Introduction
Performance Accountancy holds, processes, and shares a large amount of personal data, a valuable asset that needs to be suitably protected. Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security. Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative noncompliance, and/or financial costs.
Purpose
We are obliged under the Data Protection Act and the GDPR to have in place a framework designed to ensure the security of all personal data during its lifecycle. This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents.
Scope
This Policy relates to all personal and sensitive data held by the business regardless of format. The policy applies to all staff and contractors, whether temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of Performance Accountancy. The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.
Types of Breach
Data security breaches include both confirmed and suspected incidents. A personal data breach is one that leads to the accidental or unlawful destruction, loss alteration, unauthorised disclosure of, or access to, personal data. In short it is any breach of security that affects the confidentiality, reliability or availability of personal data. Data that is even temporarily unavailable can be seen as a breach and may need us to notify the local regulatory authority if it could have a significant negative effect on individuals.
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
Reporting an Incident
Any individual who accesses, uses or manages the business information is responsible for reporting data breach and information security incidents immediately to the Security Officer. If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.
The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report Form should be completed as part of the reporting process.
Investigation & risk assessment
An investigation will be undertaken by the Security Office immediately and wherever possible within 24 hours of the breach being discovered / reported. They will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
The investigation will need to take into account the following:
- the type of data involved
- its sensitivity
- the protections are in place (e.g. encryptions)
- what’s happened to the data, has it been lost or stolen
- whether the data could be put to any illegal or inappropriate use
- who the individuals are, number of individuals involved and the potential effects on those data subject(s)
- whether there are wider consequences to the breach
Notification
The security officer will determine who needs to be notified of the breach
Every incident will be assessed on a case by case basis; however, the following will need to be considered:
- Whether there are any legal/contractual notification requirements;
- Whether notification would assist the individual affected – could they act on the information to mitigate risks?
- Whether notification would help prevent the unauthorised or unlawful use of personal data?
Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks.
How to notify ICO is available from their website at: https://ico.org.uk/media/1536/breach_reporting.pdf
Not every incident warrants notification and over notification may cause disproportionate enquiries and work. Most incidents can be dealt with internally.