Data breach handling procedure

Purpose

The purpose of this policy is to ensure that a standardised approach is implemented throughout the company in the event of an information/data breach.

Scope

The policy applies to all company employees, contractors and third parties (‘staff’) that access, use, store or process information on behalf of the company.

The policy applies to:

  • all personal data created or received by the company in any format (including paper), whether used in the company, stored on portable devices and media, transported from the company physically or electronically or accessed remotely;
  • personal data held on all company IT systems; and
  • any other IT systems on which company data is held or processed.

For the purposes of this policy, a data breach includes:

  • the disclosure of confidential data to unauthorised individuals;
  • improper disposal of documents leaving personal data deposited in a bin that can be accessed by the general public;
  • loss or theft of data or equipment on which data is kept;
  • loss or theft of paper records;
  • inappropriate access controls allowing unauthorised use of information;
  • suspected breach of the company’s IT security and related policies;
  • attempts to gain unauthorised access to computer systems, e.g. hacking;
  • viruses or other security attacks on company IT equipment, systems or networks;
  • breaches of physical security;
  • confidential information left unlocked in accessible areas; and
  • emails containing personal or sensitive information sent in error to the wrong recipient.

Roles and responsibilities

The company directors (management team) are responsible for implementation of this policy day-to-day within the areas of the business they oversee, and for ensuring that employees they manage are informed of their responsibilities.

The company data security team (Managing Director or nominated deputy), working with third party suppliers as required, is responsible for the technical aspects of investigating, containing and recovering from a breach. The Managing Director or assigned deputy has responsibility for liaising with the ICO in the event of a breach.

It is the responsibility of everyone in the company to familiarise themselves with the company policies on information security, data protection and breach notification, and to adhere promptly to these policies in the event of an incident.

Policy

Identification and Classification

The company encourages staff to report any information/data security breach, and all officers, voluntary assistants and employees are made aware of whom they should report such a breach to. Having such procedures in place permits early recognition of breaches so that they can be dealt with in the most fitting manner.

Details of breaches should be recorded accurately, including:

  • the date and time the breach occurred;
  • the date and time it was discovered;
  • who/what reported the breach;
  • description of the breach;
  • details of any ICT systems involved;
  • any other substantiating material.

Staff are made fully aware of what constitutes a breach. In respect of this policy, a breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Containment and Recovery

Containment comprises restricting both the scope and impact of the breach. If a breach occurs, the company will decide who will take the lead in investigating the breach (likely to be the Managing Director or another director) and ensure that the appropriate resources are available to the nominated person for the investigation.

The nominated person will establish who in the company needs to be alerted to the breach and inform them of what they are expected to do to support its containment.

The nominated person will then establish whether there is anything that can be done to recoup losses and/or limit the damage the breach may cause.

Details of the facts relating to the breach, its effects and remedial action taken are then entered in the company internal breach register.

Risk Assessment

In assessing the risk arising from the breach, the company should consider the potential adverse consequences for individuals. In doing so, the company will consider the following:

  • the nature of the information/data involved;
  • the sensitivity of the information/data;
  • any security mechanisms in place (e.g. password, encryption);
  • what the information/data could convey to a third party about the individual; and
  • how many individuals are affected by the breach.

Notification of Breach

All information/data breaches must be reported to a member of the management team immediately and an incident report must be completed. The nominated person will notify the Information Commissioner’s Office within 72 hours of the breach if required (i.e. unless the data was anonymised or encrypted) and should consider notifying third parties including police if necessary.

The incident report will include:

  • the date the incident was discovered;
  • the date(s) of the incident;
  • the place of the incident;
  • the name of the person reporting the incident;
  • the contact details of the person reporting the incident (email address, telephone number);
  • a brief description of the incident or details of the information lost;
  • the number of Data Subjects affected, if known;
  • whether any personal data has been placed at risk, with brief details; and
  • a brief description of any action taken at the time of discovery.

Evaluation and Response

Subsequent to any information/data security breach a thorough review of the event should be undertaken by the nominated person who will consider:

  • What action needs to be taken to reduce the risk of future breaches and minimise their impact?
  • Whether policies, procedures or reporting lines need to be amended to increase the effectiveness of the response to the breach?
  • Are there weak points in security controls that need to be strengthened?
  • Are all officers, voluntary assistants and employees cognisant of their responsibilities for information security and adequately trained?
  • Is additional investment required to lessen exposure and, if so, what are the resource implications?

Any recommended changes to policies and/or procedures must be documented and implemented as soon as possible thereafter by the board of directors.

Enforcement

The company reserves the right to take such action as it deems appropriate against users who breach this policy. Staff who breach this policy may be subject to disciplinary action, including suspension and dismissal as provided for in the company disciplinary procedure described in the staff handbook.

Review and update

This policy will be reviewed and updated annually or more frequently if necessary, to ensure that any changes to the company’s business practices are accurately reflected.