Question from: County Councillor Gareth Ratcliffe Subject: Data Protection Breaches
What actions do the council take when data protection breaches occur?
How many personal data breaches have occurred in last 12 months and how many apology letters have been sent out?
Response by the Portfolio Holder:
Powys County Council responds to any notification of an actual or potential personal data breach in line with its Information Security Incident Reporting Policy, and the changes introduced by the implementation of the General Data Protection Regulations in May 2018.
Those changes included the requirement of all controllers of personal data to notify the Information Commissioner (ICO) within 72 hours of becoming aware of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the individual.
Additionally, the legislation goes on to say that the controller is required to inform the data subject where the personal data breach results in a high risk to the rights and freedoms of the individual, unless containment activity has been implemented to ensure that those high risks are no longer likely to materialise.
The Council’s Data Protection Officer oversees and monitors the Council’s compliance with its obligations to data protection legislation.
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed
2019-2020 saw 104 personal data breaches occurring, of those 8 were assessed as requiring notification to the ICO and another organisation notified the ICO of 1.
Of those 9, 3 cases were assessed as being of such severity as to also require reporting to the individuals too, and in another 2 cases the individuals were already aware.
However, in another 12 of the 104 cases the individuals were also informed of the personal data breach, even when there was no obligation on the Council to do so.