Guernsey Press

Eight of 10 data breaches are due to human error

MORE than 80% of personal data breaches in a two-month period were due to human error, a report has found, leading the data protection commissioner to call for improvements.

Published
Data protection commissioner Emma Martins. (Picture by Sophie Rabey, 26972219)

Of the 48 breaches reported to the Office of the Data Protection Authority in the two months leading up to 28 December, 39 were down to human error out of 48 reported.

Personal data breaches also nearly doubled for the same period in the previous year, from 28 to 48 this year.

Information sent via email or post to the wrong person had consistently been the most common type of breach reported since statutory reporting requirements came into effect.

The Bailiwick’s data protection commissioner, Emma Martins, said that changing attitudes and behaviour is key to reducing data breaches and preventing harm.

‘These latest figures again illustrate how important it is for us all, whatever our role, to understand data protection as something more than an IT issue,’ she said.

‘We must focus on ensuring individuals’ rights are respected while also recognising the impact of human error when using personal data.

‘It is unrealistic to expect people to never make any mistakes, but we can positively influence attitude and a culture in organisations where mistakes are learnt from, behaviours change as a result and the risk of future harm is reduced.’

In response to this trend, the ODPA has recently been focusing on the role of human error in its events programme to help organisations and individuals understand and respond to the risks.

‘We do not seek a culture of blame, rather we seek a culture of improvement,’ added Mrs Martins.

The remaining self-reported breaches for the two-month period fell into other categories including mislaid data, criminal, hacking, unauthorised access and unauthorised disclosure.

Since 18 August 2018, there have been 313 personal data breaches reported to the ODPA.

Statutory breach reporting was one of the key changes to the local data protection law introduced in May 2018.

The release is part of the bi-monthly breach report statistics the ODPA has been issuing since June 2018.

The Data Protection (Bailiwick of Guernsey) Law 2017 states that organisations are legally required to notify the ODPA of any personal data breach within 72 hours of becoming aware of it.