Data breach policy

Overview

As an organization that processes personal data, Crick Software must ensure appropriate measures are in place to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. The General Data Protection Regulation specifies that all breaches (except those ‘unlikely to result in a risk to the rights and freedoms of natural persons') should be reported to the Information Commissioner.

In the event of a data breach or an information security incident, it is important that appropriate actions are taken to promptly report the breach to the Data Protection Team who will manage the incident and minimize associated risks.

This procedure is designed to set out the process that should be followed to ensure a consistent and effective approach is in place for managing a data breach and ensure that:

  • Data breach events are detected, reported and monitored consistently
  • Incidents are assessed and responded to appropriately
  • Action is taken to reduce the impact of a breach
  • Relevant breaches are reported to the Information Commissioner within the 72-hour window
  • Improvements are made to prevent recurrence
  • Lessons learned are communicated to the wider organization

Responsibilities

All users of information assets across Crick Software have familiarized themselves with this procedure, and are therefore aware of privacy risks and the need to be vigilant in order to ensure breaches are identified, reported and managed in a timely manner.

Support is provided to ensure everyone has access to the appropriate skills and training to carry out their role effectively. Gross negligence and intentional violations (including not reporting incidents/mistakes) are taken seriously and will lead to disciplinary action.

Procedure

1. Identify a data breach

A data breach can happen for a number of reasons, for example:

  • Loss or theft of data or equipment on which data is stored, or through which it can be accessed
  • Loss or theft of paper files
  • Hacking attack
  • Inappropriate access controls allowing unauthorized access to data
  • Sending personal data to an incorrect recipient
  • Equipment failure
  • Human error
  • Deliberate or accidental action (or inaction) by a controller or processor
  • Unforeseen circumstances such as a fire or flood

2. Reporting an incident

As soon as a data breach is identified or suspected, it must be reported immediately to the Data Protection Team. The General Data Protection Regulation requires that all relevant breaches are reported to the Information Commissioner ‘without undue delay … not later than 72 hours after having become aware of it.’

As much information as is immediately available should be collated and given to the Data Protection Team who will look at the information, update the Personal Data Breach Log and ascertain whether any immediate corrective or containment actions are required.

The GDPR legislation defines a breach as:

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.” (Recital 85)

3. Investigating an incident

Depending on the type and severity of the incident the Data Protection Team will assess whether a full investigation into the breach is required. Where required the Data Protection Team will appoint an appropriate investigator who will complete a full breach report.

The investigation will:

  • Establish the nature of the incident, the type and volume of data involved and the identity of the data subjects
  • Consider the extent of a breach and the sensitivity of the data involved
  • Perform a risk assessment
  • Identify actions Crick Software needs to take to contain the breach and recover information
  • Assess the ongoing risk and actions required to prevent a recurrence of the incident

4. Reporting a breach to the Information Commissioner

The Data Protection Team will co-ordinate breach reporting to the Information Commissioner within 72 hours of becoming aware of a relevant breach.

The GDPR legislation requires that this includes:

  • A description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned
    • the categories and approximate number of personal data records concerned
  • The name and contact details of the data protection team or investigator
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects

Call the ICO (Information Commissioner's Office) on 0303 123 1113 or report the incident online at: https://ico.org.uk/