April 14, 2022
On 14 March 2022 the Data Protection Commission of Ireland (DPC) handed down a decision in respect of 22 personal data breach notifications made by the Bank of Ireland Group Plc (BOI) between November 2018 and June 2019. The personal data breaches included incidences of unauthorised disclosure of customer personal data to the Irish Central Credit Register, in addition to occasions of accidental alteration of customer personal data.
The DPC imposed administrative fines totalling €463,000 ($504,000) and ordered BOI to make certain changes to its technical and organisational measures to enhance the security of its processing compliance under Article 32(1) of the General Data Protection Regulation (GDPR). However, the interesting points of note relate to the scope of the definition of a personal data breach, as well as the approach to timely notification.
The personal data breaches arose from unauthorised and/or inaccurate disclosures of customer personal data to the Central Credit Register by BOI across an eight-month period. The Central Credit Register is used to generate independent credit reports on borrowers to assist financial institutions in assessing whether a loan should be provided. Seven of the incidents also involved transfer of data to the now-defunct Irish Credit Bureau. The DPC considered four issues:
The DPC confirmed that 19 of the 22 reported incidents met the definition of “personal data breach” under Article 4(12) GDPR. As a reminder, the definition of “personal data breach” is: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Whilst unauthorised disclosure is more readily recognised as a “breach of security leading to” a personal data breach, the DPC appears to have taken a much wider reading of the less‑often‑considered limb of the definition, alteration of personal data. The DPC confirmed that the definition of “security measures” under Article 32(1) GDPR includes the ability to ensure the ongoing integrity of processing systems and services, in addition to the ability to restore the availability of personal data in the event of a technical incident. Therefore, according to the DPC, a “breach of security” is not limited to a technical incident or an unauthorised disclosure of personal data and can include internal processing operations that result in the accidental or unlawful alteration of personal data [6.9].
It is also worth noting that the DPC acknowledges that the existence of a personal data breach is not conclusive that there has been an infringement of any provisions of GDPR [6.10]. Whilst a personal data breach triggers notification obligations for controllers, it does not automatically confirm that the GDPR has been breached.
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons.”
The DPC then referred to controller “awareness,” as discussed in the EDPB Breach Notification Guidelines, emphasising that an organisation should have measures in place to facilitate awareness in a timely manner. A number of the reported incidents were notified outside of the prescribed 72 hours on the basis that the event was “under investigation.” The DPC also stated that in some cases incidents went undetected for “an inordinate amount of time” (sometimes over a year), resulting in an unacceptable delay in notification [7.55].
The DPC’s decision highlights the focus on integrity of data that is shared between organisations, especially given the risk of harm to data subjects if that information is incorrect. Effectively, if data is altered as it moves through an organisation’s process, then it may amount to a personal data breach. An interesting point for further consideration is when the DPC would consider an organisation becomes aware of such a personal data breach: is it at the point when the inaccuracy is identified, or the point when the organisation identifies that a process has altered the accuracy of such data? This is not clear from the DPC’s decision in this case.
The United Kingdom Information Commissioner’s Office recently determined that having a written cybersecurity policy in place does not automatically negate the risk of a contravention of the GDPR; the DPC’s decision appears to follow the same line. Whether it is a security feature, a privacy policy or a ‘safe’ transfer mechanism, if personal data can still be impacted through data theft or inadvertent alteration, then organisations will still be at risk of a reprimand under the GDPR no matter how good the theoretical process. The integrity and accuracy of data is not only key for commercial relationships. In the eyes of the regulators, the accuracy of data is of paramount importance for data subjects too.
The decision also highlights the need to adhere to the GDPR’s notification structure as much as possible. If an organisation determines that there may be a high risk to data subjects, then it must notify them in a timely manner and not after a substantial period. The DPC’s decision often refers to the recitals of the GDPR containing the reasoning behind some provisions including the purpose of data subject notification, which is to allow data subjects to take steps in mitigation. Organisations need to be cognizant that they are unlikely to be able to excuse away lengthy notification timelines; as was the case here, such an approach may be deemed unacceptable by the supervisory authority.