Scenario
Sensitive personal data is exposed in circumstances where the controller is not at fault. Procedures were robust, industry standard, and followed. Incident was third party intervention outside of controllers knowledge or control. In terms of impact meets reportability criteria to go to ICO. Having discovered we are taking all possible, albeit limited, mitigations.
Pretty clear to me this is reportable - expected outcome - no action required.
Others are arguing there is no "breach of security" - the trigger as defined in Art 4(12) - just an incident. To my mind security is breached at point of failure - fault and breach of the DP principles is an entirely separate question
What I cannot find is anything specific in ICO or A29WP or ISO27040 guidance I can quote at them. Any pointers ?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.jiscmail.ac.uk_lists_data-2Dprotection.html&d=DwIFaQ&c=iVyFbx9TtkoGWXYs40w9MA&r=Pgrq90vq1RKyD-pj5UUL7_Bf_GcOTz6TPpDvrYpaJLU&m=S94mKVL748zPMaK3wSaKowcckUPuNeDG0jiKPapYTWk&s=YDG9Wcc47yuIo51KmkgrhENFRm_xXGNd7BqELsUwFM4&e=
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://urldefense.proofpoint.com/v2/url?u=https-3A__www.jiscmail.ac.uk_help_subscribers_subscribercommands.html&d=DwIFaQ&c=iVyFbx9TtkoGWXYs40w9MA&r=Pgrq90vq1RKyD-pj5UUL7_Bf_GcOTz6TPpDvrYpaJLU&m=S94mKVL748zPMaK3wSaKowcckUPuNeDG0jiKPapYTWk&s=pprP5i-Oz6A5IOMd1IUUD1oPqxB3eVRoy9pPQsQS8fs&e=
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html
Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and are sent in the body of an otherwise blank email to [log in to unmask]
Any queries about sending or receiving messages please send to the list owner [log in to unmask]
(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)