The nature of the personal data breaches identified by my Department fall into the following general categories: personal data being shared accidentally with unintended recipients; the loss or theft of equipment (phones/laptops); the accidental exposure of personal data to unauthorised persons; or systems being compromised.
All breaches are dealt with in line with my Department’s Data Breach Management Policy, and as required under Articles 33-34 of the General Data Protection Regulation (GDPR). The majority of personal data breaches identified by my Department are unlikely to result in any risk to individuals and, in accordance with Articles 33-34 of the GDPR, do not require notification to the Data Protection Commission or communication to the individuals concerned. On five occasions where some level of risk was identified the Data Protection Commission was notified and on one occasion the individuals concerned were formally informed. My Department fully complies with its obligations under Articles 33-34 of the GDPR which are based on the level of risk to notify the Data Protection Commission and inform individuals where a personal data breach is identified.