Data Breach Policy
(Name of organisation) holds and processes personal data. Every care is taken to protect
such data from incidents (either accidental or deliberate) which may result in a data
protection breach that could compromise security. We recognise that any compromising of
the information we hold, whether in terms of breach of confidentiality, integrity or
availability, may result in harm to individual(s), reputational damage and/or a detrimental
effect on service provision. It may also amount to legislative non-compliance and/or result
in financial costs.
Our objective is to contain any breaches, to minimise the risk associated if a breach does
occur and to consider what action is necessary to secure the relevant data and prevent
further such incidents.
Purpose of the Policy
This policy recognises the duty imposed by the General Data Protection Regulation (GDPR)
to report certain types of personal data breach to the relevant supervisory authority (the
Information Commissioner’s Office (ICO)) within 72 hours of becoming aware of the
incident. It sets out how we plan to prevent such a breach, the steps we will take if it
nevertheless becomes apparent that one has occurred and the responsibilities of various
members of staff within this process.
Scope of the Policy
This policy relates to all personal and special categories of data (including commercially
sensitive information) held by (name of organisation) regardless of format. It applies to all
staff including temporary, casual or agency workers and contractors, consultants, suppliers
and data processors working for, or on behalf of the organisation.
Under GDPR, personal data is “any information relating to an identified or identifiable
natural person (data subject); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a name, an
identification number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social identity of that
Identifying a Data Breach
A personal data breach means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This
includes breaches that are the result of both accidental and deliberate causes. It also means
that a breach is more than just about losing personal data as it can include:
1. access by an unauthorised third party2. attacks on a website
3. deliberate or accidental action (or inaction) by a controller or processor
4. sending personal data to an incorrect recipient
5. computing devices (laptops, USB sticks, etc) or paper records containing personal data being lost or stolen
6. accidental destruction of such equipment or files in a fire or flood
7. “blagging” offences where information is obtained by deceiving the organisation which holds it
8. alteration of personal data without permission
9. loss of availability of personal data.
In the context of the above examples, (name of organisation) recognises that there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example when it has been encrypted by ransomware.
While there is a corporate responsibility to ensure that all data is processed in accordance with GDPR and other relevant legislation, including the Data Protection Act 2018, certain members of the organisation have particular responsibilities in the event of a data breach. All persons covered by the scope of this policy are responsible for reporting actual, suspected, threatened or potential data breaches and for assisting with investigations as required, particularly if urgent action must be taken to prevent any or further damage.
However, the Data Protection Officer (DPO) (insert name and contact details) must be involved at the earliest opportunity and will be initially responsible for calculating the extent of the breach.
If the organisation does not have a nominated DPO, it should allocate these responsibilities to one person whose details should be included in this policy.
The steps to be taken in the event of an actual or suspected breach, including the immediate necessity of informing the DPO or the nominated person, must be included in any introductory briefing on information management and security procedures delivered to all new staff. It must be made clear at this early stage that failure to comply with these requirements may result in disciplinary action.
When a Breach Is Discovered
It is the responsibility of whoever discovers a breach, or potential breach, to collect full details (including dates and times) and, if known, the type of data and the number of data subjects involved. This information must be passed immediately, or, if the breach is discovered outside normal working hours, as soon as possible, to the DPO or the person responsible for data protection in the organisation.
Initial Action to Be Taken
Either the DPO or the person responsible for data protection must then take the following actions.
10. Ascertain if the problem is still ongoing and, if so, take the necessary steps to stop the breach continuing.
11. Make an initial assessment of the extent of the breach.
12. Decide, in consultation with the organisation’s management, who will carry out further investigation of the causes and likely impact of the incident.
13. Decide if it is of a level of seriousness that requires notification to the ICO (is there a risk to people’s rights and freedoms?) or the police (has the data been compromised/stolen by a criminal act?).
14. Establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
If it is decided that the breach is not of a level of seriousness that would require it to be reported, (name of organisation) will document and retain any evidence which justified this decision.
The person responsible for carrying out the investigation into a data breach will, within the first 24 hours (if possible), carry out an initial assessment of the extent of potential harm. This will focus on the:
15. type of data involved and its level of sensitivity
16. volume of data stolen, copied or compromised
17. number of data subjects involved (ie the persons affected or likely to be affected)
18. individuals/organisations that carried out the breach (if known)
19. extent to which the files involved were encrypted or password-protected.
Information to Be Supplied
If it is decided that a serious breach has occurred that must be reported to the ICO, the following information will be made available.
20. A description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned.
21. The categories and approximate number of personal data records concerned.
22. The name and contact details of the DPO or the person chosen to liaise with the authorities.
23. A description of the likely consequences of the personal data breach.
24. A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
It is accepted that organisations may not be able to carry out all the necessary checks, or to supply all the required information, within the laid-down 72-hour period. It is important, however, that initial contact is made within that period, even if it is only to explain why there will be a delay in supplying full details. In this event, the organisation should emphasise that it has made dealing with the breach a priority and is devoting all possible resources to the investigation. If in doubt, call the ICO helpline: 0303 123 1113.
Levels of Seriousness
When deciding whether a breach is sufficiently serious to be notified to the ICO, the following points should be borne in mind.
25. Is there a high risk of it adversely affecting the rights of data subjects?
26. Would notification enable them or others on their behalf to take mitigating action?
27. Would notification help to prevent the unauthorised or unlawful use of the data concerned?
28. Does this organisation have a contractual duty to take such action?
Not all breaches will merit being reported to the authorities but in all cases the persons affected should be informed of how and when the breach occurred, what has been done to correct the situation and what they may wish to do to further safeguard themselves. A contact within the organisation must be provided so that those affected have access to further information.
During the aftermath of a breach, in the reporting and investigation stages, the required information should not only be gathered and supplied as appropriate but should also be recorded. This should form the basis of a final report into the breach, to be prepared by the DPO or the person responsible for data protection, which will be considered at the highest level within the organisation (board, senior management, owner, etc.).
This report should include recommendations for remedial action and improvements in the organisation’s data protection policy as appropriate and should consider the need for further training of relevant staff.