DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON THE NOTIFICATION OF SECURITY BREACHES TO THE DATA PROTECTION COMMISSIONER GD20


DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON THE NOTIFICATION OF SECURITY BREACHES TO THE DATA PROTECTION COMMISSIONER

Introduction

All data controllers have a responsibility under the Data Protection (Jersey) Law 2005 (DP(J)L) to ensure appropriate and proportionate security of the personal data they hold (DP(J)L 2005, 7th Principle).

Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Data Protection Commissioner believes serious breaches should be brought to the attention of her Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DP(J)L.

Serious breaches are not defined. However, the following should assist data controllers in considering whether breaches should be reported:

The potential harm to data subjects

The potential harm to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the Data Protection Commissioner's Office. Ways in which harm can occur include:

- exposure to identity theft through the release of non-public identifiers, e.g. passport number
- information about the private aspects of a person's life becoming known to others, e.g. financial circumstances

The extent of harm, which can include distress, is dependent on both the volume of personal data involved and the sensitivity of the data.

Where there is significant actual or potential harm as a result of the breach, whether because of the volume of data, its sensitivity or a combination of the two, there should be a presumption to report. Where there is little risk that individuals would suffer significant harm, for example because a stolen laptop is properly encrypted, or the information that is the subject of the breach is publicly available information, there is no need to report.

The volume of personal data lost/released/corrupted

There should be a presumption to report to the Data Protection Commissioner where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm. It is difficult to be precise about what constitutes a large volume of personal data. Every case must be considered on its own merits, but a reasonable rule of thumb is any collection containing information about 1000 or more individuals.

An example we would expect to be reported would be the theft / loss of an unencrypted laptop computer or other unencrypted portable electronic / digital media holding names and addresses, dates of birth and Social Security Numbers of 1000 individuals. An example we would not expect to be reported would be the theft / loss of a marketing list of 500 names and addresses or other contact details where there is no particular sensitivity to the product being marketed.

However, it may be appropriate to report much lower volumes in some circumstances where the risk is particularly high, perhaps because of the circumstances of the loss or the extent of information about each individual. If the data controller is unsure whether to report or not, then the presumption should be to report.
The sensitivity of the data lost/released/unlawfully corrupted

There should be a presumption to report to the Data Protection Commissioner where smaller amounts of personal data are involved, the release of which could cause a significant risk of individuals suffering substantial harm. This is most likely to be the case where that data is sensitive personal data as defined in Article 2 of the DP(J)L. As few as 10 records could be the trigger if the information is particularly sensitive.

An example we would expect to be reported would be a manual paper-based filing system (or unencrypted digital media) holding the personal data relating to 50 named individuals and their financial records. An example we would not expect to be reported would be a similar system holding the trade union subscription records of the same number of individuals where there were no special circumstances surrounding the loss.

Reporting

Serious breaches should be notified to the Data Protection Commissioner's Office by email using the address dataprotection@gov.je, or by post to our office address: Morier House, Halkett Place, St Helier, Jersey JE1 1DD.

The notification should include:

- The type of information and number of records
- The circumstances of the loss / release / corruption
- Action taken to minimise / mitigate the effect on the individuals involved, including whether they have been informed
- Details of how the breach is being investigated
- Whether any other regulatory body has been informed and their response
- Remedial action taken to prevent future occurrence
- Any other information you feel may assist us in making an assessment

Guidance on how to manage a data security breach can be found here:

What will the Data Protection Commissioner do when a breach is reported?

The nature and seriousness of the breach and the adequacy of any remedial action will be assessed and a course of action determined. We may:

- Record the breach and take no further action
- Investigate the circumstances of the breach and any remedial action, which could lead to:
  1) no further action
  2) a requirement on the data controller to undertake a course of action to prevent further breaches (formal undertaking)
  3) formal enforcement action turning such a requirement into a legal obligation

Where a breach has been voluntarily reported to the Data Protection Commissioner, we will take this into consideration when deciding on the most appropriate course of action.

Will a reported breach be made public?

We do not see it as our responsibility to publicise security breaches not already in the public domain or to inform any individuals affected. In so far as they arise, these are the responsibilities of the data controller. However, the Data Protection Commissioner may recommend that the data controller make a breach public where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so.

Where the Data Protection Commissioner takes regulatory action, it is policy to publicise such action, unless there are exceptional reasons not to do so. This policy on publication extends to any formal undertakings provided to the Commissioner by a data controller. However, the Commissioner will not normally take regulatory action unless a data controller declines to take any recommended action, she has other reasons to doubt future compliance or there is a need to provide reassurance to the public. Such a need is most likely to arise where the circumstances of the breach are already in the public domain.

Further information on the Data Protection Commissioner's regulatory action strategy can be found here:
http://www.dataprotection.gov.je/nr/rdonlyres/dab889f1-8b37-47ca-8053-1B25ACB5ADA9/0/DataProtectionRegulatoryActionPolicy.pdf

Further information on the Data Protection Commissioner's communication of enforcement activities can be found here:
http://www.dataprotection.gov.je/nr/rdonlyres/1a6ddf6a-26fc-497a-ADA7-72169AA9F6FD/0/CommunicatingEnforcementActivities.pdf

CONTACT THE COMMISSIONER:

Enquiries and Publication Requests:
T: 01534 441064
F: 01534 441065
E-Mail: dataprotection@gov.je
W: www.dataprotection.gov.je

Office of the Data Protection Commissioner
Morier House
Halkett Place
St. Helier
Jersey JE1 1DD