything from the Information Commissioner’s Office (ICO), whom she had alerted last Sunday. I told her that this had been my, and others’, experience when reporting serious concerns about data protection and data security. The ICO is tremendously over-stretched, and can’t immediately respond to all queries and concerns raised, but there is a community of knowledgeable and dedicated professionals who can help. One of the ICO’s main regulatory roles is, after all
to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers
Indeed, I’ve written on the subject before, and suggested this
I think the ICO should consider operating a priority alert system when well-informed third-parties alert them to exposures of personal data. They certainly shouldn’t leave those third parties to do in-depth investigation.
I didn’t get a comment from the ICO when I wrote that previous post, but I also didn’t ask them for one. This time I will, and I’ll report back on what their response is.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
I think the ICO should consider operating a priority alert system when well-informed third-parties alert them to exposures of personal data. They certainly shouldn’t leave those third parties to do in-depth investigation.
My attention was recently drawn to the existence of sensitive personal data being made available online. Google’s bots are brute things, and will effectively cache anything they can, such as data exposed by an unsecured ftp server, and that is what appears to have happened in this case. I looked at the names of the files and folders exposed, and I felt very uncomfortable. I don’t want to see this information, and the people involved certainly wouldn’t want me to. Furthermore, neither would the data controller – a voluntary service organisation. And section 55 of the Data Protection Act 1998 (DPA) creates, in terms, an offence of obtaining personal data knowingly, without the consent of the data controller. Admittedly, if one does so and it is justified as in the public interest, then the elements of the offence are not made out, but my feeling was very much that, having seen very briefly the extent of the inadvertent exposure, I should go so far, and no further.
But what to do then? The short answer, is, to alert the data controller and refer the matter to the Information Commissioner’s Office (ICO). The ICO’s duties are to regulate and enforce the DPA, and promote the following of good practice by data controllers. Although their website is predicated on the basis that a person reporting a concern will have a direct interest in the situation, it is still possible to report a third party concern. However, when I recently reported the fact that a local authority was exposing huge amounts of personal data as open data, firstly, the case officer could not understand why the data in question allowed individuals to be identified, and secondly, asked me to explain why, by providing screenshots. (I should add that I never received a reply from the local authority.) And I know of two other people who have been asked by the ICO to provide specific and detailed examples, such as screenshots, of exposed personal data. The problem with this is that it is dragging concerned third parties directly into potential illegality: taking and emailing screenshots of personal data is processing, without the consent of the data controller, and will (or should) involve encryption (although the ICO doesn’t appear to offer this to third parties) and issues about retention. I’m not suggesting that people will be prosecuted for doing a beneficial civic act, but it is far from ideal.
As always, I understand and accept that the ICO is woefully underfunded. They can only afford to pay new case officers about £4.5k above the annual minimum wage, but I do think they should have a system in place for people to report serious exposures of personal data, and for these reports to be treated and investigated with some urgency. In my recent “open data” case, I didn’t receive any acknowledgment of receipt of my concerns (other than an automated one indicating my email had been received) and the case officer, when I did get a reply, rather impatiently explained that their service standards mean “that if you have reported a concern to us you can expect to receive a response within 30 days”. But I noted that the MS Word doc. that was sent to me was called “ICO to DS raising concerns”. I presume “DS” means “data subject”, but, of course, that is not what I was in this case. A data subject raising concerns is, in the vast majority of cases, not going to be reporting the public exposure of large amounts of sensitive personal data (most often they will be complaining about a discrete incident involving their own data).
I have spoken to people who have reported what were quite clearly horrendous exposures of personal data, but by the time the ICO looked at the case the problem had either been rectified by the data controller, or, for instance, the Google cache links had expired. Of course, that is good on one view, but when it comes to the ICO’s regulatory role, it effectively means that delays in considering these reports allow evidence of serious contraventions by data controllers to be erased.
Almost a year ago I was alerted to a horrendous exposure of highly sensitive personal data (I understand that, again, an unsecured ftp server was to blame). And I remember the frustration and consternation that I and others felt at the apparent delay by Newcastle Citizen’s Advice Bureau in getting the data removed from the web. I’m rather amazed we never heard anything from the ICO about that incident – did they complete their investigation? did they take action? if not, how on earth did the CAB manage to persuade them there wasn’t a serious DPA contravention warranting enforcement action? And, as far as I know, the CAB branch never acknowledged what had happened, nor apologised for it, nor thanked those who had alerted them to the situation.
