Security incident in the protection of personal data
Personal data breach incident - how to handle it?
It is the fifth month since the new regulations on the protection of personal data come into force. The period of the media storm related to the GDPR is probably behind us. Slowly, everyone has adapted to the new regulations, completed the documentation, implemented appropriate procedures and are trying to implement them with more or less commitment. However, one of the most frequent dilemmas related to the protection of personal data is the handling of security breach incidents.
Where did the idea for incident handling come from?
Both the old Act on the Protection of Personal Data and the new provisions of the GDPR mention the need to keep a register of incidents and implement the process of their proper handling. Where do such requirements come from? It is probably a derivative of ISO standards, where such a register has a control function that allows to monitor and evaluate the effectiveness of the information security management system. The number and frequency of security incidents proves whether our data protection system is effective. It also allows you to verify whether the security measures introduced by us are effective, i.e. whether they cause the number of incidents to decrease.
What is a security incident?
An incident is any event that has resulted in or could have resulted in a breach of data security. Security is defined as the simultaneous fulfillment of three criteria: availability, confidentiality and integrity. Therefore, it is violated every time one of these three features is lost. For example, we lose confidentiality by accidentally disclosing data to unauthorized persons, we lose integrity by unauthorized modification of the collection or we lose availability by damaging it.
Is it easy to find an incident?
Using the definition from the previous point, it is not difficult to imagine situations in which the security of personal data is breached. Accidental sending of data to the wrong recipient, computer infection with malware or the theft of access data through phishing are situations that we encounter every day, and in mass quantities. And you can meet even several times in one day with cases of accidentally pasting a large list of e-mail recipients in the Cc (for message) field instead of Bcc (hidden for message). And here comes the question of what to do in such a situation. As a Data Administrator, are we obliged to record such a breach each time and to take further steps resulting from the provisions of the GDPR?
Under both the old and new regulations, an e-mail address, especially the one containing the first and last name, is treated as personal data, i.e. sufficient to uniquely identify a specific natural person. The collection of such data in any form (paper, electronic, distributed, decentralized) is treated as a collection of personal data and is subject to protection. Each administrator processing such a file must have a legal basis for this and take care of its security (confidentiality, integrity and availability). Therefore, the disclosure of even a single record, and especially the entire set of data to accidental persons, should be treated as a breach of confidentiality, i.e. a loss of security of the personal data set.
In accordance with the provisions of the GDPR, an incident in the form of a breach of personal data security, in addition to the mere entry in the register, depending on the circumstances requires, among others:
- Actions by the data controller to minimize the risk of losing the rights and freedoms of the data subjects
- Notifications of injured persons about the incident
- Notifications of the Personal Data Protection Office about the incident
How to assess the impact of such an incident on the persons whose data has been disclosed?
Unfortunately, there are no simple criteria to apply here. Depending on the circumstances, disclosing the list of e-mail recipients may be a minor leakage as well as a serious breach of sensitive data. For example, imagine a situation when a Social Welfare Center sends an e-mail to residents of a commune who use a specific help and mistakenly places all recipients in the public CC field. Each recipient receives a list of all residents of the commune suffering, for example, from alcoholism or struggling with financial problems. Information of this type constitute special categories of personal data that should be subject to the highest protection. Therefore, it cannot be automatically assumed that this type of data leakage is harmless and may not result in unpleasant consequences for the persons whose data has been disclosed. The recommended procedure in such situations is to use the assessment of the situation by the Data Protection Officer, who will be able to put himself in the place of the injured and predict the possible consequences of the violation. Consequently, the Data Controller should decide to take appropriate measures to mitigate the adverse effects of the leak. If a breach of data security has unpleasant consequences for the victims, and the administrator is not able to eliminate them with remedial actions, it is necessary to report the incident not only to the President of the Personal Data Protection Office, but also to the persons affected by the breach.
Conclusions
The process of handling personal data security incidents has certainly gained in importance thanks to the new regulations. The need to consider each incident individually and analyze its effects will probably also contribute to the fact that data controllers will more often think about the causes of incidents. This should result in taking better remedial actions, e.g. in the form of technical safeguards or dedicated employee training.