Not all organisation data breaches get reported to the Information Commissioner’s Office (ICO).
The ICO does recommend that any serious breach is reported to them, but it isn’t mandatory and ‘serious breaches’ are not defined. However, the following should assist data controllers in considering whether a breach should be reported:
The potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriment includes emotional distress as well as both physical and financial damage.
Ways in which detriment can occur include:
exposure to identity theft through the release of non-public identifiers, e.g. a passport number
information about the private aspects of a person’s life becoming known to others, e.g. financial circumstances
The extent of detriment likely to occur depends on both the volume of personal data involved and the sensitivity of the data. Where there is significant actual or potential detriment as a result of the breach, there should be a presumption to report.
Where there is little risk that individuals would suffer significant detriment, for example because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly-available information, there is no need to report.
The volume of personal data lost / released / corrupted: There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm.
The sensitivity of the data lost / released / corrupted:
How to Report a Breach
Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff who will record the breach and give you advice about what to do next, or report in writing using the DPA security breach notification form, which should be sent to the email address firstname.lastname@example.org or by post to the office address at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
When a breach is reported, the nature and seriousness of the breach and the adequacy of any remedial action taken will be assessed and a course of action determined.
Record the breach and take no further action; or
Investigate the circumstances of the breach and any remedial action, which could lead to further action;
Set a requirement on the data controller to undertake a course of action to prevent further breaches;
Start formal enforcement action, which could lead to a fine of up to £500,000.
Welcoming recent government changes, Information Commissioner Christopher Graham said:
“The rules around marketing calls have been a licence for spammers and scammers, and people are sick of them. This law change gives consumers the chance to fight back.
“We still need people to report these calls to us, but now we can use those complaints to better target the companies behind this nuisance.”
Electronic marketing, including marketing calls and texts, is covered by the Privacy and Electronic Communications Regulations (PECR). The regulations require organisations to have an individual’s consent to make automated marketing calls or send marketing texts to that person.
For live marketing calls, the organisation must not contact people who have opted out of receiving them, most commonly by registering with the Telephone Preference Service (TPS).
The Information Commissioner’s Office currently has the power to issue penalties of up to £500,000 if it is able to prove that the marketing calls or messages caused, or had the potential to cause, ‘substantial damage or distress’. The ICO has called for this bar to be lowered to make it easier to fine companies who are breaching the regulations but who would currently not meet this statutory bar.
The changes that came into effect on 6 April 2015:
1. Spam texters held to account
Any company sending you a marketing text without your permission is already breaking the law. As it stood, the law required the ICO to prove ‘substantial harm or substantial distress’, but this threshold has now been reduced. Making it easier for the ICO to make fines stick should create more of a deterrent, and that would lower how many nuisance messages we all get.
2. Companies will need to play by the rules
It’s a myth that nuisance calls are all from a handful of bad guys. In September, the Telephone Preference Service (TPS) received over 2,000 complaints about nuisance calls. Of those, 38 companies featured in more than ten complaints. That suggests they’re probably breaking the law, but not in a way serious enough for the ICO to be able to fine them.
3. More fines means fewer calls and texts
While fines for nuisance calls and texts are relatively new, recent independent analysis of Data Protection Act fines showed that 60 per cent of organisations had looked to improve their compliance with the law after a company in their sector was fined. More fines for companies making nuisance calls and sending spam texts should have the same effect.
4. People complaining will be more important than ever
The ICO received 161,720 concerns about nuisance calls and texts in 2015. That’s a lot of people who want to see us take action, and their complaints have meant the ICO has been able to raid offices and call centres, prosecute people and issue fines. You can report a nuisance call or a spam text to the ICO online.
Have these changes proved worthwhile?
Since the change in the law was introduced, the ICO has issued fines totalling more than £2 million compared with just £360,000 during the previous 12 months.
So that’s a YES