Irish Data Protection Commissioner introduces draft code of practice on breach notification

News by Dan Raywood

The theft or loss of personal data relating to more than 100 individuals now has to be reported to the Data Protection Commissioner under a draft code of practice in Ireland.

According to the Irish Times, the draft code has been published in response to the recent recommendations of the Data Protection Review Group established by Minister for Justice Dermot Ahern. Data Protection Commissioner Billy Hawkes said he had sought to publish the draft as quickly as possible after the review group's report "to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations".

However, the draft code provides an exception where the lost or stolen data can be considered inaccessible because it was adequately protected, for example by encryption. Members of the public have been invited to make observations or submissions on the draft code before Friday 18th June.

Brian Honan, founder and head of Ireland's computer security incident response team, who contributed to the working group, said that he was pleased to see this proposed.

He said: “As someone who has been campaigning for mandatory data breach disclosure laws in Ireland for a number of years I am pleased to see the proposed Data Security Breach Code of Practice. I have long argued that organisations need to realise that the data they hold on staff and customers is not theirs but rather has been entrusted to them by those individuals.

“The purpose of breach notification should not be to punish the organisation that suffered a breach, but rather to help the affected individuals take appropriate steps to protect themselves, especially nowadays with identity theft and financial fraud being so rife.

“The proposed code strives to reach a balance whereby organisations that have taken appropriate measures to protect sensitive data, e.g. encryption etc., need not notify anybody about the breach, nor if the breach affects non-sensitive personal data or small amounts of sensitive personal data. Yet, companies who have not taken the appropriate measures will indeed be obliged to admit to their shortcomings and shoulder the responsibility for same.”

He also claimed that the introduction of the Breach Code of Practice is another example of how Ireland can better protect its citizens and provide an effective information security governance framework for businesses to follow.

ISACA international vice president Rolf von Roessing also welcomed the proposal, saying that the code of conduct formalises the situation regarding data losses or thefts in the Republic of Ireland and, as such, will act as a reference model for other European countries.

He said: “When the UK's ICO announced in January of this year that he was increasing the penalties for data breaches and losses to £500,000, we welcomed those changes, noting that it is a major worry for responsible citizens to find that their private data - or even worse, that of their family - has been released into the public domain.

“It has been more than 25 years since the original UK Data Protection Act came into force, and since then, computers and the internet have changed our lives largely for the better. The same is true for Ireland and most other countries and this is why we welcome this proposal by the Irish Data Commissioner's Office, as it formalises what has been best practice in many organisations to date.”
