Guernsey Press

Charities ‘understanding data protection risks’

The importance of data protection is getting through to charities, according to the regulator.


In the last quarter of 2023 four breaches were reported by charities.

The Office of the Data Protection Commissioner said that it was a good sign that the charitable sector was better understanding data protection issues.

‘The ODPA works closely with the charitable sector to support their awareness of, and compliance with, the law,’ said new data protection commissioner Brent Homan.

‘The fact that they are reporting breaches points to this engagement having a positive effect on their understanding of their breach reporting requirements.’

The quarterly statistics revealed 39 breaches of personal data reported during the three months, which affected 1,115 people. This brought the total number of breaches during the year to 145, compared to 151 in 2022, 177 in 2021 and 180 in 2020.

‘It is interesting to note the slight decrease in reported breaches over the past few years,’ said Mr Homan. ‘This could be a positive indicator of organisations better assessing the risk of harm for any given breach incident and reporting accordingly.’

The main problem during the quarter was a continuation of the long-established trend of emails containing personal data being sent to the wrong person. This happened twice as often in Q4 as in Q2.

This clear trend of personal data being sent to the wrong person is by far the most common breach reported to the ODPA. Mr Homan said that there were many ways that data could be breached, by being accidentally destroyed, lost, altered, disclosed or accessed without authorisation, and this could happen in many ways, not just through email.

Last year was exceptional in terms of the large number of people affected – nearly 10m, due to a single incident affecting customers of a UK-based company that was the victim of a large cyber attack. The company is not based locally but reported the incident to data protection regulators in all jurisdictions where its customers were based.