The Data Protection Acts do not specifically require that subjects be notified when their data has been compromised. But they do impose obligations upon controllers to processing data fairly, which includes notifying subjects when their data is disclosed to third parties. These issues are discussed more fully in Chapter 11 of Privacy and Data protection Law in Ireland
This code “…addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration” It should be noted that this code applies to data that has been put “at risk”; there is no need to be certain that the data has in fact been disclosed, lost, destroyed or altered without authorisation.
Following such an incident “…the data controller must give immediate consideration to informing those affected” unless the data is properly encrypted or otherwise protected. Data processors must inform controllers of any such incidents; the controller may then have to inform the subjects.
The DPC’s code provides that:
“All incidents in which personal data has been put at risk should be reported to the Office of the Data Protection Commissioner as soon as the data controller becomes aware of the incident…”
- “the full extent and consequences of the incident has been reported without delay directly to the affected data subject(s)” and
- The incident “…affects no more than 100 data subjects” and
- The data at risk “…does not include sensitive personal data or personal data of a financial nature”.
Where a notifcation is to be made to the DPC then:
- Initial contact should be made with the DPC “…within two working days of becoming aware of the incident”
- This contact should outline “the circumstances surrounding the incident”
- Contact may be made by “e-mail (preferably), telephone or fax” but should not “…involve the communication of personal data”
When the DPC receives such an initial notificaiton she may seek more detailed information (see paragraph 10 of the code) and may direct that an investigation take place. Her approach will be determined by “…the nature of the incident and the presence or otherwise of appropriate physical or technological security measures to protect the data”
Controllers should keep records of such incidents, even where they do not notify the DPC.