My Department processes any personal data breaches that occur in accordance with its obligations under the GDPR including reporting requirements to the Data Protection Commission and communication with affected individuals in relation to a breach of their data, as appropriate.
The Department has an internal personal data breach reporting protocol. All breaches must be formally notified to the Department’s Data Protection Officer for assessment.
The majority of the breaches that occurred in my Department in the period 2017 – 2023 were as a result of administrative error. These were generally where an email was sent to an incorrect recipient, where an intended recipient incorrectly received data as part of an email attachment, or where an intended recipient inadvertently had sight of the full email recipient list.
The table below provides the details on the number of data breaches recorded in my Department, the numbers which were reported to the Data Protection Commission and the number of instances where communication with individuals took place. In instances where data breaches were not reported to the Data Protection Commission, the breach was deemed to comprise no risk to the individual. In relation to communicating with individuals, the Department as a data controller is obliged to notify an individual of a personal data breach where the breach is likely to result in a high risk to the rights and freedoms of the individual.
| Year | Number of breaches | Number reported to the DPC | Instances where communication with an individual took place having regard to threshold being reached |
|---|---|---|---|
| 2017 | 2 | 1 | 0 |
| 2018 | 14 | 7 | 0 |
| 2019 | 10 | 3 | 0 |
| 2020 | 17 | 6 | 1 |
| 2021 | 25 | 2 | 0 |
| 2022 | 25 | 5 | 0 |
| 2023 | 22 (to date) | 1 | 0 |