Although we understand that not all risks can be completely mitigated, we operate a robust and structured system of controls, measures and processes to help protect data subjects and their personal information from the risks associated with processing data. The protection and security of the data that we hold and use, including personal information, is paramount to us.
The purpose of this policy is to set out the Company’s intent, objectives and procedures regarding data breaches involving personal information. As a regulated company, we have developed this dedicated data breach policy that is specific to personal information and the breach requirements set out in the GDPR.
As we have obligations under the GDPR and UK data protection law, we also have a requirement to ensure that the correct procedures, controls and measures are in place and disseminated to all employees if a personal information breach occurs. This policy also notes our processes for reporting, communicating and investigating any such breach.
Whilst it is the Company’s aim to prevent data breaches where possible, we do recognise that human error and risk elements occur in business that prevent the total elimination of any breach occurrence. We also have a duty to develop protocols for data breaches to ensure that employees, the supervising authority and regulating and/or accreditation bodies are aware of how we handle any such breach.
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas), and pertains to the processing of personal information.
Data security incidents and breaches should always be reported and investigated without delay. The Company has obligations to:
- take appropriate technical and organisational measures to prevent accidental or unlawful loss, destruction, alteration, unauthorised disclosure and unauthorised access to data
- investigate quickly
- report certain breaches promptly to the Information Commissioner's Office (ICO)
- in some circumstances, tell those affected by a breach
- make sure we contain the situation and prevent the situation from escalating
- take remedial action
- take measures to prevent the same sort of incident from happening again
- in some cases, inform third parties, for example the police or our insurers
A security incident is an event that may indicate that the Company’s systems or data have been compromised. This may or may not lead to a personal information breach; however, security incidents should always be reported so that we can check whether a breach has occurred, or take action to prevent a similar incident leading to a breach in future. Examples of incidents include:
- unauthorised disclosure of information;
- unauthorised access to information;
- unauthorised modification of information;
- loss of information;
- unauthorised access to premises where information is kept;
- IT systems back-up process failure;
- theft of an asset on which information is stored (hardware or information in electronic format);
- introduction of malicious (malware, virus) software on to the Company’s IT systems/network;
- wilful damage to an information asset;
- events which have an impact on business continuity, e.g. denial of service attacks, data centre outages, utilities failures, building closures etc., and which may adversely affect the availability of information.
A personal information breach is a data security incident which, as a result of:
- a failure in a technical measure to prevent a breach; and/or
- a failure in an organisational measure to prevent a breach;
which leads to the accidental or unlawful loss, destruction, alteration, unauthorised disclosure of, or unauthorised access to, personal information. Examples of personal information breaches include:
- A manager sends a spreadsheet containing employees’ bank details to a benefits provider who is going to send an annual statement to the employees. The benefits provider clearly does not need this information to perform their role. This is a security breach, as the member of management should have known not to send the information and it has led to the unauthorised disclosure of personal information.
- A Company employee e-mails confidential personal data about a number of guests/customers to their private Gmail account in order to work on it at home. This is a security breach, as personal data has been sent to an insecure e-mail account in breach of Company policy. As we have no way of knowing whether this data has been intercepted, we have to treat it as lost. The data could also be downloaded to the employee’s home computer, which may not be secure and might be used by other members of the household.
- A Company employee leaves the organisation but their access to a web-based system containing personal information has not been removed. Either we can show that the leaver has accessed the system, or we do not know whether the system has been accessed or not. This is a security breach, as there has been, or may have been, unauthorised access to personal information and the Company’s organisational measures have failed.
- A Company employee leaves a paper copy of a candidate’s application form on public transport. This is a breach, as personal data has been lost and rendered vulnerable as a result.
The earlier a breach or incident is reported, the more likely it is that the situation can be contained and the data recovered or, if that is not possible, that the breach can be managed and the appropriate people informed. The impact on, and consequences for, the person who may have caused the breach, the Company and the person whose data has been disclosed are likely to be worse if there is a delay in reporting or an attempt is made to conceal the breach.
Reporting an incident is the first step in recovering any incident and preventing further damage. As soon as you become aware of a breach or an incident you MUST report it.
This does not mean that, if you make a mistake and cause a breach, there will be no consequences for you if you report it quickly; however, matters will be far more serious for you if you fail to notify it and it is subsequently discovered.
