Ireland’s Security Breach Code of Practice May Be Effective Soon
Ireland is preparing for stricter personal data protection requirements that are soon to take effect. In March 2011, Ireland’s Data Protection Commissioner released his 2010 Annual Report on the state of data protection. The report states that in 2010 the Office of the Data Protection Commissioner received 410 data breach notifications, a 350% increase from 2009. Most of the notifications came from the finance and medical sectors.
Billy Hawkes, the Data Protection Commissioner, attributed the increase in part to greater awareness of security breaches and to the stricter requirements of the Security Breach Code of Practice, which was published in July 2010 but has not yet been given statutory effect.
The Security Breach Code of Practice:
- addresses situations where personal data has been put at risk of unauthorized disclosure;
- provides that the focus of the Office of the Data Protection Commissioner is on the rights of the affected data subjects in relation to the processing of their personal data;
- provides steps for data controllers to take after an incident, including reporting the incident to the Office of the Data Protection Commissioner within two days of becoming aware of it.
Commissioner Hawkes also attributed the trebling of the number of breach reports to organizations failing to protect the personal data entrusted to them. The Report included a number of case studies to educate public and private organizations about the Commissioner’s security breach investigations. It suggested that public and private organizations devote attention to protecting personal data, including by designing systems, services and products that make compliance with data protection regulations effortless, especially with the mandatory provisions of the Code of Practice soon to be in effect.