...

Suspected data breaches should be reported promptly to the DPO as the primary point of contact: dataprotection@nescol.ac.uk, and to the IT helpdesk: helpdesk@nescol.ac.uk, or via our HelpDesk channel: https://magestore-service.atlassian.net/servicedesk/customer/portal/14 .

The report must contain full and accurate details of the incident including who is reporting the incident and what kind of data is involved. The incident report form should be completed as part of the reporting process (Appendix 1).

If a breach occurs or is discovered outside normal working hours it must be reported as soon as is practicable, taking into account the potential severity of the incident. Once a data incident has been reported, an initial assessment will be made to establish whether it is a breach, and the severity of the breach (see Appendix 2 – matrix for assessing severity of incident). All data breaches will be centrally logged by the DPO Product Team to ensure appropriate oversight of the types and frequency of confirmed incidents for management and reporting purposes.

...


...

Containment and recovery

The DPO and Info Sec Lead Product Team will identify who should lead on investigating and managing the breach. 

• The DPO and Info Sec Lead Product Team will determine whether the breach is still occurring and, if so, ensure that steps are taken immediately to contain the breach and minimise its effect.

• An initial assessment will be made, with relevant staff, to establish the severity of the breach.

• The DPO and Info Sec Lead Product Team will establish whether anything can be done to recover any losses and limit damage.

• The DPO and Info Sec Lead Product Team will establish who may need to be notified as part of the initial containment.

• The DPO and Info Sec Lead Product Team, in liaison with relevant staff, will determine a suitable course of action to ensure resolution of the incident.

• The DPO and Info Sec Lead Product Team should consider whether the Director of Marketing and Communications should be informed at this stage, to prepare external or internal communications and be ready to handle enquiries.

...

3. Assessment of risks

• An investigation will be undertaken by the DPO or Info Sec Lead Product Team immediately and, wherever possible, within 24 hours of the breach being discovered or reported.

• All data security breaches will be managed according to risk. After the identification of the breach, the risks associated with the breach will be assessed in order to identify an appropriate response. Appendix 1 should be used to identify the exact nature of the breach and the severity; this information can then be used to establish the action required.

• The investigation will take into account:

o the type of data involved and its sensitivity

o the protections which are in place (e.g. encryption)

o what has happened to the data (has it been lost or stolen?)

o whether the data could be put to any illegal or inappropriate use

o who the individuals are, the number of individuals involved, and the potential effects on those data subject(s)

o whether there are wider consequences to the breach

...

4. Consideration of further notification

• The DPO and College Lead and/or Info Sec Lead Product Team, the CEO and the Senior IT management team will, in consultation with the Vice Principal – Access and Partnerships, determine who needs to be notified of the breach.

• Ultimately, the DPO will decide whether the ICO should be notified of the breach within the required 72 hours of the College becoming aware of it.

• Use of the severity matrix will help determine the risk to people’s rights and freedoms and will aid the decision to notify the ICO (and the data subject(s)).

• Every incident will be assessed on a case by case basis, considering:

o Whether there are any legal/contractual notification requirements

o Whether notification would assist the individual affected – could they act on the information to mitigate risks?

o Whether notification would help prevent the unauthorised or unlawful use of personal data

...

o The dangers of over notifying. Not every incident warrants notification and over notification may cause disproportionate enquiries and work.

• The DPO and/or College Lead Product Team will also consider notifying third parties such as the police, insurers and trade unions. This would be appropriate where illegal activity is known or believed to have occurred, or there is a risk of illegal activity happening in the future.

• Notification to the individual(s) whose personal data has been affected by the incident will include a factual description of how and when the breach occurred and the data involved, along with the actions taken by the College. Individuals will also be provided with the name and contact details of the College DPO (Product Team Magestore) for further information.

• All decisions and actions will be documented by the DPO Product Team.

...

5. Evaluation and response

• Once the initial incident is contained, the DPO Product Team and/or Info Sec Lead will carry out a full review of the causes of the breach and the effectiveness of the response, and determine whether any changes to systems, policies or procedures should be made.

...

o Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches

o If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the College’s Senior Management Team; in more serious cases it may be appropriate to report to the College Board or the appropriate Committee.

Throughout the breach management process a record should be kept of actions taken and by whom. An activity log recording the timeline of the incident management will also be completed. Appendix 4 provides an activity log template to record this information. Copies of any correspondence relating to the breach should also be retained.

6. Breaches received as complaints

There are occasions when a data subject may make the College aware of a data breach by using the College’s complaints procedure. If this is the case, the Head of Quality Enhancement & Transitions will forward the complaint to the Data Protection Officer to be dealt with as a data breach. The complainant will receive an acknowledgement from the College informing them that the matter will be handled in line with the College’s Breach Reporting Procedure. The dataprotection@nescol.ac.uk inbox will be copied into all communications with the complainant. The complaint will be sent to the DPO and will not be counted in the complaint reporting process.

...


7. Disciplinary

Staff, students, contractors, visitors or partner organisations who act in breach of College or Product Team policy and procedure may be subject to disciplinary procedures or other appropriate sanctions.

...

8. Contacts

Data Protection Officer

...

Support Channel

Data Protection: luna@magestore.com

IT Helpdesk: helpdesk@nescol.ac.uk

eSupport Channel: https://magestore-service.atlassian.net/servicedesk/customer/portal/14