Contextual factors to be considered in DPC scoring
Increasing factors:
- The volume of the breached data (for the same individual): this factor can increase the basic DPC score, because a larger quantity of breached information acts as an aggravating factor. The volume should be considered both in terms of time (e.g. same type of data over a certain period of time) and content (complementing data of the same type). For example, in case of a breach of traffic data at an ISP, the DPC score would be higher (for the same individual) if the data cover a period of one year than if they are limited to one week (time). As another example, in case of a breach at a bank, the DPC score of the complete file of an individual would be higher than that of a single document from the same file (content).
- Special characteristics of the data controller: this factor relates to the field of operation and the activities of the data controller, which could increase the basic DPC score of the data by revealing additional information about a certain data set. For example, the DPC score of a customer list would be higher if it comes from an online pharmacy than from a stationery shop.
- Special characteristics of the individuals: the basic DPC score of a certain data set could also be increased if the individuals belong to a social group with particular needs (e.g. minors, individuals of a particular group with special characteristics). For example, the DPC score of a list of telephone numbers would increase if it concerns known members of the national parliament.
Decreasing factors:
- Invalidity/inaccuracy of the data: the basic DPC score of a certain data set can be decreased if the invalidity or inaccuracy of the data is known to the controller (e.g. due to their age or content) and, thus, their significance is reduced. The controller needs to be certain of this circumstance to include it in the assessment. For example, a postal service's list of addresses where letters could not be delivered would be considered inaccurate (i.e. most probably the individuals have moved to another address).
- Public availability: the basic DPC score of a data set can also be decreased in case the breached data were already publicly available before the breach or can be easily collected and/or accessed through publicly available sources.
- Nature of data: another decreasing factor could in some cases be the very nature of a particular data set that, despite its initial DPC scoring, is of lower significance in terms of the information that it can reveal about the individual. This is, for example, the case of a medical certificate that merely certifies that the individual is in a good state of health without disclosing any other information. In this case, although the basic score would be 4 due to health data being sensitive data, the specific data set's final DPC score would be 1, as it cannot per se affect the individual's personal life. This factor, however, should be considered with great care and with a clear explanation of the reason why a particular data set is by nature of lower significance than its basic DPC score indicates.
Last modified: Saturday, 20 February 2021, 10:49 PM