Last July, the Irish Data Protection Commissioner formalized and approved a Code of Practice for organizations suffering information security breaches: the Personal Data Security Breach Code of Practice. The Code specifies that all data security incidents should be reported to the Data Protection Commissioner, except in very limited cases, and sets out additional risk minimization measures.
Although the intention was that the Code of Practice would have legal force, the Irish Data Protection Commissioner has revealed that, at the current time, the Code is still not legally binding in Ireland because the final parliamentary measure that would have bestowed legal status on the Code was never undertaken. Speaking at an Irish Computer Society event this week, Commissioner Hawkes said that “the code of practice that exists now is not legally binding – it’s just strong recommendations.”
Any Irish-based or multinational organization affected by a data security breach will want to consider this statement in assessing its reporting obligations. For more information, see this article from the Irish Times.