DATA BREACH NOTIFICATION POLICY

DATA BREACH NOTIFICATION POLICY

 

A) AIM

We are aware of the obligations placed on us by the General Data Protection Regulation (GDPR) in relation to processing data lawfully and to ensure it is kept securely.

 

One such obligation is to report a breach of personal data in certain circumstances and this policy sets out our position on reporting data breaches.

 

B) PERSONAL DATA BREACH

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

 

The following are examples of data breaches:

 

  1. access by an unauthorised third party;
  2. deliberate or accidental action (or inaction) by a data controller or data processor;
  3. sending personal data to an incorrect recipient;
  4. computing devices containing personal data being lost or stolen;
  5. alteration of personal data without permission;
  6. loss of availability of personal data.

 

C) BREACH DETECTION MEASURES

We have implemented the following measures to assist us in detecting a personal data breach:

Our Breach Detection Team will investigate any breaches.

 

D) INVESTIGATION INTO SUSPECTED BREACH

In the event that we become aware of a breach, or a potential breach, an investigation will be carried out. This investigation will be carried out by Mark Day - Practice Manager who will make a decision over whether the breach is required to be notified to the Information Commissioner. A decision will also be made over whether the breach is such that the individual(s) must also be notified.

 

E) WHEN A BREACH WILL BE NOTIFIED TO THE INFORMATION COMMISSIONER

In accordance with the GDPR, we will undertake to notify the Information Commissioner of a breach which is likely to pose a risk to people’s rights and freedoms.  A risk to people’s freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.

 

Notification to the Information Commissioner will be done without undue delay and at the latest within 72 hours of discovery. If we are unable to report in full within this timescale, we will make an initial report to the Information Commissioner, and then provide a full report in more than one instalment if so required.

 

The following information will be provided when a breach is notified:

 

  1. a description of the nature of the personal data breach including, where possible:
    1. the categories and approximate number of individuals concerned; and
    2. the categories and approximate number of personal data records concerned
  2. the name and contact details of the (data protection officer) where more information can be obtained;
  3. a description of the likely consequences of the personal data breach; and
  4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

F) WHEN A BREACH WILL BE NOTIFIED TO THE INDIVIDUAL

In accordance with the GDPR, we will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms. A high risk may be, for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online.

 

This notification will be made without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified.

 

The following information will be provided when a breach is notified to the affected individuals:

 

  1. a description of the nature of the breach
  2. the name and contact details of the (data protection officer) where more information can be obtained
  3. a description of the likely consequences of the personal data breach and
  4. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

 

G) RECORD OF BREACHES

The Company records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under GDPR. It records the facts relating to the breach, its effects and the remedial action taken.