When is a breach a breach?
Over the five years of working with barristers and chambers on all aspects of data protection and the GDPR, one of the most frequently asked questions is "what is a breach?" This is usually followed by a suggested scenario, a strictly hypothetical one of course! Most seem shocked by the extent of what constitutes a data breach so it may be useful to explore this further here.
What constitutes a data breach?
You have to be able to recognise a breach in order to deal with one properly. Article 4(12) of the GDPR defines a "personal data breach" as:
"a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"
Under GDPR, data controllers and processors must comply with this fundamental principle:
"using appropriate technical and organisational measures, personal data shall be processed in a manner to ensure the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage."
It is worth reiterating that the GDPR only applies where there is a breach of personal data. Not all security incidents are necessarily personal data breaches. This is one of the reasons why barristers and chambers are being urged to review their systems, policies and working practices now. Consider the difference if a burglary occurred in chambers or at home where all devices are encrypted, offices are secured, a clear desk policy is followed and papers are stored in locked cabinets.
What should I do if a breach happens?
Even when all reasonable steps have been taken to prevent a breach, one may nonetheless occur, and the ability to react in a timely manner is then critical. The GDPR makes notification to the Information Commissioner mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Given the type of personal and sensitive information held by barristers, a breach is likely to have adverse effects such as the potential for identity theft or fraud, damage to reputation or social disadvantage, and would therefore constitute a risk to the rights of individuals.
Regardless of whether a data breach was due to the barrister or the chambers, the barrister must notify the Information Commissioner's Office within 72 hours. There is no expectation that all details relating to the breach will be available or known, but the key is to register the breach within the timeframe. Any undue delay may give rise to an investigation.
Although barristers have overall responsibility for the protection of data, chambers have an important role to play in helping barristers comply with their obligations. If chambers become aware of a breach, they must inform the barrister(s) without undue delay. Furthermore, if the barrister has given authorisation, chambers could initiate the notification on their behalf. Given the interdependencies, it is vitally important that the data processing agreement is clear on these matters.
Whilst we much prefer being engaged as a proactive step towards compliance, there are unfortunately times when our help is needed to manage a data breach or to navigate a client through an ICO investigation. Contrary to what may be believed, the focus of the notification is to encourage controllers to act promptly, to contain a breach, to recover the compromised data and to seek relevant advice. In our experience to date, not all notifications result in punitive action. The risk of failing to notify, and of the ICO becoming aware of the breach by other means, is too great to contemplate.
Briefed can help barristers and chambers with GDPR compliance; we also offer a range of online training and compliance tools.