Do I need to report a data breach to the ICO during the coronavirus (COVID-19) epidemic?

This Q&A considers whether commercial organisations are obliged to comply with GDPR personal data breach reporting requirements during the coronavirus (COVID-19) epidemic.

Legal requirements

You must notify the ICO of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it. The only exception is where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. This means you will need to make a preliminary assessment of the severity of the data breach before deciding whether to notify.

This approach is endorsed in WP 29, Guidelines on Personal data breach notification:

‘After first being informed of a potential breach…or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period of investigation the controller may not be regarded as “being aware”. However, it is expected that the initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow.’

Where the ICO notification is not made within 72 hours, you must give reasons for the delay.

Reports are made via the ICO’s Report a breach page. This includes information about reporting the breach by telephone and/or using an online Personal data breach reporting form.

Your report must include the:

• nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned

• name and contact details of the data protection officer or other contact point where more information can be obtained

• likely consequences of the personal data breach

• measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effect

Where you cannot provide the required information within 72 hours, the GDPR allows this to be provided in phases ‘without undue further delay’.

You should therefore consider notifying the ICO of the breach when you become aware of it, and submit further information as soon as possible. If you know you won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to the ICO, stating when you expect to submit more information—and the reason for the delay, particularly if this is related to coronavirus.

For more guidance, see Practice Note: GDPR compliance—managing personal data breaches—Notifying the ICO.

ICO guidance

The ICO acknowledges that the coronavirus public health emergency means organisations are facing staff and operating capacity shortages, together with acute pressures on their finances and cash flows. The ICO further states that, as a public authority, it must act in a manner which takes these circumstances into account and it:

• recognises the current reduction in organisations’ resources could impact their ability to comply with aspects of the law

• will focus its efforts on the most serious challenges and greatest threats to the public

• will be flexible in its approach, taking into account the impact of the potential economic or resource burden its actions could place on organisations

On the specific issue of data breaches, the ICO says:

‘Organisations should continue to report personal data breaches to us, without undue delay. This should be within 72 hours of the organisation becoming aware of the breach, though we acknowledge that the current crisis may impact this. We will assess these reports, taking an appropriately empathetic and proportionate approach.’

Practical tips

On discovering a data breach, the first thing you should do is assemble a data breach team, comprising the various people within your organisation who are best placed to respond to the breach, eg Data Protection Officer (if you have one), head of IT, head of compliance/legal and, if employee data is involved, your head of HR.

Having assembled your data breach team, you can then take the following priority action:

• conduct a preliminary assessment of the breach

• contain the data breach and (so far as reasonably practicable) recover, rectify or delete data that has been lost, damaged or disclosed

If, due to challenges presented by the coronavirus, you have a choice between deploying your available resources on assessing and containing the breach or collating the information required to notify the ICO, focus on the former. However, make a record of the reasons for your decision, so you can justify your actions if/when you do notify the ICO. If necessary, you can then make a skeleton notification to the ICO and provide further information at a later stage.

For guidance on the immediate actions to consider when handling a personal data breach, see Precedent: Data breach—panic sheet. See also Practice Note: Managing a personal data breach—process flowchart—GDPR and Precedents:

• Personal data breach plan—GDPR compliant

• Data breach assessment and action plan
