Guernsey Press

ODPA – more than 14,000 people affected by data breaches in Q2

MORE than 14,000 people were affected by data breaches during the second quarter of 2024.

Bailiwick data protection commissioner Brent Homan.

The Office of the Data Protection Authority confirmed there were 39 breaches of personal data over the three months.

One saw a password-protected document containing information about a person being sent to an incorrect recipient.

‘On its own this would not necessarily constitute a serious breach, as the password-protection of the document would prevent the incorrect recipient accessing the information,’ the ODPA stated.

‘However, in this instance, the organisation sent the password for the document in the same email as the document itself, thereby rendering the technical measure used to protect the information – the password – useless.’

The ODPA said the case highlighted that security measures implemented with the best of intentions can fail due to poor execution.

‘You must make sure your staff are adequately trained for handling personal data safely, and that they understand the importance of implementing security measures appropriately.’

The second case study saw a service user submit a ‘data subject access request’ to an organisation, asking for all the details the organisation had about them and what it was doing with that information.

‘While staff were gathering the hard copies of this information for the person, they accidentally picked up a document which contained highly sensitive information about several vulnerable children and included it in the pack sent out to the service user,’ the ODPA stated.

Bailiwick data protection commissioner Brent Homan said the theme of these incidents was the importance of attention to detail.

‘In each situation the organisation was trying to uphold data rights, but in one case they included the password in an email with an encrypted document, and in the other they packaged third party sensitive info with an individual’s access to information request,’ he said.

‘When sending out sensitive information it is always a good practice to “pause and verify” before you hit that send button.’