For example, if a breach involving employee, guest or customer data is not reported, the personal data could be disclosed further, or the breach might be discovered by the data subject or a third party before the Company has had a chance to do anything about it. Someone might make a complaint, go to the press or go to the Information Commissioner. The data subject may suffer further distress, loss or embarrassment as a result of the breach not being contained. The Company may suffer reputational damage if the breach is reported in the press. The Company may also be held to account by the Information Commissioner, not only for having a data breach, but for not dealing with the breach quickly enough or not having adequate breach procedures, and may incur substantial fines. These matters will make the situation more serious for the person who caused the breach and for anyone else who knew about it and did not report it, so it is always in everyone’s best interests to report immediately.
Breach incident procedure
It is everyone’s responsibility to report incidents.
If you have caused the breach or incident, you must treat it as a priority and immediately report the matter to your line manager, the Privacy Officer and the Managing Director. This applies within and outside office hours (i.e. on a 24×7 basis). If for any reason you feel you cannot tell your line manager, the Privacy Officer or the Managing Director, please refer to the Whistleblowing Policy.
If someone reports a breach to you as a line manager, you must treat it as a priority and immediately inform the Privacy Officer and the Managing Director. You need to gather all relevant information about the breach and the circumstances of the breach, including (but not limited to):
- The nature of the breach
- The categories and approximate numbers of individuals and personal data records concerned
- What caused the breach (if immediately apparent)
The Company Breach Incident Form will be completed for any data breach, regardless of severity or outcome. Completed forms are logged in the Company’s Breach Incident Folder and reviewed against existing records to identify patterns or recurrences.
Do not discuss any cases of personal data breaches or near misses with anyone other than in accordance with this procedure, especially anyone outside the Company. If anyone enquires about a data breach, please refer them to the Privacy Officer in the first instance.
Assessing and investigating the breach
Once a breach or incident has been reported the Privacy Officer for the Company will make an initial assessment of the breach or incident.
Given the time constraints of reporting to the ICO, the most crucial issue will be to get the relevant information quickly. The level of the investigation will be kept under review, as the seriousness may increase or decrease as more information is gathered.
The type of breach or incident and how serious or complicated it is will determine who should lead on the investigation.
The factors taken into consideration as to how serious a breach is will include:
- Whether, if unaddressed, the breach is likely to have a detrimental effect on data subjects, e.g. it may result in distress, discrimination, damage to reputation, fraud risk, financial loss, loss of confidentiality or any other significant economic or social disadvantage
- How many data subjects have been affected
- Whether there is a significant risk of legal action against the Company or of damage to the reputation of the Company
- Whether the incident highlights significant technical or organisational failures in respect of data security
The assessment will:
- Identify whether the matter is an incident or a breach
- Assess whether the incident or breach is low, medium or high risk
- Recommend whether the investigation will require specialist expertise, such as IT security
- In the case of a data security breach, determine whether notification to the ICO is required
- Make an initial recommendation as to whether data subjects need to be informed
- Recommend whether third parties need to be informed, such as the police or insurers
- Recommend who should investigate the breach
- In the case of a high-risk breach, recommend that a security breach team is required and recommend who should be on this team
Where the initial assessment cannot be carried out due to a lack of information, a request for further information will be made to the person who reported the matter, their line manager and another Director.
Notification to the ICO
Notification to the ICO is required by law within 72 hours of the organisation becoming aware of the breach in the case of any breach that is likely to result in a risk to the rights and freedoms of individuals. This means that, if unaddressed, the breach is likely to have a detrimental effect on data subjects, e.g. it may result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. The ICO recognises that it may not be possible to investigate a breach fully within this time period, and information may be provided in phases; however, it is crucial to make the notification within 72 hours.
The Company’s Privacy Officer will make any required notifications to the ICO.
At a minimum, any notification to the ICO must include the following:
- A description of the breach, including, where possible:
  - The categories and approximate number of individuals affected. The level of detail for categorisation might be, for example, children, employees or customers etc.;
  - The categories and approximate number of personal data records concerned. Again, categorisations might include health data, financial details, bank account numbers, passport numbers etc.;
- The likely consequences of the breach, e.g. ID theft, fraud, financial loss etc.;
- The measures taken or proposed to be taken to address the breach, including, where possible, measures to mitigate its effects.
