The Characteristics of a Data Breach
Irish Water have admitted that over 6000 letters were sent out recently which contained the personal data of people who were not resident at the addresses that the letters went to. Irish Water have variously been reported as saying that the issue affected only people who were linked with more than one property in their databases or that the issue was caused by a “scripting error”.
Writing as an information quality professional, these two lines of excusifying might be symptoms of the one problem: a lack of understanding of the structure and format of the data they were working with and the inherent business rules within the data. This is a definitions issue: defining the key data elements that an organisation is concerned with, the relationships between them, and modelling that in a database structure is both an art and a science, as my good friend Graeme “The Rosie Project” Simsion used to teach people when he was a data geek.
As a Data Protection professional, I’m somewhat bemused by Irish Water’s statement that they understand they did not have a data breach. And my bemusement arises from nothing more than the definition in the Data Security Breach Code of Practice issued by the Data Protection Commissioner and the defined requirements of Section 2 of the Data Protection Acts 1988 and 2003.
Ultimately, it all comes down to definitions.
What does the Code of Practice say?
The Code of Practice is a standard that has been defined by the DPC to help organisations manage data breaches in a manner consistent with their obligations under Section 2(1) and Section 2(1)(d) of the Data Protection Acts. The Code of Practice explicitly states this:
1. The Data Protection Acts 1988 and 2003 impose obligations on data controllers to process personal data entrusted to them in a manner that respects the rights of data subjects to have their data processed fairly (Section 2(1)). Data controllers are under a specific obligation to take appropriate measures to protect the security of such data (Section 2(1)(d))
The obligation that exists under Section 2(1)(d) is that a Data Controller, or Data Processor, needs to ensure they have appropriate technical and organisational measures in place to prevent:
…unauthorised access to, or unauthorised alteration, disclosure or destruction of, the data, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing
The Code of Practice goes on to define its scope of application as follows:
This Code of Practice addresses situations where personal data has been put at risk of unauthorised disclosure, loss, destruction or alteration.
It does not limit its scope to situations where a malicious attacker has penetrated a million layers of security defences to make off with data. It does not limit its scope to purely breaches of database security. It defines its scope as being “situations where personal data has been put at risk of unauthorised disclosure, loss, destruction, or alteration”.
Deriving a Definition
Often, if a thing is not explicitly defined, it is necessary to derive the definition from the stated attributes and characteristics. Something falls under the Data Security Breach Code of Practice if there is a situation where “personal data has been put at risk of unauthorised disclosure, loss, destruction, or alteration”.
So, a good working definition of a Data Breach under Irish Data Protection law would be:
A Data Breach occurs where, as a result of a failure in an organisational or technical measure for the processing of that data, personal data has been put at risk of unauthorised disclosure, loss, destruction, or alteration
This brings in the elements of both the duty to keep data safe and secure under the Acts and the definition of scope for the Code of Practice.
Applying a Definition
In the Irish Water situation, we find ourselves faced with a set of circumstances where:
- Due to a failure of an organisational or technical control (e.g. definition of the data or the definition and execution of correct tests on data extract or mail merge scripts)
- Personal data was
- Disclosed by being included on address labels.
The personal data that was disclosed was that a person of name X lived at some point at address Y. The data breach actually occurred at the point where decisions were taken about the data processing and governance that created the risk that data would be disclosed in this way. No hacking or breach of technical security was necessary for this to have occurred.
Therefore, this particular set of circumstances looks like a breach and quacks like a breach, so we have at least to consider the possibility that what we have in front of us is a data protection incident of the species breach (to paraphrase Douglas Adams).
The impact of the breach is a secondary consideration. But given that the breach highlights a potential failure of Irish Water to ensure that their data meets the requirements of Sections 2(1)(b) and 2(1)(c) of the Data Protection Acts (accurate and up to date, and adequate), it should be a trigger for some deep introspection about effective models of Data Governance and the associated definition of key data elements in Irish Water.
Having handled a number of data breach incidents for clients over the past number of years, our experience is that the DPC is pragmatic about things, particularly where the impact is low, and will take on board assurances of remedial action when deciding to pursue an investigation. But a pragmatic response from the Regulator is not the same as not having a data breach.
Definitions and Perspective
One common theme we encounter in Data Governance and Data Protection engagements is the impact of how key concepts are defined and prioritised in an organisation, and how crises are defined and reframed as triggers for change and improvement.
One client, for example, took the imminent threat of impending prosecutions for Data Protection breaches as an opportunity to assess and re-engineer some key customer interaction processes to reduce the risk of “the surprised customer” and asked us to help them with that change.
Irish Water, however, seem to be living in denial about Data Protection in general. Over on my personal blog I’ve written about issues with their Data Protection notice and, in particular, their marketing consents. Irish Water insists they are fully compliant. Today they insist that a thing that has the characteristics of a breach is not a breach. This Pollyanna-esque approach to defining the problem that is to be faced greatly curtails the opportunity for the organisation to place personal data protection and privacy at the core of their culture.
“De Nile” is a river in Egypt and has no place in the data governance and data protection operations of any organisation working with personal and sensitive personal data.