Data Breach Notification Policy and Procedure
July 10th 2018
MSKnote holds, processes, and shares a large amount of personal data, a valuable asset that needs to be suitably protected.
Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security.
Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative noncompliance, and/or financial costs.
MSKnote is obliged under the Data Protection Legislation to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.
This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across the company.
This Policy relates to all personal and sensitive data held by the company regardless of format.
This Policy applies to all staff within our organisation. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of the company.
The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.
Definition / Types of Breach
For the purpose of this Policy, data security breaches include both confirmed and suspected incidents.
An incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to the organisation’s information assets and/or reputation.
An incident includes but is not restricted to, the following:
Reporting an incident
Any individual who accesses, uses or manages the company’s data information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer – Tim Simms
If the breach occurs or is discovered outside normal working hours, it must be reported at 8am the following day
The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report Form should be completed as part of the reporting process. All staff should be aware that any breach of the Data Protection Act will result in the company’s Disciplinary Procedures being instigated.
Containment and Recovery
The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
An initial assessment will be made by the DPO in liaison with relevant officers to establish the severity of the breach and who will take the lead investigating the breach (this will depend on the nature of the breach in some cases it could be the DPO).
The Lead Investigation Officer or Management Subordinate (LIO) will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
The LIO will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.
Advice from experts across the company may be sought in resolving the incident promptly.
The LIO, in liaison with the relevant officer(s) will determine the suitable course of action to be taken to ensure a resolution to the incident.
Investigation and Risk Assessment
An investigation will be undertaken by the LIO immediately and wherever possible within 24 hours of the breach being discovered / reported.
The LIO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
The investigation will need to take into account the following:
The LIO and / or the DPO, in consultation with the Company Director - Governance, will determine who needs to be notified of the breach.
Every incident will be assessed on a case by case basis; however, the following will need to be considered:
The dangers of over notifying.
Not every incident warrants notification and over notification may cause disproportionate enquiries and work.
Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred, and the data involved. Specific and clear advice will be given on what they can do to protect themselves and include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact the DPO for further information or to ask questions on what has occurred.
The LIO and or the DPO must consider notifying third parties such as the police, insurers, bank or credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
The LIO and or the DPO will consider whether a press release is necessary and to be ready to handle any incoming press enquiries.
All actions will be recorded by the DPO.
Evaluation and response
Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring. The review will consider:
If deemed necessary a report recommending any changes to systems, policies and procedures will be considered by a Company Director or Operations Manager.
APPENDIX 1 DATA BREACH REPORT FORM
Please act promptly to report any data breaches. If you discover a data breach, please notify your Line Manager immediately, complete Section 1 of this form and email it to the Data Protection Officer where appropriate – firstname.lastname@example.org
Section 1: Notification of Data Security Breach
To be completed by Line Manager of person reporting incident
Date incident was discovered:
Date(s) of incident:
Place of incident:
Name of person reporting incident:
Contact details of person reporting incident (email address, telephone number):
Brief description of incident or details of the information lost:
Number of Data Subjects affected, if known:
Has any personal data been placed at risk? If, so please provide details:
Brief description of any action taken at the time of discovery:
For use by the Data Protection Officer
Forwarded for action to
Section 2: Assessment of Severity
To be completed by the Lead Investigation Officer in consultation with the Manager of the department affected
Details of the IT systems, equipment, devices, records involved in the security breach:
Details of information loss:
What is the nature of the information lost?
How much data has been lost?
If laptop lost/stolen: how recently was the laptop backed up onto central IT systems?
Is the information unique?
Will its loss have adverse operational, research, financial legal, liability or reputational consequences for the company or third parties?
How many data subjects are affected?
Is the data bound by any contractual security arrangements?
What is the nature of the sensitivity of the data?
Please provide details of any types of information that fall into any of the following categories:
HIGH RISK personal data
Section 3: Action taken to be completed by Data Protection Officer and/or Lead Investigation Officer
Incident number e.g. year/001
Report received by:
Action taken by responsible officer/s:
Was incident reported to Police? Yes/No
If YES, notified on (date): Follow up action required/recommended:
Reported to Data Protection Officer and Lead Officer on (date):
Reported to other internal stakeholders (details, dates):
Notification to ICO YES/NO If YES, notified on: Details:
Notification to data subjects YES/NO If YES, notified on: Details:
Notification to other external, regulator/stakeholder YES/NO
If YES, notified on:
MSKnote Data Breach Notification Policy 2018