Where a number of similar incidents occur, organisations may submit one ‘bundled’ notification in respect of all of them. Any decision as to how to proceed should be taken by the Privacy Officer.
Investigating the breach
The data security breach should be investigated to determine the nature of the breach and any ongoing risk. Following the initial report and during assessment, any immediate risks and containment measures should be addressed; the investigation should then look into:
- The nature and cause of the breach (human or systems)
- The extent of the damage or harm that results or could result from the breach.
- What type of personal data is involved?
- What caused the breach?
- What is the potential harm?
- Are there wider consequences e.g. reputation, public safety or disciplinary issues?
- Will anyone else be able to provide help or advice to the Company or its employees, guests or customers? (e.g. banks if personal financial details involved)
Where the data breach is the result of human error, an investigation into the root cause is to be conducted and a formal interview with relevant employee(s) held. A review of the procedure(s) associated with the breach will be conducted and a full risk assessment completed in accordance with the Company’s Risk Assessment Procedures. Any identified gaps that are found to have caused/contributed to the breach are revised and risk assessed to mitigate any future occurrence of the same root cause.
Resultant employee outcomes of such an investigation can include, but are not limited to:
- Re-training in specific/all compliance areas
- Re-assessment of compliance knowledge and understanding
- Suspension from compliance related tasks
- Formal warning (in-line with the Company’s disciplinary procedures)
Where the data breach is the result of a system error/failure, the Company will seek specialist support to assess the risk and investigate the root cause of the breach. A gap analysis is to be completed on the system(s) involved, and a full review and report is to be added to the Breach Incident Form.
Any identified gaps that are found to have caused or contributed to the breach are to be revised and risk assessed to mitigate and prevent any future occurrence of the same root cause. Full details of the incident should be determined, and mitigating action such as the following should be taken to limit the impact of the incident:
- Attempting to recover any lost equipment or personal information
- Shutting down an IT system
- Removing an employee from their tasks
- The use of back-ups to restore lost, damaged or stolen information
- Making the building secure
- If the incident involves any entry codes or passwords, these must be changed immediately and members of staff informed
Alongside the breach investigation there will be various actions which need to be taken, often simultaneously with reporting, assessment and investigation. There may be matters which can be dealt with immediately and others which require further investigation.
Containment and recovery
It is imperative to contain the breach (e.g. stop the unauthorised practice, recover the missing records or shut down/limit access to the system responsible). Other departments and possibly external agencies may be called on to assist.
Informing people about the breach
It is a legal requirement to tell people whose data is subject to a breach where the breach is likely to result in a high risk to their rights and freedoms. Such notification should include:
- A description of the nature of the breach;
- A description of the likely consequences of the breach; and
- A description of the measures taken or proposed to be taken by the organisation to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. This might include advice regarding change of passwords etc.
If the breach is sufficiently serious to warrant notification to the public, there must not be undue delay in such notification. Notification to the public will be considered at the assessment stage and kept under review through the investigation, and a decision to do so will be taken by the Privacy Officer and the Managing Director. If telling the person or people concerned is appropriate or required, a decision will need to be made about the best way to communicate it to them (e.g. for vulnerable persons a phone call or a home visit may be more appropriate than a formal letter).
Any communication should be focussed solely on the breach and its consequences. It should not, for example, include any marketing content, newsletters or other general content.
It may be appropriate to communicate the occurrence of incidents to other appropriate bodies. These may include:
- Law Enforcement – notifying an incident to law enforcement agencies if any of the conduct concerned may have involved criminal activity; and
- Insurers – it may be a requirement of the Company’s insurers that any incident is notified to them promptly if any relevant insurance is to respond.
Any recommendation as to whether to notify any of these bodies should be identified in the initial assessment of the incident by the Privacy Officer.
Evaluation and response
Once an investigation is complete the investigating officer and the Board of Directors will evaluate the breach response and conclusion of the investigation and make recommendations as to:
- Measures to be taken in response to the breach and to prevent similar breaches;
- Measures to improve data security; and
- Measures which could improve breach response.
Any non-compliance with this policy or any sub-policies referenced herein may result in disciplinary action, up to and including dismissal without notice.
Acknowledgement of receipt
You confirm that you have read and understood this Data Breach Procedure.