Personal Data Security Breach Code of Practice


On 7 July 2010 the Data Protection Commissioner (“DPC”) approved a personal data security breach Code of Practice to help organisations to react appropriately when they become aware of breaches of security. The DPC has also published a Guidance Note to accompany the Code of Practice which helpfully explains how the terms of the Code should be applied.

The Code addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration. The Code emphasises the need to focus on the rights of the affected data subjects where their personal data has been put at risk. It sets out what the obligations for data controllers and data processors are in those situations.

The Code currently does not have force of law but it does reflect best practices as recommended by the DPC. If the Code is approved by the Houses of the Oireachtas, it will then have legislative effect.

The key obligations set out in the Code are:

  • When a security breach incident occurs, the data controller must give immediate consideration to informing the affected data subjects.

  • If appropriate, the data controller should also notify organisations that may be in a position to assist in protecting data subjects, such as An Garda Siochana, financial institutions, IT experts etc.

  • The data controller may conclude that there is no risk to the data and therefore no need to inform the data subjects if the data concerned is protected by technological measures (such as encryption) that make the data unintelligible.

  • A data processor must report all incidents of loss of control of personal data to the data controller as soon as they become aware of the incident.

  • All incidents of personal data security breach must be reported to the DPC except where (i) the incident has been reported to the affected data subjects and (ii) the incident affects no more than 100 data subjects and (iii) it does not include any sensitive personal data or personal data of a financial nature.

  • The data controller must report the incident to the DPC within two working days of becoming aware of the incident. The DPC will then decide whether a detailed report and/or subsequent investigation are needed.

  • If a report is required, the data controller should consider the inclusion of the following elements:

    • the amount and nature of the personal data that has been compromised;
    • the action being taken to secure and/or recover the personal data that has been compromised;
    • the action being taken to inform those affected by the incident or reason for the decision not to do so;
    • the action being taken to limit damage or distress to those affected by the incident;
    • a chronology of the events leading up to the loss of control of the personal data; and
    • the measures being taken to prevent repetition of the incident.

  • The DPC may investigate the circumstances surrounding the incident which may include on-site examinations of systems and procedures and could lead to a recommendation to inform data subjects about a security breach where a data controller has not already done so.

  • Even in cases where no notification is made to the DPC, the data controller should keep a record of each incident of a personal data security breach, including an explanation of why the data controller did not consider it necessary to inform the DPC.

Sabrina Burke
sburke@hayes-solicitors.ie