Personal Data Breach Report Form
Controllers should use this form to notify the Isle of Man Information Commissioner (“the Commissioner”) of a personal data breach (“PDB”) in accordance with the Isle of Man’s data protection legislation.
A ‘personal data breach’ is defined as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” “Security” can be technical or organisational measures.
Taking swift action to contain, mitigate and recover from a PDB is vital. Do not delay in notifying the Commissioner of the PDB as the Commissioner may be able to provide advice and assistance at an early stage. However, failure to report PDBs may result in enforcement action.
Controllers must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, report a PDB to the Commissioner, unless the PDB is unlikely to result in a risk to the rights and freedoms of the affected data subjects. The PDB report must include reasons for the delay if not submitted within 72 hours.
Provide as much information as possible. Details of the steps taken, or proposed to be taken, to minimise or mitigate the risk to affected individuals should be included on this form. Additional information can be submitted in phases without undue further delay.
Where a personal data breach poses a high risk to the rights and freedoms of individuals, those affected individuals must be informed of the PDB (subject to certain exclusions).
Further guidance on personal data breach reporting is on the website at: https://inforights.im/organisations/data-protection-law-2018/personal-data-breach/