1 PURPOSE
1.1 This document sets out how we deal with an incident and breach reporting. It should be read in conjunction with our General Data Protection Policy.
1.2 This policy is not contractual and therefore may be subject to change. However, it does set out how we normally deal with such issues and therefore the content should be regarded as a reasonable management instruction.
2 SCOPE
2.1 This document covers how incidents and breaches should be detected, our expectations on how they should be handled and our policy for notifying necessary parties.
2.2 This is an internal policy and it applies to all employees, workers and any other internal persons who may have responsibility for or a vested interest in the operations of the organisation.
2.3 The document may be shared with third parties, contractors and other self-employed persons who will be asked to comply with the policy.
3 CULTURE
3.1 The Company is keen to promote an open reporting culture for all incidents and breaches of personal data. We are legally bound to record every event, and this requires the cooperation of every member of staff.
3.2 Therefore, we encourage everyone to be continually and actively aware of potential incidents and breaches. Anything that is witnessed or discovered should be documented under the respective procedure as set out in this document.
3.3 No one will be penalised or should suffer detrimental treatment for correctly reporting a suspected incident or breach which is made in good faith.
3.4 The Company advocates honesty and will take into account prompt, upfront and cooperative conduct in respect of any significant incidents or breaches where appropriate.
4 INCIDENTS
4.1 What is an incident?
4.1.1 An incident is something which could be perceived as a lapse or weakness in the protection of personal data.
4.2 Examples of incidents
4.2.1 Incidents may take many forms and so staff are encouraged to continually be aware of privacy and any situations or areas of the business which could be considered an incident.
4.2.2 Examples of incidents include; leaving a secure door open, a confidential document disposed of in a bin rather than a secure bin or shredder or leaving a computer screen unlocked and unattended.
4.3 Why we log them
4.3.1 Data protection laws require us to ensure that every incident regarding personal data is logged.
4.3.2 Incidents are reviewed periodically. There are several reasons for this including; the identification of trends and common areas of weakness, the identification of training needs and reviewing the appropriateness and effectiveness of privacy and security measures.
4.4 Employee responsibilities
4.4.1 Everyone is responsible for ensuring that they avoid creating an incident.
4.4.2 Everyone is responsible for ensuring that every incident they are aware of has been logged. This is never more vital than when an incident seems to be ‘unusual’.
4.5 Logging an incident
4.5.1 In the event of an incident this should be logged by the Data Controller.
4.5.2 If you are not sure whether an incident should be logged, you are advised to do so. If you are not sure whether an incident is a breach, you are advised to report it as a breach.
4.5.3 The most appropriate person to log an incident will usually be the individual who witnessed it.
5 BREACHES
5.1 What is a breach?
5.1.1 A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or inappropriate use of, personal data.
5.2 Examples of breaches
5.2.1 Breaches may take many forms and so staff are encouraged to continually be aware of privacy and any situations or areas of the business which could be considered a breach.
5.2.2 A breach may be anything which has, or could result in, a form of damage such as; the loss of control over personal data and its circulation, discrimination, theft, fraud, financial loss, reputation or the restriction of a data subject’s rights. This is not an exhaustive list.
5.3 Why they must be reported
5.3.1 Data protection laws require us to ensure that every potential or actual breach to personal data is logged so that we can review any weaknesses in security etc. However, they also require us to notify the relevant supervisory authority without delay and not later than 72 hours of awareness, if an actual breach has, or is likely to, put a data subject at risk of detriment.
5.3.2 The Company has a legal obligation to ensure that every reasonable step is taken to mitigate any risks a breach may cause a data subject, without delay.
5.4 Employee responsibilities
5.4.1 Everyone is responsible for ensuring they take every reasonable step to avoid creating a breach. This includes ensuring that the appropriate available tools, processes, knowledge and any other resources available which protect privacy and security of personal data, are utilised correctly.
5.4.2 Everyone is responsible for ensuring that if they are in doubt about the most appropriate or effective way to protect personal data, that they seek advice from a senior colleague before putting data at risk. This should happen in a timely manner to prevent disruption to your duties.
5.4.3 Everyone is responsible for ensuring that every potential or actual breach they are aware of has been reported using the relevant reporting process
5.4.4 Any person acting as a processor within the Company is responsible for ensuring that the controller is notified without undue delay after becoming aware of a personal data breach.
5.5 Reporting a breach
5.5.1 In the event of a breach, the breach notification form should be completed and the instructions within it must be followed. This can be found at the end of this policy.
5.5.2 Even if you are not sure whether a breach should be reported to the relevant supervisory authority, you are required to report this to the Controller.
5.5.3 The most appropriate person to report a breach will usually be the individual who witnessed it.
6 NOTIFYING THE SUPERVISORY AUTHORITY
6.1 Notify within 72 hours
6.1.1 A breach must be notified to the relevant supervisory authority, namely the Information Commissioner’s Office within 72 hours of awareness.
6.1.2 Everyone is expected to do what they can to ensure that such a breach is made known to the Controller without delay. It should take priority over immediate duties.
