Data Security Breaches - Report of the DP Review Group
.jpg)
The Data Protection Review Group published its Report (pdf) on Data Protection in May 2010. The Group, which was appointed by the Minister for Justice, Equality and Law Reform, was formed to look at whether legislative changes were necessary to address the lack of any specific legal obligation to report security breaches of data.
The key recommendations contained in the Report are:
1. Legislation should provide for a general offence by a data controller of deliberate or reckless acts or omissions in relation to the data protection principles, including contraventions of the security principle in relation to data breach incidents.
2. The reporting obligations of data controllers in relation to data breaches should be set out in a statutory Code of Practice. The Group recommended that there should be a legal requirement to report breaches of data to the Data Protection Commissioner (DPC) but not necessarily to data subjects.
The European Commission is expected to make a proposal for a new or amending Data Protection Directive either later this year or during 2011 and the Report states that the introduction of any Irish legislation is likely to be influenced by the pace of such EU developments. The Minister has requested the DPC to begin preparing a statutory Code of Practice.
In the meantime, although there is no legal requirement to notify the Office of the Data Protection Commissioner of a security breach, depending on the nature and severity of the breach, it is usually recommended to consult with the Office in the event of one arising.
