The Article 29 Working Party has recently adopted an Opinion, providing good practice guidance for data controllers on when to notify data subjects of a personal data breach.
Notification of personal data breaches to data protection authorities is already a requirement under Directive 2002/58/EC (the e-Privacy Directive), which applies to providers of publicly available electronic communications services. Under that regime, and under the proposed new European Regulation, the breach should, where feasible, be notified to the competent authority no later than 24 hours after its detection; where full details are not yet available, an initial notification can be followed by a fuller one within 72 hours.
Notification to individual data subjects is not automatically required for every breach, but should be made when the personal data breach is likely to adversely affect the individual's personal data or privacy. In such cases, notification shall be made without undue delay. There is an exemption from the requirement to notify individuals if the data have been rendered unintelligible to anyone not authorised to access them. This can be achieved by appropriate technological measures, for example encryption with a state of the art algorithm; in practice the exemption only holds if the encryption key itself was not compromised in the breach, since encrypted data are only unintelligible for as long as the key remains secret. Even where the data are unintelligible, there can still be negative effects for data subjects where a breach involves loss or alteration of data, and the Article 29 Working Party advises that notification to data subjects should still be required in such cases.
The Opinion includes examples of situations where data subjects should be notified, organised around three security breach scenarios:
- an "availability breach" – the accidental or unlawful destruction or loss of personal data;
- an "integrity breach" – the alteration of personal data; or
- a "confidentiality breach" – the unauthorised disclosure of, or access to, personal data.
The Opinion also provides guidance and a series of questions and answers on some common concerns, such as:
- When does a security breach become a personal data breach?
- If only one person is concerned, is it necessary to notify the individual?
- How to notify when the contact details of the individuals affected are insufficient or not known?
- Is it necessary to notify data subjects who were not affected by the breach?
The Opinion is a useful guide on whether to notify data subjects of a breach, but data controllers should be proactive and plan how they would respond to a breach in advance.
As the Opinion states:
“It is important to have an appropriate risk management framework in place, presenting the minimum elements that such an approach should have and also providing a set of minimum appropriate technical and organisational controls, that the controller may define, and with a particular focus on those controls rendering data unintelligible when needed. Companies should also define in advance appropriate plans to deal with personal data breaches, which can ensure that they respond quickly and effectively to a personal data breach.”
Above all, it should be remembered that notifying data subjects gives them an opportunity to protect themselves and reduce the adverse effects of a breach. For example, the Opinion notes that many individuals re-use the same password across online services, so informing them of a breach enables them to change that password elsewhere. If there is any doubt about whether notification is required, data controllers should err on the side of caution, especially as data protection authorities may require notification to individuals as part of their investigation.