There are many expert and well-informed people who are prepared to alert data controllers and the ICO to potentially harmful exposures of personal data. Could there not be some sort of priority alert system? (If necessary, it could be through some sort of “trusted third-party” list.) If data controllers, but particularly if the ICO, are not willing to embrace the sort of public-spiritedness which identifies and alerts them to exposures of personal data, then it’s a poor lookout for data subjects.
Filed under Breach Notification, Data Protection, Information Commissioner
The Information Commissioner’s Office (ICO) has “sounded the alarm” to the legal profession regarding breaches of the Data Protection Act 1998 (DPA). In a press release today it says it is
warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession
Fifteen incidents (which, of course, are not in themselves, breaches of the DPA) involving members of the legal profession have been reported to the ICO in the last three months, and the release goes on to point out that
The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach
This of course is shorthand for what enforcement of the DPA really entails. Solicitors and barristers will often be data controllers pursuant to section 1(1) of the DPA (but not always – in-house lawyers are employees, and their employer will generally be the relevant data controller) and as such they will have an obligation under section 4(4) DPA to comply with the data protection principles of Schedule One. The seventh principle requires a data controller to take
Appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
and this is what the ICO refers to (or should refer to) when it talks about a “data breach”: a data security incident (such as loss of files) might occur as a result of a seventh principle breach, but, equally, it might not (I blogged at length on this distinction previously).
Nonetheless, the ICO will often give a shot across the bows of a particular group or industry, prior to taking formal enforcement action, such as the serving of monetary penalty notices, to a maximum of £500,000. The likelihood of any individual barrister or solicitor or any but the very largest firms getting such a large penalty is very very low (the ICO’s own rules state that he must take into account the impact on a data controller of a penalty). That said, all lawyers would do well to check their compliance with the DPA, and with their information security obligations.
Anyone who’s worked for a large organisation is likely to be familiar with the situation when someone mistakenly sends an email to everyone who works there. Replies – to all – start straight away: “Hi, I don’t know what this means?” “Hi, nor me” “Hi, I don’t think you meant to send this to me” “Nor me” “Hi everyone, please don’t ‘reply to all'” “Hi, you just did the same thing!!!” “Stop replying to all!” “You too!!!” “AAAAGGGHHHH!!!” etc etc, until eventually it settles down.
And then two weeks later someone comes back from leave and replies to all “Hi, I don’t know what this means”…
I imagine the frustration felt by fellow employees in those circumstances doesn’t begin to equate to that felt by some Virgin Media customers, if stories about an incident yesterday are correct. As The Register reports
The broadband biz emailed Brits using its virgin.net email service, which is provided by Google, to warn them of some forthcoming changes…But any email replies to that message were sent to everyone on the mailing list: the email address the update was sent from acted as a conduit to the full list of virgin.net customers. This not only spewed hundreds of extra missives into inboxes, it also shared the senders’ email addresses with everyone on the list
And the BBC says
Some people reported receiving hundreds of emails, including spam messages and light-hearted exchanges between other customers.
I’ve added the emphasis there, to highlight how excruciatingly annoying it must have been to be on the receiving end of hundreds of light-hearted messages like “I don’t know why you’re emailing me” “Stop replying to all!!!” “You’re doing it too LOL!!” ad nauseum.
Virgin Media have apologised, and tell customers that the issue is now resolved
A small proportion of our customers have received an email from one of our suppliers which, if they reply-all, it is sent to a wider group…We are confident that this issue has now been resolved, the problem stopped and further messages prevented.
I’ve just got a couple of observations to make. One is that “a small proportion of our customers” does not necessarily mean a small number, and while this is not quite a simple “reply to all” issue (it seems that the mailing list was wrongly configured) it clearly caused considerable disruption for those affected. And if Wikipedia is correct Virgin Media has several million customers – a “small proportion” of those could well number the 130,000-odd that some news outlets are claiming were affected. And the other observation is that as far as I can see Virgin Media don’t say whether they have informed the Information Commissioner, who will, no doubt, be wanting to ask some questions to establish whether this incident was as a result of a serious contravention of the data controller’s obligations under the Data Protection Act 1998. After all it only takes one careless individual to send a wrongly-addressed email, but it might point to information security failings if a mailing list is wrongly configured.
