Guernsey Press

Fewer data breaches reported to ODPA in 2021

MORE than 170 data breaches were reported in 2021, slightly fewer than the 2020 total.


The Office of the Data Protection Authority found there were 177 breaches, compared with 180 the year before.

The final report of the year found 25 breaches in November and December.

More than half of these reported breaches were due to personal data being sent to the wrong person.

Usually most reported incidents in this category are due to an email going to the wrong person, but during this period there were more incidents in which something was sent by post to the wrong person.

These types of errors are consistently responsible for the highest number of reported breaches, highlighting again the role that human error plays in data breaches.

The other main feature of this period’s statistics is that cyber incidents affecting personal data continue to be reported.

Four cyber incidents were reported during November and December 2021.

Of the remaining breaches reported, two incidents were due to the inappropriate or unauthorised access of information, three were unspecified and one breach resulted from data being lost.

The 25 breaches were spread across a number of different sectors. The health sector reported the most, with eight incidents, followed by the fiduciary sector with four breaches.

Bailiwick Data Protection Commissioner Emma Martins said that one of the key themes with breach reports was their link to human behaviour, whether that be deliberate actions or human error.

‘Cyber incidents occur where criminals attack systems or seek to exploit human behaviour to gain access to systems, and one of the strongest lines of defence against these crimes is to ensure your staff understand the risks to personal data, the tactics cyber criminals use, and what your response plan is,’ she said.

‘So, your staff are both your biggest risk and your biggest opportunity in looking after the personal data in your care.’

On 1 January 2022 the ODPA introduced an improvement to its breach reporting system so that any organisations reporting a breach can now specify both how the breach happened and what the outcome was.

This change addresses the complexity of circumstances surrounding incidents where personal data is breached, and allows the person reporting the breach to provide greater clarity about why a breach occurred, and what impact it may have or has had.

Every two months, the ODPA publishes anonymised statistics on the breach reports it receives from the regulated community, so that everyone can apply any lessons learned.