Mixed messages on data loss
First, the not-so-good news. In response to a parliamentary question from Labour leader Ruairí Quinn, it emerged that the rate of loss of electronic devices is increasing to approximately one per week (a figure which includes laptops, desktops, USB keys, BlackBerries and the like). Worse, only three government departments have fully encrypted their portable devices, and although the majority are in the process of doing so, two departments (Communication and Education and Science) have not done so at all.
So what’s the good news? After these figures emerged, the Minister for Justice indicated that he was considering introducing mandatory reporting where personal data is lost, which, according to the Irish Times, would extend to “all state agencies, banks and other entities”. We’ve been calling for mandatory reporting of data loss for some time now, something which has been endorsed by, amongst others, the European Data Protection Supervisor and the Irish Times. It’s good to see the Minister (albeit belatedly) acknowledge the need for change.
The devil is, however, in the details and (while it’s dangerous to read too much into a relatively short piece) there are indications in the story that what the Minister is considering is too narrow.
First, the story talks about reporting “when an electronic device containing information on members of the public is lost or stolen”. This reflects a rather old-fashioned view of data as being embodied in a particular tangible form, a view which is no longer valid. It makes little sense to say that there should be notification when a USB key is lost but not when an online database is compromised.
Secondly, the focus seems to be on data which goes “missing”. This might fit the traditional example of the laptop left on the bus, but it excludes situations where a corrupt insider deliberately misuses data. A good example is the recent scandal where mortgage brokers illegally passed on details of buyers’ finances to estate agents and auctioneers. Such abuses are often more serious than inadvertent loss of data, and any duty to report should also include deliberate and illegal disclosures of data.
Thirdly, the duty to report would be to the Data Protection Commissioner, with the public being informed “in major cases”. This must not mean, however, that the individuals whose data is lost would only be informed “in major cases”. The risk to your finances if your details are lost is just as great whether or not you are the only victim. It would be little consolation to learn that you were not informed, and so not given a chance e.g. to cancel your credit cards, because you were the victim of a “minor breach” only.
These concerns aside, we welcome the Minister’s decision and look forward to seeing detailed proposals soon.