
Data Breach Policy & Action Plan 2024
Policy Document

Data Breach Policy & Action Plan

This policy deals with actions to be taken in the event of a possible security breach either cyber or physical (e.g. a break-in at the office). You should refer to the Data Breach Action Plan on the following pages.

Version 1.0  ·  November 2024

Background

It is worth noting that not all security breaches are personal data breaches. The test is whether the controller has lost control of the personal data, i.e. can no longer ensure compliance with the data protection principles.

If there is uncertainty as to whether the test is met, investigations should be undertaken in accordance with the process below.

There are three types of breach, and a single incident may be of more than one type. All are treated as equally serious.

Confidentiality Breach

Unauthorised or accidental disclosure of or access to personal data.

For example, a third party hacking into a computer system, a burglary at the office, or an unauthorised member of staff looking at personal data.

Integrity Breach

Unauthorised or accidental alteration of personal data.

For example, a member of staff accidentally amending all personnel records.

Availability Breach

Accidental or unauthorised loss of access to, or destruction of, personal data.

For example, a fire in the office, or loss of a device holding personal data.

Action Plan

The following pages contain:

  • Data Breach Action Plan to be followed in the event of a suspected breach
  • Further notes on the Action Plan
  • Pro forma notices to the ICO and data subjects
DATA BREACH ACTION PLAN
Flowchart & Decision Tree

1 Investigation Phase

Learn of possibility of breach
  → Contact Key Response Team
  → Appoint lead
  → After investigating for a short period, have you established with a reasonable degree of certainty that there was a breach?
      No  → Stand down
      Yes → Mark "AWARENESS"; note the time = Zero Hour

2 Protection Phase

Aim: Protect individuals and their data
  → Contact lawyers
  → Continue to investigate the breach, considering:
      • Extent of breach
      • Technical measures protecting the data
      • Age of data
      • Involvement of other parties
      • Data subjects in other countries
  → Are there immediate steps which can mitigate the breach or prevent a high risk to individuals from materialising? If so, take them.

3 Communication Phase

ICO
  Does the breach result in a risk to the rights and freedoms of individuals?
      No  → No need to notify ICO
      Yes → Must notify ICO within 72 hours of Zero Hour
            Use ICO Data Breach Notification (Annex 1)

DATA SUBJECTS
  Does the breach result in a high risk to the rights and freedoms of individuals?
      No  → No need to notify individuals
      Yes → Are technological and organisational measures in place to protect the data?
          Yes → No need to notify
          No  → Have steps been taken so that the high risk to individuals is no longer likely to materialise?
              Yes → No need to notify
              No  → Is it disproportionate to notify all affected individuals?
                  No  → Notify all affected individuals without undue delay
                        Use Individual Data Breach Notification (Annex 2)
                  Yes → May use public communication: prominent website banner, social media etc.
                        Must be equally effective as direct notification

Further Notes on the Action Plan

1 Investigation Phase

If there is concern that a breach may have occurred:

  • Contact Key Lead
  • Contact external lawyers
  • Lead holds a short period of investigation to establish, to a reasonable degree of certainty, whether a security incident has occurred. There is no set period to investigate, but an initial review should be held after 3–4 hours; the 72-hour ICO clock starts at awareness, so the investigation must be kept short.

If no security incident: stand down.

If an incident, or the likelihood of one, is established, note the time. This is the moment of "awareness" of the breach, and Zero Hour is marked.

2 Protection Phase

Focus: Protection of individuals and their data

Continue to investigate the breach. Copy the lawyer on all documents and correspondence relating to the potential breach.

When investigating consider:

  • Extent of breach
  • Technical measures protecting data
  • Age of data
  • Involvement of other controller/processor
  • Are data subjects in other countries
Are there immediate steps which can be taken to mitigate the breach or to prevent the high risk to individuals from materialising? If so, take them and record what was done and when.

3 Communication Phase

Information Commissioner's Office

The ICO must be notified within 72 hours of Zero Hour unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. So, if the breach is likely to put people's rights and freedoms at risk, notification is mandatory.

Use the pro forma ICO Data Breach Notification — Annex 1

Notification may need to occur before the full extent of the breach is understood or other details are missing. It is acceptable to notify the ICO and include further areas that we will investigate and update.

Communication with Data Subjects

Need to notify data subjects (affected individuals) without undue delay if the breach is likely to result in a high risk to rights and freedoms of individuals.

However, individuals do not need to be notified if any of the following applies:

  • We had taken prior technological and organisational measures to protect the data, such that the data are unintelligible to anyone not authorised to access them (e.g. the data were encrypted and the key was not compromised)
  • Immediate actions have been taken so that the high risk is no longer likely to materialise
  • It would be disproportionate to notify all affected individuals

Use the pro forma data breach notification for affected individuals in Annex 2. Where we consider it disproportionate to contact the individuals directly, public communication may be used instead, but it must be equally effective as direct communication.


Annex 1

Data Breach Notice – ICO

Preferably use ICO online form
To: Information Commissioner
Phone: 0303 123 1113
From:  
Description of breach:  
Type of breach: [ ] Confidentiality breach  [ ] Integrity breach  [ ] Availability breach
Likely cause of breach:  
Type of data lost:  
Potential number of data subjects:  
Potential number of data records affected:  
Likely Consequences
Description of likely consequences of personal data breach  
Measures Taken
Description of measures taken already or in place at time of breach  
Further Investigation and Follow-up
Description of any further investigation required (if any) and approx time frame  
Description of any follow up action proposed and time frame  

Annex 2

Data Breach Notice – Data Subjects

Notification to affected individuals
To: Data Subject
From:  
Description of breach:  
Type of breach: [ ] Confidentiality breach  [ ] Integrity breach  [ ] Availability breach
Likely cause of breach:  
Type of data lost:  
Potential number of data subjects:  
Potential number of data records affected:  
Likely Consequences
Description of likely consequences of personal data breach  
Measures Taken
Description of measures taken already or in place at time of breach  
Further Investigation and Follow-up
Description of any further investigation required (if any) and approx time frame  
Description of any follow up action proposed and time frame  


Data Breach Policy & Action Plan — Confidential
