All users need to read, understand, and comply with this Policy.
The Company collects, holds, processes and shares large amounts of personal data and has an obligation to ensure that it is kept secure and appropriately protected.
Information is a key Company asset and as such ensuring the continued confidentiality, integrity and availability is essential to support the Company operations. The Company is also required to operate within the law, specifically the expectations set out in the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (UK-GDPR).
Data security breaches are increasingly common occurrences whether these are caused through human or technical error or via malicious intent. As technology trends change and the volume of data and information created grows, there are more emerging ways by which data can be breached. The Company needs to have in place a robust and systematic process for responding to any reported potential data security breach, to ensure it can act responsibly, protect individual’s data, Company information assets and reputation as far as possible.
Data security breaches will vary in impact and risk depending on the content and quantity of data involved, the circumstances of the loss and the speed of response to the incident. By managing all perceived data security breaches in a timely manner, it may be possible to contain and recover the data before it an actual breach occurs, reducing the risks and impact to both individuals and the Company. Breaches can result in fines for loss of personal information and significant reputational damage, and may require substantial time and resources to rectify the breach. As of May 2018, the GDPR replaced the DPA with fine limits increasing up to €20 million for a breach. Breach reporting within 72 hours of identifying a breach is mandatory under the GDPR, with fines of up to €10 million for failing to report a breach.
2.1. The purpose of this procedure is to ensure that:
2.2. This document sets out the procedure to be followed to ensure a consistent and effective approach in managing personal data security breaches across the Company.
3.1. This procedure applies to all staff, partner organisations and partner staff, suppliers, contractors, consultants, representatives and agents that work for or process, access, use or manage personal data on behalf of the Company.
3.2. This procedure relates to all personal and special category (‘sensitive’) information handled, stored, processed or shared by the Company whether organised and stored in physical or IT based record systems.
4.1. What is a data security breach?
A personal data security breach means “a breach of security leading to the loss, unauthorised destruction, alteration or disclosure of, or access to, personal data transmitted, stored or otherwise processed”</strong >.
A data security breach is considered to be any loss of, or unauthorised access to, Company data, normally involving Personal or Confidential information including intellectual property.
Data security breaches include the loss, modification, or theft of data or equipment on which data is stored, inappropriate access controls allowing unauthorised use, human error (e.g. information sent to the incorrect recipient), hacking attacks and ‘blagging’ where information is obtained by deception.
A personal data breach in the context of this procedure is an event or action that has affected the confidentiality, integrity or availability of personal data, either accidentally or deliberately, that results in its security being compromised, and has caused or has the potential to cause damage to the Company and/or the individuals to whom the information relates to.
4.2. What is a data security incident?
A data security incident is where there is the risk of a breach but a loss or unauthorised access has not actually occurred.
It is not always clear if an incident has resulted in a breach; by reporting all perceived data breaches quickly, steps can be taken to investigate, secure the information and prevent the incident becoming an actual breach (e.g. by reporting an email IT can remove the email before it has been read and therefore the data has been contained and not been seen by the incorrect recipient).
For the purposes of this policy, data security breaches include both confirmed and suspected incidents and breaches.
4.3. A data breach incident includes, but is not limited to:
5.1. The Company adopts a culture in which data protection breaches are reported. Any staff, contractor, partnership organisation, partner staff or individual that processes, accesses, uses or manages personal data on behalf of the Company is responsible for reporting information security incidents and data breaches immediately or within 24 hours of being aware of a breach to their supervisor or to the Data Protection Officer at dpo@topimpact.co.uk, who will investigate the potential breach.
5.2. If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.
5.3. A Data Breach Report Form (see Appendix 1) should be completed as part of the reporting process. The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, the nature of the information and how many individuals are involved.
6.1. The Data Protection Officer in liaison with the Head of Information Systems and Technology will determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
6.2. An initial assessment will be made to establish the severity of the breach, who will take the lead as designated Investigating Officer to investigate the breach (this will depend on the nature of the breach) and determine the suitable course of action to be taken to ensure a resolution to the incident.
6.3. The Investigating Officer will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
6.4. The Investigating Officer will establish who may need to be notified as part of the initial containment.
6.5. Advice from experts across the Company such as IT, HR and legal and in some cases contact with external third parties may be sought in resolving the incident promptly.
7.1. An investigation will be undertaken by the Investigating Officer immediately and wherever possible within 24 hours of the breach being discovered/reported.
7.2. The Investigating Officer will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how likely they are to happen and how serious or substantial they are.
7.3. The level of risk associated with a breach can vary depending on the type of data and its sensitivity.
7.4. The investigation will need to consider the following:
8.1.The Investigating Officer in consultation with the Data Protection Officer, Head of Information Systems and Technology, will determine who needs to be notified of the breach.
8.2. Any notification must be agreed by the management.
8.3. Every incident will be assessed on a case-by-case basis.
8.4. Not every incident merit notification and over notification may cause disproportionate enquiries and work.
The following will need to be considered:
8.5. If a breach is likely to result in a high risk to the rights and freedoms of individuals, notification to the individuals whose personal data has been affected by the incident must be without undue delay describing:
8.6. If the Company decides not to notify the individuals affected, it will still need to notify the ICO unless it can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.
8.7. The Investigating Officer and/or Data Protection Officer and Registrar must consider notifying third parties such as the police, insurers, professional bodies, bank or credit card companies who can help reduce the risk of financial loss to individuals. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
8.8 The Investigating Officer and/or Data Protection Officer will consider whether the Marketing and Communications Team should be informed regarding a press release and to be ready to handle any incoming press enquiries.
8.9. All personal data breaches and actions will be recorded by the Data Protection Officer regardless of whether or not they need to be reported to the ICO.
9.1. Data protection breach management is a process of continual review. Once the initial incident is contained, the Data Protection Officer will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
9.2. Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
9.3. The review will consider:
9.4. Regardless of the type and severity of incident, there will always be recommendations to be made even if it is only to reinforce existing procedures.
9.5. All recommendations will be assigned an owner and have a timescale by when they should be implemented which has a dual purpose. The first is to ensure that the Company puts in place whatever measures have been identified and that there is an individual that can report back to the Data Protection Officer on progress. The second is that where incidents are reported to the ICO, the Company can demonstrate that the measures have either been put in place or that there is a documented plan to do so.
9.6. Identifying recommendations is more than just damage control. The knowledge of what has happened together with the impact is a fundamental part of learning and continual improvement which can then be disseminated throughout the Company.