Hi Phil
Putting the law aside... I generally take the default stance of notifying Data Subjects anyway, not only to be transparent, but because it can also help to assess whether in fact there is an ongoing high risk. Sometimes an incident may appear, at face value, to carry an ongoing high risk, but in reality the DS actually tells us there isn't because of certain circumstances. This can influence the decision to notify the ICO. I would only not notify the DS if it would involve a significant amount of effort/time, or it would cause them unnecessary distress when the incident has been successfully contained. Obviously, this is on a case-by-case basis.
Thanks
Jo
Joelle Taylor
Information Management Officer
Business Change and Information Solutions (BCIS)
Resources Portfolio, Sheffield City Council
Tel: 0114 27 36388/ Mobile: 07769 285 843
Email: [log in to unmask]
Postal Address: Sheffield City Council, PO Box 1283, Sheffield S1 1UJ
-----Original Message-----
From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Phil Bradshaw
Sent: 04 January 2019 11:45
To: [log in to unmask]
Subject: [data-protection] Friday Question - Breach Notification
Breaches must be reported to ICO if there is a risk to the rights and freedoms of the subject. We all understand that we need to "assess the likelihood and severity of the resulting risk to people’s rights and freedoms" in deciding whether to report so that not every trivial breach is reported.
Subjects must be informed if there is a 'high risk' - a more restrictive test.
Is it ever acceptable then, to inform the subject but not the ICO?
Would doing so compromise your ability to argue to the ICO (e.g. if the subject complained to ICO) that it had not in fact met the reporting threshold? If I was ICO I would certainly be asking "If there was no risk why were you upsetting the subject by doing this?"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^