Ireland is considering beefing up its data protection rules with more detailed guidelines for when an organization should report a data breach.
The proposed code of practice has been published by the Office of the Data Protection Commissioner on its Web site and is open for public comment through June 18.
The code of practice details the reporting obligations for data handlers under Ireland’s Data Protection Acts. As in the U.K., Ireland has had its share of high-profile data breaches, which likely spurred the creation of the code of practice, said William Malcolm, a privacy lawyer with the law firm Pinsent Masons.
The code of practice would require organizations to report a breach within two working days with some exceptions if strong security measures are implemented.
The report would include the nature of the data compromised, what action is being taken, how people have been informed or the reason for not informing people, actions taken to limit distress to those affected and a chronology of events.
All breaches that result in the loss of personal data affecting more than 100 people would have to be reported unless the personal data was encrypted to a “high standard” with a strong password and that password had not been compromised.
Organizations are exempt from reporting if the data was remotely erased immediately after the incident and if there is no reason to believe that personal data was accessed before the data was erased.
A last exception allows organizations to not report an incident if it affects fewer than 100 people and the data lost does not include personal or financial data that could be used for identity theft, the code of practice says.
In comparison, the U.K.’s disclosure guidelines are less specific than the proposed Irish code of practice, Malcolm said. However, the U.K.’s Information Commissioner does expect organizations to report serious data breaches, he said.
In April, the U.K. Information Commissioner for the first time gained the power to fine organizations for violating the Data Protection Act. Fines of up to £500,000 (US$730,000) can be levied. Other agencies, such as the U.K.’s Financial Services Authority, can impose even higher fines on organizations such as banks and insurers, Malcolm said.
Ireland’s code of practice is a step forward but is not necessarily materially different from the U.K.’s expectations for reporting data breaches, which organizations tend to follow, Malcolm said.
The European Union has a data breach disclosure law on the books, but it only applies to telecommunication companies. European Union countries are in the process of implementing that law, Malcolm said.
Europe has rejected other proposals for data disclosure rules that would apply to companies that have online operations, according to Pinsent Masons’ blog.
Send news tips and comments to jeremy_kirk@idg.com