Ireland publishes proposed data breach notification rules

More than 100 spills and you've got to mop up

Irish organisations which lose the personal data of more than 100 people will have to report the data security breach to the authorities, according to new rules proposed by that country's privacy regulator.

The proposal will force the declaration of data losses to Ireland's Data Protection Commissioner in all cases in which more than 100 people's data have been compromised, according to a draft Code of Practice published by the Commissioner.

Organisations can avoid reporting an incident if data is encrypted and protected by a strong password, or if there was a strong password and a remote memory-wipe feature on a lost device and that feature was activated immediately.

Data protection officials are split on whether data security breach notifications should be introduced. Many US states have them on their statute books but the UK's Information Commissioner's Office (ICO) has never fully supported them, arguing that they can mask the seriousness of some incidents by making lesser incidents seem common and without serious consequences.

The Irish Government ordered a review in 2008 to determine whether or not reporting obligations there protected individuals sufficiently. It recommended that some sort of official guidance about when incidents must be reported should be created.

The Irish Data Protection Commissioner has now published a draft Code of Practice outlining exactly when reports to him must be made.

"I have sought to bring forward a draft Code as quickly as possible after the Review Group report to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations," said Irish Data Protection Commissioner Billy Hawkes.

Even when an organisation loses the data of fewer than 100 people, it must report the incident if that information includes sensitive personal data or financial information which could be used to impersonate those people.

"Data controllers who are required to report to the Office of the Data Protection Commissioner in accordance with this Code must do so within two working days of becoming aware of the incident," said the guidance.

"Such data controllers are required to provide a detailed report of the incident reflecting careful consideration of … the amount and nature of the personal data that has been compromised; what action is being taken to secure and / or recover the personal data that has been compromised; what actions are being taken to inform those affected by the incident or reasons for the decision not to do so; what actions (if any) are being taken to limit damage or distress to those affected by the incident; and a chronology of the events leading up to the disclosure," it said.

Organisations will have to provide a second report to the authorities outlining the steps they are taking to ensure that a similar incident does not happen again, the draft Code said.

"The Office of the Data Protection Commissioner will investigate the issues surrounding the data breach," it said. "Investigations may include on-site examination of systems and procedures and could lead to the use of the Commissioner’s legal powers to compel certain actions. Such actions may include a recommendation or requirement to inform data subjects about a security breach incident where a data controller has not already done so."

The European Union approved a data breach notification law last year as part of telecoms law reforms, but the law only applies to telecoms firms. The Commission and Council rejected EU Parliament proposals to have the law apply to businesses that operate online, such as shops and banks.

See: The draft Code of Practice

Copyright © 2010, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
