Oliver Topping: How to spot personal data breaches and when to report them


In 2018, new data protection laws brought in a requirement for data controllers, like employers and trustees of pension schemes, to make reports swiftly after certain types of personal data breaches occur.

Before rushing to pick up the phone to the Information Commissioner’s Office (ICO) or emailing affected employees or pension scheme members, it is worth considering whether the incident will actually meet the triggers under these new laws. If not, reporting requirements may not apply.

The new laws only cover breaches involving information on identifiable living people. A trustee may accidentally leave a pack of confidential pension scheme valuation papers on a train. While a serious flaw in security procedures, this will not constitute a personal data breach if none of the papers contain information on specific individuals.

Even when a personal data breach has clearly occurred, it may not automatically trigger the reporting requirements. A breach does not need to be reported if it is unlikely to result in a risk.

So, if an encrypted USB stick containing payroll data is stolen from an office, as long as the data is securely encrypted and inaccessible to the burglars, and if back-ups exist, this is probably a low-risk breach. No report would then be required.

On the other hand, some incidents are personal data breaches, even if they do not involve hacking or theft. If a power outage means that a pension scheme’s administration system goes down and member information is temporarily inaccessible, this may still count as a breach; if the outage is short, however, the risk may be too low to trigger a report.

Because not all incidents need to be reported, having a process to assess them within the deadlines is key. Legal advice will help to prepare a policy, or help review borderline cases.

While reporting triggers should be kept in mind, the new laws also have a strong focus on transparency and accountability. Even low-risk personal data breaches cannot, therefore, be ignored. Though they may not require a formal regulatory report, all personal data breaches should be investigated and recorded in the controller’s breaches log.

Oliver Topping is a senior associate at Sackers