By Kimone Witter
The Office of the Information Commissioner is concerned about the increasing number of data breaches reported in the public domain in recent months.
Information Commissioner Celia Barclay says the breaches, which have affected several organizations in both the private and public sectors, underscore the importance of stringent data protection measures and prompt response protocols.
The Office of the Information Commissioner is the regulatory authority established under the Data Protection Act, 2020 and is mandated to, among other things, promote good practice in the processing of personal data and monitor and enforce compliance with the Act.
This week, Biomedical Caledonia Medical Laboratory confirmed that thousands of private files and data of hundreds of patients had been accessed in a breach of its systems in November last year.
It was also revealed that some debit card holders at the Bank of Nova Scotia were victims of cyber-fraud.
In a media release yesterday, the Office of the Information Commissioner said the fact that a data controller suffers a security breach does not necessarily mean that the data controller behaved inappropriately or negligently, nor that appropriate due diligence and level of care were not maintained or exercised.
However, Information Commissioner Celia Barclay says a significant number of breaches do occur from a failure of data controllers to implement appropriate measures.
She says, regardless of the cause of the breach, data controllers are required to inform data subjects about any potential adverse effects so that they may take action to protect themselves from harm, if possible.
Under the Data Protection Regulations, 2024, failure to process personal data in accordance with the data protection standards, to report a breach or contravention, or to notify individuals of a data breach or contravention affecting their personal data, constitutes an offence, for which the data controller shall be liable to either a fine or imprisonment for up to seven years.
Ms Barclay noted that enforcement provisions have generally not yet been brought into effect to enable the prosecution of offences under the Act.
In the interim, data subjects can seek compensation through the civil court when breaches occur.
Not all reported
The Office of the Information Commissioner has also observed that not all breaches publicly revealed have been reported to it as required by the Data Protection Act.
The OIC says data controllers who have not reported breaches should do so as a matter of urgency.
Information Commissioner Celia Barclay also notes that most of the breaches reported to the OIC have resulted from malicious acts by third parties, with damage to the data controller, data processor or the data subject.
Others have been due to accidental or negligent acts by the employees or other agents of the data controller, such as sending emails with the incorrect attachments.
Ms Barclay adds that, while she has not commented publicly on the specific breaches reported to the OIC or in various media, the Office has responded by requiring data controllers to account for the measures in place to mitigate the risks of breaches, reduce their impact and implement additional security measures to prevent future breaches.
Directives have also been issued, where necessary, for data controllers to notify affected individuals whose data have been compromised and to provide support to them.