Examples of a personal data breach
Example: "As a result of a power outage or a denial of service, the controller temporarily or permanently loses access to personal data."
In the above example we encounter an incident that results in a loss of access to personal data for a certain time. Such an event constitutes a breach because a lack of access may be of significant importance for the rights and freedoms of natural persons. At the same time, it must be kept in mind that not each and every case of temporary data inaccessibility is a breach. It is a breach only when the inaccessibility may lead to a risk to the rights and freedoms of natural persons: e.g. in the case of a hospital, the lack of access to patients' data may prevent a medical operation, and therefore pose a threat to life, which is to be classified as a high risk to the rights and freedoms of natural persons. In the event of a media company lacking access to its systems for a few hours and therefore being unable to dispatch its newsletter to its subscribers, the level of risk to the rights and freedoms of natural persons is low. Similarly, during planned system maintenance the personal data might be unavailable for a certain time, and in this instance it should not be treated as a security breach (low risk).
Although the loss of access to the controller's systems might be only temporary and at its initial stage may have no effect on the rights and freedoms of natural persons, it is important that the controller, after having conducted a full risk analysis, considers all possible consequences of the breach: those which have already materialised and those which might still occur in the future.
Example: The controller's IT system was infected by malicious software. After conducting the initial analysis, the controller concluded that a temporary loss of access to data had occurred. However, because the controller had an electronic security system in place which prevented data leakage, the risk to the rights and freedoms of natural persons was low and the breach itself did not require notification to the President of the Personal Data Protection Office (UODO). After a few hours it became apparent that, as a result of hacking into the system, the attacker, after having bypassed the security controls, had gained access to personal data, because of which the risk to the rights and freedoms of natural persons became high and required notification to the supervisory authority.
A data breach may also occur in the following instances:
- data modification without consent of the data subject;
- sending data to the wrong person (e.g. by wrongly addressing an e-mail);
- the loss of a data storage medium (phone, laptop, USB drive, folders containing data in paper form);
- unauthorized data disclosure (e.g. digitally, such as transmitting data via remote access like a VPN, where access is often granted indefinitely, but also via phone, where the caller, while attempting to elicit information, claims to be a police officer or an official);
- an inappropriate data erasure procedure (e.g. the controller decides to get rid of old computers and, before selling them, only deletes the desktop files and empties the trash without wiping the data from the computer's drive).