6.1.3 It is the Controller’s ultimate responsibility to ensure the breach has been notified to the authority.
6.1.4 A breach must be reported if it is likely to result in a risk to a data subject. Therefore, a breach must be reported regardless of whether or not the risk is considered to be high.
6.1.5 A breach would not need to be notified to the supervisory authority if the Controller determines that it is unlikely to result in a risk to the data subject.
6.2 Notification requirements
6.2.1 The notification must include at least:
- the nature of the personal data breach
- where possible, the categories of data subjects concerned (eg employees)
- where possible, the approximate number of data subjects concerned
- where possible, the categories and approximate number of records concerned
- the name and contact details of a point of contact
- a description of the likely consequences of the breach
- a description of the measures that have been taken, or will be taken, to address the breach or mitigate any adverse effects
6.2.2 If an exceptional circumstance should arise in which it is not possible to provide all the required information at the same time, the information may be provided to the authority in stages so long as there is no further undue delay. Reasons for any delay, especially a delay that exceeds the 72-hour deadline, must be explained to the authority as part of the notification.
6.2.3 The Controller is responsible for ensuring that the facts relating to the breach, its effects and the remedial action taken are documented in order to demonstrate compliance with data protection laws.
6.2.4 Any subsequent instructions or guidance issued by the supervisory authority must be followed without delay where reasonably possible.
7 NOTIFYING DATA SUBJECTS
7.1 Notify a high risk without delay
7.1.1 A breach must be notified to a data subject, but only if it is likely to result in a high risk.
7.1.2 It is the Controller’s ultimate responsibility to ensure that the data subject is notified without delay and in cooperation with the supervisory authority.
7.2 Notification requirements
7.2.1 The notification must be in clear and plain language and must include at least:
- the name and details for a point of contact
- a description of the likely consequences of the breach
- a description of the measures that have been taken, or will be taken, to address the breach or mitigate any adverse effects
- where possible, recommendations on how the individual may take further precautions to mitigate any adverse effects
7.3 Exceptions
The data subject will not be notified if any of the following conditions apply:
7.3.1 Measures have been applied which make the personal data unintelligible to anyone who is not authorised to access it. For example, if the data has been encrypted.
7.3.2 Subsequent to the breach, measures have been taken which make the high risks identified unlikely to materialise.
7.3.3 Notification to individuals would require a disproportionate effort, such that a public broadcast or similar would be more appropriate.
8 THIRD PARTIES
8.1 Any third party acting as a processor on behalf of the Company is responsible for ensuring that the controller is notified without undue delay after becoming aware of a personal data breach.
8.2 If any self-employed person, contractor or third-party notifies the Company of an incident or breach, then the incident must be logged, or the breach reported immediately in accordance with the respective procedures set out in this document. The most appropriate person to do this will usually be the person whom the third party notified.
9 BREACH AND INCIDENT RESPONSE MANAGEMENT POLICY
9.1 A team made up of representatives across the Company regularly review the incidents and breaches that are logged and reported. This team is responsible for ensuring that our processes for detecting and responding to incidents and breaches are stress tested. Tests and reviews are conducted periodically and when any new technologies or systems could impact or improve our ability to deal with incidents and breaches.
9.2 Particularly in the event a breach is reported, the breach will be investigated by the Data Controller. The Managing Director will determine the Company’s obligations for compliance with the relevant supervisory authority, and data protection laws.
9.3 Breaches are reviewed by the Controller to determine whether there are any which are likely to result in a risk.
9.4 Whether or not a breach is considered to be ‘likely to result in a risk’ shall be determined by whether the rights and freedoms of a data subject could be jeopardised. It will not be determined by how severe the perceived consequences are.
9.5 Whether or not a breach is ‘high risk’ will be determined by either the potential or actual impact to a large number of data subjects or the potential or actual severity and significance of damage to an individual.
9.6 The Controller has ultimate responsibility for ensuring that the Company records every breach that occurs. This record must mirror the information that would be required in a notification to a supervisory authority. This includes breaches which the Company has decided do not need to be notified to the authority as well as breaches that do need to be notified. Breaches which the Company decides do not need to be notified are stored with the justification for that decision.
10 NON-COMPLIANCE
10.1 This policy, along with associated documents, seeks to guide and instruct all members of staff on how they should ensure compliance with data protection laws which the Company is subject to.
10.2 Any non-compliance will be treated as per the General Data Protection Policy and in accordance with the Disciplinary Policy.
11 RELATED POLICIES AND DOCUMENTS
- Disciplinary policy
- General data protection policy
- IT policy
- Retention and destruction policy
- Whistleblowing policy
The above list is not exhaustive.
12 FURTHER INFORMATION
Any queries or comments about this policy should be addressed to the HR Team.
13 POLICY OWNER
This policy is owned and maintained by the Managing Director.
14 POLICY REVIEW DATE
Date of implementation:
15 SERIOUS BREACH NOTIFICATION FORM
15.1 In the event of a potentially serious or significant data breach please follow the instructions within this form. First complete section 1.