Ireland Proposes Data Breach Rules
June 11th, 2010 by admin
Organisations based in Ireland that lose the personal data of one hundred people or more shall be compelled to report the data loss to the authorities under new rules proposed by Ireland's Data Protection Commissioner.
The country’s privacy regulator has drafted a Code of Practice after the personal data of thousands of people was lost when organisations’ privacy policies were not sufficient to protect it.
Under the proposed rules, organisations will be compelled to encrypt all data and secure it with a strong password if they are to avoid the requirement to report the data loss to the Irish Data Protection Commissioner.
In 2008, the Irish Government requested that a review be undertaken to establish whether obligations on organisations to report data losses would be sufficient to assist in the protection of personal information. The Government recommended that official guidelines ought to be put in place to set out clearer rules on when to, or when not to, report data losses.
Although data protection officials are split over the Commissioner’s recommendations, the European Union approved a data breach law last year under the telecommunications law reforms. However, this law was not extended to include online businesses such as online shops and banks after the European Commission and European Council rejected the Parliament’s suggestion to extend data breach rules to all.
The Commissioner’s proposed Code has also been used as a means of clarifying when, exactly, reports should be made to the Commissioner’s office regarding a data breach. When an organisation loses the data of a group of fewer than one hundred people, it must report any incident that occurs to the Commissioner within two working days of that incident occurring. This is to encourage identity fraud protection and to inhibit identity theft, whereby an individual is impersonated by another.
Upon notification of the data breach to the Commissioner’s office, a thorough investigation shall be undertaken of all procedures that the organisation has in place, as well as its systems and strategy. The findings obtained by the authorities may result in legal action being taken to compel that organisation to take particular actions.
The draft Code of Practice shall be decided upon shortly. Under this Code, all organisations in breach shall have to provide a secondary report to the Commissioner outlining the steps they are taking to protect data and prevent a similar incident from occurring again.



