06 July 2010 by Simon O’Neill
The Data Protection Commissioner has published a draft Data Security Breach Code of Practice for public consultation in response to a recommendation in the recently published report of the Data Protection Review Group.The Commissioner has invited comments and observations in relation to the draft code from members of the public and organisations.
The Data Protection Review Group issued a report recommending that, “The reporting obligations of data controllers in relation to data breaches should be set out in a statutory Code of Practice as provided for under the Data Protection Acts. The Code, broadly based on the current guidelines from the DPC, should set out the circumstances in which disclosure of data breaches is mandatory. Failure to comply with the disclosure obligations of the Code could lead to prosecution by the DPC.”
The draft Code provides that all instances of the loss of personal data (except where the data can be considered inaccessible due to proper security) must be reported to the Office of the Data Protection Commissioner where it affects more than a hundred individuals or where it involves any loss of sensitive personal data or personal financial data that could be used to carry out identity theft.
In situations where one hundred or less individuals are affected there will be no need to report to the Office provided that those individuals are fully informed by the organisation and no sensitive personal data or personal financial data that could be used to carry out identity theft is involved.
Click on the link to the draft Code of Practice
