Background

At IFLA, any question, complaint or notice regarding the processing of personal data within IFLA is regarded as an incident. The most notorious form of such an incident is a personal data breach. This template describes the policy regarding the reporting, registration and handling of incidents or likely incidents in the ordinary course of business and in special circumstances.

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the event of a personal data breach, third parties which should not have access to the personal data, have gained access to the personal data. In most cases a personal data breach is the result of leaked computer files, lost USB drives, lost or stolen computers/laptops or business telephones. Other examples include cyber attacks (including DDos), or email sent to wrong addresses.

Message and registration

Data subjects, processors or third parties can report an incident. Incidents are to be reported to the Secretary General.  The Secretary General considers whether the incident should be classified as a personal data breach according to the schedule* as published by the Autoriteit Persoonsgegevens.

personal data breach steps

In the case of a personal data breach, the Secretary General shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Autoriteit Persoonsgegevens, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the Autoriteit Persoonsgegevens is not made within 72 hours, the Secretary General shall explain the reasons for the delay.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Secretary General shall communicate the personal data breach to the data subject without undue delay. Data subjects will not be informed when:

  1. IFLA has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
  2. IFLA has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  3. it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

*Autoriteit Persoonsgegevens | De meldplicht datalekken in de Wbp.