Step-by-step guide to reporting security breaches

Author: Oficina DPD / 10 November 2021

The GDPR (Article 4(12)) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Note that the definition covers accidental events (a lost laptop, a mis-sent email) as well as deliberate attacks.

The data controller of a health entity must notify a personal data breach to the supervisory authority when the breach is likely to pose a risk to the rights and freedoms of individuals (GDPR Article 33: without undue delay and, where feasible, within 72 hours of becoming aware of it). Where the risk is high, the controller must also communicate the breach to the affected data subjects (Article 34). This obligation applies to every entity that carries out any processing of personal data, not only to health entities.

When the entity faces a security incident such as improper access, network sniffing, malware or compromised credentials, among others, it must first assess whether personal data of data subjects has been affected (and how: confidentiality, integrity or availability, see below) and then proceed accordingly. Every incident should be documented, including those judged not to require notification, since Article 33(5) requires the controller to keep a record of all personal data breaches.

From the moment it is established that the breach may affect the rights and freedoms of individuals, the designated person will contact the Data Protection Officer. The DPO will advise the Data Centre or person designated by the entity and the Data Protection and Security Committee; will monitor compliance with data protection regulations; and will act as the point of contact with the supervisory authority, which is why the DPO's contact details must be given on the notification form.

What types of security breaches are there?

Confidentiality breach

When unauthorized or unlawful parties access personal data.

The severity of the loss of confidentiality must be analysed in conjunction with the scope of its disclosure, that is, the potential number and type of parties who may have accessed the information.

Integrity breach

When the original information is altered without authorisation, or data is replaced or corrupted, to the detriment of the individual (for example, a modified clinical record or prescription).

Availability breach

When the original data cannot be accessed at the moment it is needed (for example, because of ransomware or the loss of a storage device). This breach can be temporary (recoverable data) or permanent (non-recoverable data); in a healthcare setting even a temporary loss of availability may pose a risk to patients and can therefore be notifiable.

In the case of cross-border processing, a security breach may affect personal data in more than one Member State. In these cases each supervisory authority remains competent to carry out the functions assigned to it and to exercise the powers conferred on it by the regulations within the territory of its own Member State, while the supervisory authority of the controller's main establishment acts as lead supervisory authority under the cooperation mechanism (GDPR Article 56).

Where the processing is carried out by public authorities on the basis of Article 6(1)(c) (legal obligation) or Article 6(1)(e) (public interest or official authority), the competent supervisory authority is that of the Member State concerned, and the lead-authority mechanism does not apply.

Security breaches in the field of research

In the field of health data research, there are two elements that add complexity to the management of security breach notifications:

Regulatory complexity in the field of research

Depending on the type of project, the entity must adhere to the specific regulations that govern that project (for example, the rules applicable to clinical trials or to observational studies). Each set of rules establishes its own obligations in relation to the processing of the data used in the research project, regarding for example the data retention period or transfers to third parties, and these obligations condition how a breach must be assessed and reported.

Complexity in determining who the data controller is

Several actors process data in a research project (the hospital, the sponsor, the foundation that manages the research, the monitor, etc.), and the relationships between them (data controller, joint controllers, data processor) must be established, ideally in advance and in writing, to determine who will assess and report the security breach. Remember that a processor that becomes aware of a breach must notify the controller without undue delay (GDPR Article 28(3)(f) and Article 33(2)), so the 72-hour clock for the controller starts when the controller becomes aware, not when the processor does.

For more information, please contact the Office of the Data Protection Officer at dpdicsalutsocial.cat or check the website www.dpdsalut.cat