Although there is no legal obligation to report breaches of security, the Information Commissioner’s Office (‘the ICO’) is of the opinion that ‘serious breaches’ should be brought to the attention of his Office.
Unfortunately, what ‘serious breaches’ means is not defined, but the following should be taken into consideration when deciding whether breaches should be reported:
- The actual or potential harm to those people whose personal information has been compromised.
- The volume of personal data involved.
- The sensitivity of the data.
1. How should a report be made?
Serious breaches should be notified to the ICO using its DPA security breach notification form.
2. Will a reported breach be made public?
The ICO does not see it as its responsibility to publicise security breaches not already in the public domain, or to inform any individuals affected. However, the ICO may recommend that a breach be made public where it is clearly in the interests of the people concerned, or if it considers there is a strong public-interest argument for doing so.
3. Are there any exceptions?
Charities and organisations working in the Health, Public Health and Adult Social Care sectors have additional legal and/or regulatory obligations.
4. Is the law changing?
Proposed new EU law is likely to make it compulsory to report a breach to the ICO and also, in many cases, to inform those people whose privacy has been compromised.