European Data Protection Board releases guidelines on personal data breach notification under the GDPR… excellent timing given the spate of data breaches in Australia

October 24, 2022

The timing couldn’t be better. The European Data Protection Board (“EDPB”) released Guidelines 09/2022 on personal data breach notification under GDPR on 18 October 2022. Given that notification of data breaches is currently a significant issue in Australia, it is a very relevant document. More importantly, the guidelines on privacy and data breach issues are much more comprehensive in the EU and the UK. That makes for better and more effective systems and protections, if followed.

The announcement provides:

The European Data Protection Board welcomes comments on the Guidelines 09/2022 on personal data breach notification under GDPR. The targeted update and this public consultation concern paragraph 73 of the Guidelines (marked in yellow in the document). Such comments should be sent by 29th November 2022 at the latest using the provided form.

Please note that, by submitting your comments, you acknowledge that your comments might be published on the EDPB website.

The EDPB Secretariat staff screens all replies provided before publication (only for the purpose of blocking unauthorised submissions, such as spam), after which the replies are made available to the public directly on the EDPB public consultations’ page. Unauthorised submissions are immediately deleted. The attached files are not altered in any way by the EDPB.

Please note that, regardless of the option chosen, your contribution may be subject to a request for access to documents under Regulation 1049/2001 on public access to European Parliament, Council and Commission documents. In this case the request will be assessed against the conditions set out in the Regulation and in accordance with applicable data protection rules.

All legal details can be found in our Specific Privacy Statement (SPS).

The guidelines are referable to obligations under the GDPR. That said, they contain best practice processes for dealing with data breaches. To that extent they are a very valuable resource in the Australian context, providing structure for anticipating and responding to a data breach. Some points worth noting are:

  • the benefits of notification include the controllers obtaining advice on whether the affected individuals need to be informed. The supervisory authority may order the controller to inform those individuals about the breach.
  • communicating a breach to individuals allows the controller to provide information on the risks presented as a result of the breach and the steps those individuals can take to protect themselves from its potential consequences.
  • the focus of any breach response plan should be on protecting individuals and their personal data. Breach notification should be seen as a tool enhancing compliance in relation to the protection of personal data.
  • controllers and processors are encouraged to plan in advance and put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary. Notification to the supervisory authority should form a part of that incident response plan
  • GDPR requires:
    • both controllers and processors to have in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed, which should take into account:
      • the state of the art,
      • the costs of implementation,
      • the nature, scope, context and purposes of processing, and
      • the risk of varying likelihood and severity for the rights and freedoms of natural persons.
    • all appropriate technological protection and organisational measures to be in place to establish immediately whether a breach has taken place, which then determines whether the notification obligation is engaged
  • a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
  • the types of data breaches are categorised according to the following three well-known information security principles:
    • “Confidentiality breach” – where there is an unauthorised or accidental disclosure of, or access to, personal data.
    • “Integrity breach” – where there is an unauthorised or accidental alteration of personal data
    • “Availability breach” – where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
  • determining if there has been a breach of confidentiality or integrity is relatively clear
  • determining an availability breach may be less obvious. A breach will always be regarded as an availability breach when there has been a permanent loss of, or destruction of, personal data
  • a security incident resulting in personal data being made unavailable for a period of time is also a type of breach, as the lack of access to the data can have a significant impact on the rights and freedoms of natural persons
  • a breach involving the temporary loss of availability should be documented however, depending on the circumstances of the breach, it may or may not require notification to the supervisory authority and communication to affected individuals.
  • the GDPR requires that, in the case of a breach, the controller shall notify the breach without undue delay.  A controller should be regarded as having become “aware” when that controller has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised
  • the controller should implement all appropriate technical protection and organisational measures to establish immediately whether a breach has taken place.
  • when, exactly, a controller can be considered to be “aware” of a particular breach will depend on the circumstances of the specific breach. The emphasis should be on prompt action to investigate an incident to determine whether personal data have indeed been breached, and if so, to take remedial action and notify if required.
  • after first being informed of a potential breach by an individual, a media organisation, or another source, or when it has itself detected a security incident, the controller may undertake a short period of investigation in order to establish whether or not a breach has in fact occurred. During this period the controller may not be regarded as being “aware”. The initial investigation should begin as soon as possible and establish with a reasonable degree of certainty whether a breach has taken place; a more detailed investigation can then follow
  • The controller should have internal processes in place to be able to detect and address a breach.
  • practical steps that should be taken in all cases are:
    • information concerning all security-related events should be directed towards a responsible person or persons with the task of addressing incidents, establishing the existence of a breach and assessing risk.
    • risk to individuals as a result of a breach should then be assessed (likelihood of no risk, risk or high risk), with relevant sections of the organisation being informed.
    • notification to the supervisory authority, and potentially communication of the breach to the affected individuals, should be made if required.
    • the controller should act to contain and recover from the breach.
    • documentation of the breach should take place as it develops.
  • breaches that are “unlikely to result in a risk to the rights and freedoms of natural persons” do not require notification to the supervisory authority.
  • a confidentiality breach of personal data that were encrypted with a state of the art algorithm is still a personal data breach, and has to be notified. However, if the confidentiality of the key is intact – i.e., the key was not compromised in any security breach, and was generated so that it cannot be ascertained by available technical means by any person who is not authorised to access it – then the data are in principle unintelligible. The breach is therefore unlikely to adversely affect individuals and would not require communication to those individuals.
  • even where data is encrypted, a loss or alteration can have negative consequences for data subjects where the controller has no adequate backups. In that instance communication to data subjects would be required, even if the data itself was subject to adequate encryption measures
  • if personal data have been made essentially unintelligible to unauthorised parties, and a copy or backup of the data exists, a confidentiality breach involving properly encrypted personal data may not need to be notified
  • if there is a breach where there are no backups of the encrypted personal data then there will have been an availability breach, which could pose risks to individuals and therefore may require notification
  • when selecting encryption software controllers should:
    • carefully weigh the quality and the proper implementation of the encryption offered,
    • understand what level of protection it actually provides and whether this is appropriate to the risks presented,
    • be familiar with the specifics of how their encryption product functions, and
    • consider whether encryption that is currently adequate may become outdated in a few years’ time
  • the main objective of notification to individuals is to provide specific information about steps they should take to protect themselves
  • the controller should at least provide the following information to individuals affected by a data breach:
    • a description of the nature of the breach;
    • the name and contact details of the data protection officer or other contact point;
    • a description of the likely consequences of the breach; and
    • a description of the measures taken or proposed to be taken by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • dedicated messages should be used when communicating a breach to data subjects and they should not be sent with other information, such as regular updates, newsletters, or standard messages.
  • transparent communication methods include:
    • direct messaging (e.g. email, SMS, direct message),
    • prominent website banners or notification,
    • postal communications and
    • prominent advertisements in print media.
  • inadequate notification includes communication confined solely to:
    • a press release, or
    • a corporate blog
  • controllers may also need to ensure that the communication is accessible in appropriate alternative formats and relevant languages to ensure individuals are able to understand the information being provided to them
  • under the GDPR there are three circumstances where notification is not required:
    • The controller has applied appropriate technical and organisational measures to protect personal data prior to the breach, in particular those measures that render personal data unintelligible to any person who is not authorised to access it.
    • immediately following a breach, the controller has taken steps to ensure that the high risk posed to individuals’ rights and freedoms is no longer likely to materialise.
    • it would involve disproportionate effort to contact individuals, perhaps where their contact details have been lost as a result of the breach or are not known in the first place.
  • when assessing risk the following factors are relevant:
    • The type of breach that has occurred may affect the level of risk presented to individuals
    • type and sensitivity of personal data that has been compromised by the breach. The more sensitive the data, the higher the risk of harm will be to the people affected
    • Some types of personal data may seem at first relatively innocuous, however, what that data may reveal about the affected individual should be carefully considered
    • Similarly, a small amount of highly sensitive personal data can have a high impact on an individual, and a large range of details can reveal a greater range of information about that individual.
    • an important factor to consider is how easy it will be for a party who has access to compromised personal data to identify specific individuals, or match the data with other information to identify individuals
    • the potential damage to individuals that could result can be especially severe, in particular where the breach could result in identity theft or fraud, physical harm, psychological distress, humiliation or damage to reputation
    • whether there are special characteristics, such as personal data concerning children or other vulnerable individuals.
    • the number of people affected. The higher the number of individuals affected, the greater the impact of a breach can have
  • the controller needs to record details concerning a breach, which should include its causes, what took place and the personal data affected. It should also include the effects and consequences of the breach, along with the remedial action taken by the controller.
  • Where the controller does notify a breach to the supervisory authority, but the notification is delayed, the controller must be able to provide reasons for that delay
  • it is advantageous to both controllers and processors to have a documented notification procedure in place, setting out the process to follow once a breach has been detected, including how to contain, manage and recover from the incident, as well as assessing risk and notifying the breach
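The breach categories, the encryption and backup conditions, the three exceptions and the "always document" rule above fit naturally into an incident response playbook. The following Python helper is an added example, not text from the EDPB guidelines or the post; the `Incident` fields, the three-level risk scale and the rule ordering are simplifying assumptions, and the controller's own risk assessment is still an input rather than something the code derives.

```python
from dataclasses import dataclass
from enum import Enum


class Breach(Enum):
    CONFIDENTIALITY = "confidentiality"  # unauthorised or accidental disclosure/access
    INTEGRITY = "integrity"              # unauthorised or accidental alteration
    AVAILABILITY = "availability"        # loss of access to, or destruction of, data

@dataclass
class Incident:  # hypothetical record completed during the initial investigation
    disclosed: bool           # personal data accessed or disclosed without authorisation
    altered: bool             # personal data changed without authorisation
    unavailable: bool         # data inaccessible, even temporarily
    permanent_loss: bool      # data lost or destroyed with no way to recover it
    encrypted: bool           # protected with a state-of-the-art algorithm
    key_intact: bool          # key not compromised and not ascertainable by others
    backup_exists: bool       # an adequate backup lets the controller restore the data
    risk: str                 # controller's assessment: "unlikely", "risk" or "high"
    risk_mitigated: bool      # post-breach steps mean the high risk is no longer likely
    contact_impossible: bool  # reaching individuals would take disproportionate effort

def classify(inc: Incident) -> set:
    """One incident can fall under more than one of the three categories."""
    kinds = set()
    if inc.disclosed:
        kinds.add(Breach.CONFIDENTIALITY)
    if inc.altered:
        kinds.add(Breach.INTEGRITY)
    if inc.unavailable or inc.permanent_loss:  # permanent loss is always one
        kinds.add(Breach.AVAILABILITY)
    return kinds

def unintelligible(inc: Incident) -> bool:
    """Encryption blunts disclosure only; altered data also needs an adequate backup."""
    if not (inc.encrypted and inc.key_intact) or inc.unavailable or inc.permanent_loss:
        return False
    return not inc.altered or inc.backup_exists

def decide(inc: Incident) -> dict:
    kinds = classify(inc)
    if not kinds:
        return {"breach": False}
    # A confidentiality-only breach of properly encrypted data is unlikely to
    # affect individuals, so the supervisory authority need not be notified.
    risk = "unlikely" if unintelligible(inc) and kinds == {Breach.CONFIDENTIALITY} else inc.risk
    exempt = unintelligible(inc) or inc.risk_mitigated or inc.contact_impossible
    return {"breach": True, "document": True, "types": kinds,  # always document
            "notify_sa": risk != "unlikely",
            "tell_individuals": risk == "high" and not exempt}
```

A stolen encrypted laptop with an intact key and a backup comes out as a documented confidentiality breach with no notification, while an unrecoverable encrypted-data loss without backups is an availability breach that, at high risk, needs both the authority and the individuals told.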
