Data Breach Procedure
As an organisation that processes personal data the we must ensure appropriate measures are in place to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The General Data Protection Regulation specifies that all breaches (except those ‘unlikley to result in a risk to the rights and freedoms of natural persons) should be reported to the ICO ‘without undue delay…not later than 72 hours after having become aware of it’.
In the event of a data breach or an information security incident, it is therefore vital that appropriate actions are taken to promptly report the breach to the Data Protection Officer (DPO) or whoever is the data protection lead who will manage the incident and minimise associated risks.
This procedure is designed to set out the process that should be followed to ensure a consistent and effective approach is in place for managing a data breach across the organisation and ensure that:
• Data breach events are detected, reported and monitored consistently
• Incidents are assessed and responded to appropriately
• Action is taken to reduce the impact of a breach
• Relevant breaches are reported to the ICO within the 72 hour window
• Improvements are made to prevent recurrence
• Lessons learnt are communicated to the wider organisation
3.1 Partners and Employees.
The partners and employees of the company have responsibility to Customers, Employees and anyone else whose data is processed, for ensuring that any privacy risks are managed.
All users of information assets across the company should familiarise themselves with this procedure, be aware of privacy risks and be vigilant in order to ensure breaches are identified, reported and managed in a timely manner.
4.1. Identification of a Personal Data Breach/Suspected Personal Data Breach
A personal data breach can happen for a number of reasons, for example:
• Loss or theft of data or equipment on which data is stored, or through which it can be accessed
• Loss or theft of paper files
• Hacking attack
• Phishing attack
• Inappropriate access controls allowing unauthorised/unnecessary access to data
• Equipment failure
• Human error
• Unforeseen circumstances such as a fire or flood
4.2. Reporting an Incident
It is vital that as soon as a Data Breach is identified or suspected it is immediately reported to the DPO. In order to improve our understanding of the risks to data and address them before breaches occur suspected breaches will be recorded and analyised.
As much information as is immediately available should be collated and the Data Breach Notification Form should be completed
The DPO will analyse the form, update the Data Breach Log and ascertain whether any immediate corrective/containment/escalation actions are required.
4.3. Investigating an Incident
Depending on the type and severity of the incident the DPO will assess whether a full investigation into the breach is required. Full timely cooperation of people involved here is key.
The investigation will:
a) Establish the nature of the incident, the type and volume of data involved and the identity of the data subjects
b) Consider the extent of a breach and the sensitivity of the data involved
c) Perform a risk assessment
d) Identify actions the organisation needs to take to contain the breach and recover information
e) Assess the ongoing risk and actions required prevent a recurrence of the incident.
4.4. Reporting Breach to the Information Commissioner and/or Data Subject
The DPO will co-ordinate breach reporting to the ICO within 72 hours of becoming aware of a relevant breach. The DPO will also evaluate whether the breach is ‘likely to result in a high risk to the rights and freedoms’ of the data subject. If this is determined to be the case the incident it will also be reportable to the data subjects without undue delay. Any such report will be coordinated by the DPO. Partners will be informed.
5. Associated documents and policies
This policy is to be read in conjunction with the related documents;
• Data Privacy Notice
• Data Security Policy
• Breach Reporting Form