Personal Data Breach
Under the Data Protection Act 2018 (DPA 2018) and GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Lost or destroyed information therefore counts as a personal data breach under the Data Protection Act 2018 and GDPR, even where nobody outside the organisation has seen the data.
Article 5(1)(f) of the GDPR contains the principle of “integrity and confidentiality”, also called the Security Principle. It says that personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
In addition, the Accountability Principle in Article 5(2) requires data controllers (employers) to be able to demonstrate compliance with the principles. Article 32 provides more specific security requirements. While the Security Principle only applies to controllers, Article 32 applies to both controllers and processors and Article 28 requires processors to be contractually bound to take the security measures required by Article 32.
Section 66 DPA 2018 says that controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks. This applies to law enforcement processing, which is not covered by GDPR. Where the processing is carried out by or on behalf of the intelligence services, which is also not covered by GDPR, section 107 DPA 2018 says that controllers and processors must implement security measures appropriate to the risks arising from the processing. After conducting a risk assessment, the controller or processor must put measures in place to:
- Prevent unauthorised processing or unauthorised interference with the systems used for processing.
- Ensure the precise details of any processing that takes place can be established.
- Ensure that systems used for processing function properly and can be restored if interrupted.
- Ensure that stored personal data cannot be corrupted in the event of a system malfunction.
Sections 67 and 68 deal with personal data breaches and notifications to the ICO and data subjects for law enforcement processing, and section 108 for intelligence services processing.