Filed under Breach Notification, Data Protection, Information Commissioner
Yesterday’s data breach involving Morrisons supermarket and its staff payroll illustrates how difficult it is properly to handle such incidents, and perhaps provides some learning points for the future. But also raises issues about what is a “data breach”
What do we mean by “data breach”, “personal data breach”, “data security breach” etc?
The draft European General Data Protection Regulation (GDPR), which continues to slouch its way towards implementation, says in its current form that
In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority [and]
When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay
“without undue delay” is, by virtue of (current) recital 67, said to be “not later than 72 hours” (in the original draft it was “where feasible, within 24 hours”). However “personal data breach” is not defined – it is suggested rather that the proposed European Data Protection Board will set guidelines etc for determining what a “breach” is.What is not clear to me is whether a “breach” is to be construed as “a breach of the data controller’s legal obligations under this Regulation”, or, more generally, “a breach of data security”. Certainly under the current domestic scheme there is, I would argue, confusion about this. A “breach of data security” is not necessarily equivalent to a breach of the Data Protection Act 1998 (DPA). To give a ludicrous example: if a gunman holds a person hostage, and demands that they unencrypt swathes of personal data from a computer system and give it to them, then it is hard to see that the data controller has breached the DPA, which requires only that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (which clearly cannot be construed as an unlimited obligation) but there has most certainly been a breach of data security.
It is unclear whether Morrisons chose to inform the Information Commissioner (ICO) about their incident, but the wording they’ve used to describe it suggests they are seeing this not as a breach of their obligations under the DPA, but as a potentially criminal act of which they were the victim: on their Facebook page they describe it as an “illegal theft of data” and that they are liaising with “the police and highest level of cyber crime authorities” (a doughnut to anyone who can explain to me what the latter is, by the way). If an offence has been committed under section 55 of the DPA (or possibly under the Computer Misuse Act 1990) there is a possible argument that the data controller is not at fault (although sometimes the two can go together – as I discuss in a recent post). Morrisons make no mention of the ICO, although I have no doubt that they (ICO) will now be aware and making enquiries. And, if Morrisons’ initial assessment was that they hadn’t breached the DPA (i.e. that they had taken the appropriate technical and organisational measures to mean they were not in breach of the seventh DPA principle), they might quite understandably argue that there was no need to inform the ICO, who, after all, regulates only compliance with the DPA and not broader issues around security breaches. There was certainly no legal obligation under current law for Morrisons to self-notify. Plenty of data controllers do, often ones in the public sector (the NHS Information Governance toolkit even automatically delivers a message to the ICO if an NHS data controller records a qualifying incident) but even the ICO’s guidance is unclear as to the circumstances which would trigger the need to self-notify. Their guidance is called “Notification of data security breaches to the ICO” but in the overview at the very start of that guidance it says
Report serious breaches of the seventh principle
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service
The people whose data was apparently compromised in the Morrisons “breach” were its staff – it was payroll information which was allegedly stolen and misused. It appears that Morrisons emailed those staff with internal email addresses (how many checkout staff and shelf-stackers have one of those?) and then, as any modern, forward-thinking organisation might, it posted a message on its Facebook page.However, I really wonder about that as a strategy. The comments on that Facebook page seem to be threatening to turn the incident into a personnel, and public communications disaster, with many people saying they had heard nothing until they read the message. Moreover, one wonders to what extent some staff might have been misled, or have misled themselves, into assuming that the comments they were posting were on some closed forum or network. As was suggested to me on twitter yesterday, some of the comments look to be career-limiting ones, but by engaging on its social media platform, might Morrisons be seen to have encouraged that sort of robust response from employees?
Much of this still has to play out – notably whether there was any contravention of the DPA by Morrisons – but, in a week when their financial performance came under close scrutiny, their PR handling of this “data breach” will also be looked at very closely by other data controllers for lessons in case they are ever faced with a similar situation.
