St. Vincents hospital in Dublin is reported to have misplaced an external hard drive containing the medical records of a number of patients. It is reported that notices have been circulated amongst staff asking if anyone had seen the hard drive.

The incident has been reported to the Data Commissioner and an internal investigation is underway. The hospital is in the process of creating a report advising the Data Protection Office of the circumstances surrounding the loss of the hard drive and the implementation of measures that will prevent any future incidents of this nature.

The records relate to a number of patients who are believed to have attended the hospital during 2002 and 2008 suffering from laryngeal disorders.

The Data Protection Commissioner is unable to comment in detail until their own investigation into the matter is completed.

Irish companies that loose the personal data of more than 100 people will be obligated by law to report the breach to the authorities according to the new rules proposed by the Data Commissioner.

The only instance where a company or organisation can avoid having to report the breach is ensuring that data is encrypted and protected by a strong password, or in the case of lost or stolen equipment that a remote memory-wipe feature on a device be activated immediately.

In 2008 the Irish Government ordered a review to determine whether or not reporting obligations protected individuals sufficiently. It recommended that some kind of official guidance was necessary in the event of a breach.

The Irish Data Protection Commissioner has now published a draft Code of Practice outlining exactly when reports to him must be made.

“I have sought to bring forward a draft Code as quickly as possible after the Review Group report to respond to public concern in relation to organisations losing personal data under their control while at the same time not imposing an undue burden on those organisations,” said Irish Data Protection Commissioner Billy Hawkes.

In the event of an organisation loosing data comprising of sensitive medical or financial data then this must still be reported even if fewer that 100 people are involved.

“Data controllers who are required to report to the Office of the Data Protection Commissioner in accordance with this Code must do so within two working days of becoming aware of the incident,” said the guidance.

“Such data controllers are required to provide a detailed report of the incident reflecting careful consideration of … the amount and nature of the personal data that has been compromised; what action is being taken to secure and / or recover the personal data that has been compromised; what actions are being taken to inform those affected by the incident or reasons for the decision not to do so; what actions (if any) are being taken to limit damage or distress to those affected by the incident; and a chronology of the events leading up to the disclosure,” it said.

“The Office of the Data Protection Commissioner will investigate the issues surrounding the data breach,” it said. “Investigations may include on-site examination of systems and procedures and could lead to the use of the Commissioner’s legal powers to compel certain actions. Such actions may include a recommendation or requirement to inform data subjects about a security breach incident where a data controller has not already done so.”

The draft code of practice can be found here.

In the U.K. in April 2010 The Information Commissioner for the first time gained the power to fine organizations for violating the Data Protection Act. Fines up to £500,000 can be levied. In the case of Banks and Insurances companies other agencies have the power to impose even greater fines.

The European Union approved a data breach notification law last year as part of telecoms law reforms however this law only applies to telecoms firms. The Commission and Council rejected EU Parliament proposals to have the law apply to businesses that operate online, such as shops and banks.