The words Incident and Breach can be quite worrying, the connotation behind them being especially scary when your business primarily deals with seafaring vessels. However, as with what happens on a ship when a Breach occurs, if we deal with it quickly and calmly and follow the proper process, then it’ll just be a small bump in the journey and nothing to worry about.

As you can imagine, the last thing you want to do though is just leave that breach alone and hope it fixes itself.

What is a personal data breach?

A personal data breach is officially described as “a breach of security, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data”. In English? If personal data has been lost, destroyed, incorrectly disclosed or corrupted it should be considered a Personal Data Breach which must be reported to Privacy@carnivalukgroup.com.

As an example, if a Guest doesn’t correctly answer their identity verification questions but is still able to make changes to their account, this isn’t a breach, as long as it is still the correct Guest making the changes. We still made a mistake because the Guest didn’t pass their identity verification and therefore shouldn’t have been able to make changes to their account, but this is not a personal data breach – it’s a process failure.

The identity verification process exists to make sure that we know we’re talking to the right person. If, in the same situation, it’s not the correct Guest and we share another Guest’s details, this would be a breach because we incorrectly disclosed their data.

What about if we accidentally email the wrong Guest, is that a personal data breach?

We can use a simple two-stage test here.

  1. Was there personal data involved?
  2. Was that personal data incorrectly lost, destroyed, disclosed, or corrupted?

Let’s look at number one first. Personal data is anything that can be used to identify an individual, either directly or indirectly; that includes something as simple as a name, email address, account reference or booking reference. The chances are that the email does include personal data.

On point two, we know that we have emailed the wrong Guest, so yes, we have disclosed information to another individual.

What if we accidentally send an email intended for another colleague to someone outside the business?

Here we would use our two-step check again. Was personal data involved and if so, was it lost, destroyed, disclosed, or corrupted?

If your email was just a “Hi how are you” with your own signature included, then while it’s not very professional and will probably need an apology, it’s not a personal data breach.

How to report a breach?

There is one surefire way to know whether you’re dealing with a personal data breach or not: rely upon the expertise of the Privacy and Data Protection Team in Carnival UK. Simply pop an email over to the inbox at Privacy@carnivalukgroup.com.
