The Irish Data Protection Commission Widens the Definition of “Personal Data Breach,” as Well as the Approach to Timely Notification

April.14.2022

On 14 March 2022 the Data Protection Commission of Ireland (DPC) handed down a decision in respect of 22 personal data breach notifications made by the Bank of Ireland Group Plc (BOI) between November 2018 and June 2019. The personal data breaches included incidences of unauthorised disclosure of customer personal data to the Irish Central Credit Register, in addition to occasions of accidental alteration of customer personal data.

The DPC imposed administrative fines totalling €463,000 ($504,000) and ordered BOI to make certain changes to its technical and organisational measures to enhance the security of its processing compliance under Article 32(1) of the General Data Protection Regulation (GDPR). However, the interesting points of note relate to the scope of the definition of a personal data breach, as well as the approach to timely notification.

Context

The personal data breaches arose from unauthorised and/or inaccurate disclosures of customer personal data to the Central Credit Register by BOI across an eight-month period. The Central Credit Register is used to generate independent credit reports on borrowers to assist financial institutions in assessing whether a loan should be provided. Seven of the incidents also involved transfer of data to the now-defunct Irish Credit Bureau. The DPC considered four issues:

  • Preliminary Issue: whether the incidents described in the breach notifications fell within the definition of personal data breaches under Article 4(12) GDPR;
  • Issue 1: Whether BOI infringed Article 33 GDPR (personal data breach reporting to the regulator);
  • Issue 2: Whether BOI infringed Article 34 GDPR (personal data breach reporting to data subjects); and
  • Issue 3: Whether BOI infringed Article 32 GDPR (technical and security measures).

Preliminary Issue

The DPC confirmed that 19 of the 22 reported incidents met the definition of “personal data breach” under Article 4(12) GDPR. As a reminder, the definition of “personal data breach” is: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Whilst unauthorised disclosure is more likely to be considered a “security breach leading to” a personal data breach, the DPC appears to have afforded a much wider approach to the not‑often‑considered part of the definition, alteration of personal data. The DPC confirmed that the definition of “security measures” under Article 32(1) GDPR included the ability to ensure the ongoing integrity of processing systems and services in addition to the ability to restore the availability of personal data in the event of a technical incident. Therefore, according to the DPC, a “breach of security”is not limited to a technical incident or unauthorised disclosure of personal data and can include internal processing operations that result in the accidental and unlawful alteration of personal data [6.9].

It is also worth noting that the DPC acknowledges that the existence of a personal data breach is not conclusive that there has been an infringement of any provisions of GDPR [6.10]. Whilst a personal data breach triggers notification obligations for controllers, it does not automatically confirm that the GDPR has been breached.

Other Issues

  1. When considering the application of Article 33 GDPR (notification of the personal data breach to a supervisory authority), the DPC referred to Recital 85 stating that:

    A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons.

    The DPC then referred to controller “awareness,” as discussed in the EDPB Breach Notification Guidelines, emphasising that an organisation should have measures in place to facilitate awareness in a timely manner. A number of the reported incidents were notified outside of the prescribed 72 hours on the basis of the event being “under investigation.” The DPC also stated in some cases that some incidents were undetected for “an inordinate amount of time” (sometimes over a year) resulting in an unacceptable delay in notification [7.55].

  2. In line with the assessment of Article 34 GDPR, the DPC also held in some cases that BOI failed to notify data subjects of an incident without undue delay. In relation to some incidents, the DPC specifically found that a delay in notification may have resulted in data subjects being unable to take mitigating steps to protect themselves. In some instances, notification to data subjects took six months from the point at which BOI decided that it would notify those individuals.

  3. The DPC also held that BOI infringed the Article 32(1) GDPR requirement to implement appropriate technical and security measures. This infringement included a failure to have a clear procedure to ensure compliance with Article 34 GDPR, the failure to have an error management procedure in place at the time of the incidents (which has now been rectified) and that a lack of subject matter experts at the organisation resulted in the poor deployment of technical measures.

Comment

The DPC’s decision highlights the focus on integrity of data that is shared between organisations, especially given the risk of harm to data subjects if that information is incorrect. Effectively, if data is altered as it moves through an organisation’s process, then it may amount to a personal data breach. An interesting point for further consideration is when the DPC would consider an organisation becomes aware of such a personal data breach: is it at the point when the inaccuracy is identified, or the point when the organisation identifies that a process has altered the accuracy of such data? This is not clear from the DPC’s decision in this case.

The United Kingdom Information Commissioner’s Office recently determined that having a written cybersecurity policy in place does not automatically negate the risk of a contravention of the GDPR; the DPC’s decision appears to follow the same line. Whether it is a security feature, a privacy policy or a ‘safe’ transfer mechanism, if personal data can still be impacted through data theft or inadvertent alteration, then organisations will still be at risk of a reprimand under the GDPR no matter how good the theoretical process. The integrity and accuracy of data is not only key for commercial relationships. In the eyes of the regulators, the accuracy of data is of paramount importance for data subjects too.

The decision also highlights the need to adhere to the GDPR’s notification structure as much as possible. If an organisation determines that there may be a high risk to data subjects, then it must notify them in a timely manner and not after a substantial period. The DPC’s decision often refers to the recitals of the GDPR containing the reasoning behind some provisions including the purpose of data subject notification, which is to allow data subjects to take steps in mitigation. Organisations need to be cognizant that they are unlikely to be able to excuse away lengthy notification timelines; as was the case here, such an approach may be deemed unacceptable by the supervisory authority.