A simple definition of a data breach is a security incident that affects the confidentiality, integrity, or availability of personal data. The cause can be deliberate or accidental, and the result is data that is accessed unlawfully, changed, lost, stored unsafely, deleted, or shared without permission.
Data breaches in the workplace take a range of forms. Some examples of data breaches include:
- Being included in an email distribution group when it is not necessary.
- Having access to a folder including personal data when you should not have.
- Hacking or other malicious access by a third party.
- Leaving paperwork on an open laptop or public transport or in a public place.
- Putting your username and password into a phishing website.
- Sending an email that was meant for a colleague, to a customer.
- Sharing personal data with another company without a contract in place.
- Theft of anything that holds data.
It is a common misconception that every breach must be reported to the ICO (Information Commissioner's Office). What matters is the risk the breach poses: that determines how serious it is and therefore whether it needs to be escalated to the ICO.
How to determine the risk of a data breach
Taking the example of an email meant for a colleague being sent to a customer, it is important to go through the correct process to identify the seriousness of the data breach.
Has a breach been identified?
Yes, in this instance, because an email has been sent to someone other than the intended recipient.
Is the breach likely to result in a risk to the individual's rights?
If the email contained only a spreadsheet of names, no: it would not need reporting to the ICO. Instead, you need to record the incident on your company's breach register. If the spreadsheet contained medical information, this would be considered serious and would need to be reported to the ICO within 72 hours. The people whose information has been leaked should also be told.
If in doubt, notify the ICO anyway and they will guide you. Breaches can arise from an easy mistake; however, ensuring that the correct processes are followed in line with data protection and security policies protects both yourself and your organisation against potentially serious consequences.