When do we need to tell individuals about a breach?
Informing affected individuals of a personal data breach provides those individuals with an opportunity to take steps to protect themselves that a controller may not be able to take. As such, informing affected individuals may be an important first step in containing and mitigating any risk to the individual.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, then you must inform those affected as soon as possible. Controllers will need to undertake an assessment of the severity of the potential or actual impact of the breach upon affected individuals and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher.
A hospital suffers a breach resulting in the unintentional disclosure of patient records. Given the potential for confidential medical details becoming known to others and the significant impact upon the affected individuals, this is likely to result in a high risk to the affected individuals and, as such, they must be informed of the breach.
A member of staff accidentally deletes the record of past pupil contact details for a school. The details are later re-created from a backup. This is unlikely to result in a high risk to the rights and freedoms of those individuals and, as such, there is no obligation to inform individuals of the breach.
If the Commissioner considers that there is a high risk to an individual then a controller will be required to inform affected individuals.
What information must be provided to individuals?
A controller must describe, in clear and plain language, the nature of the personal data breach and provide:
- the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.