Hi, does anyone know what the procedure is for reporting after a fire which has destroyed personal data? Early stages at the moment, but does this sort of thing need to be reported to the ICO, as technically the data has been destroyed? Thanks in advance.
Barry Moult
I had a similar event a few years ago, but not fire!! We called it “Poo-gate”. Lots of health records got contaminated with ….. wet, smelly poo and we had to incinerate a few hundred records. Reportable to the ICO (pre GDPR) and the records were damaged, lost.
Chris Roberts
Lovely experience Barry. lol
Tash
It will be exactly the same as any other breach. If there is a risk to the individual then report. If there is a high risk then you also let the data subject know.
Alexander Sturing
Perhaps stating the obvious, but there was no backup of the data elsewhere? If all(!) the data is still available from other locations, I would not consider this a data breach/data loss.
If there was no (complete) backup, I agree with the answers above and treat it as such. Also, this is the “best” time to request budget for a backup technology 😉
I hope no personal damages occurred during this incident!
Elisavet D.
This is a data breach that affects the availability of personal data, meaning that personal data is no longer available to authorised users. You should do your risk assessment, and then if there is a risk to data subjects, report it to the SA. As it is an availability data breach, pay special attention to whether there is a backup or another way to restore the data, or if the personal data has been completely destroyed. I assume it is about hard copies, but maybe there is a way to retrieve the personal data.
Henk van Leussen
Hi Phil,
Putting your thoughts on paper and then making the report: I think you have a point there. Now we always start from a standard questionnaire. But are these questions the questions you need for the incident you are dealing with? That’s why I insist that we are not computers, but human beings. So that we can continue to think and draw conclusions ourselves.
Then we can do the reporting.
PhilM
You first need to decide if it is a breach. According to the Art. 4(12) definition, it appears as if it is. Next, you need to assess the risk. Art. 33 only requires you to report if you believe that there is a risk to the individuals. I would suggest that the risk is something more than just ‘a minor inconvenience’ but something tangible. Document your thinking and if necessary, make the report.