
Data breaches

A data breach is “a breach of security leading to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” It is important to note that a potential data breach does not always involve technical systems or IT devices. Breaches can also involve paper-based and verbal information, for example a diary with personal details left in a coffee shop, or inappropriate disclosure of someone’s information through conversation.

A data breach can come in many forms, but the most common are as follows:

• Loss or theft of paper or other hard copy

• Human error - e-mailed, posted or faxed to the incorrect recipient

• Loss or theft of equipment on which data is stored

• Inappropriate sharing or dissemination and/or inappropriate access controls - staff accessing information to which they are not entitled

• Hacking, malware and data corruption

• Information is obtained by deception or “blagging”

• Equipment failure, fire or flood

• Unescorted visitors accessing data

• Non-secure disposal of data

Procedure

1. Reporting a breach – internal reporting

Suspected data breaches should be reported promptly to the DPO as the primary point of contact: dataprotection@nescol.ac.uk and to the IT helpdesk: helpdesk@nescol.ac.uk . The report must contain full and accurate details of the incident including who is reporting the incident and what kind of data is involved. The incident report form should be completed as part of the reporting process (Appendix 1). If a breach occurs or is discovered outside normal working hours it must be reported as soon as is practicable, taking into account the potential severity of the incident. Once a data incident has been reported an initial assessment will be made to establish whether it is a breach, and the severity of the breach (see Appendix 2 – matrix for assessing severity of incident). All data breaches will be centrally logged by the DPO to ensure appropriate oversight in the types and frequency of confirmed incidents for management and reporting purposes. Invigilation of assessment is carried out by a designated person where this is necessary to meet specified assessment conditions.

2. Reporting a breach – external reporting

Article 33 of the GDPR requires the College to notify the ICO only when the breach “is likely to result in a risk to the freedoms and rights of natural persons”. Such a breach also must be communicated to the data subject (with certain exceptions). Notification must be made “without undue delay” and within 72 hours of becoming aware of it. If the College fails to do this, it must explain the reason for the delay. A report to the ICO will be made by the DPO and must contain information as to the nature of the breach, categories of data, number of data records, number of people affected, name and contact details of DPO, likely consequences of the breach and action taken.

3. Containment and recovery

The DPO and Info Sec Lead will identify who should lead on investigating and managing the breach. 

• The DPO and Info Sec Lead will determine whether the breach is still occurring and if so, ensure appropriate steps are taken immediately to identify and implement any steps to contain the breach and minimise the effect.

• An initial assessment will be made, with relevant staff, to establish the severity of the breach.

• The DPO and Info Sec Lead will establish whether anything can be done to recover any losses and limit damage.

© North East Scotland College. All rights reserved.

• The DPO and Info Sec Lead will establish who may need to be notified as part of the initial containment.

• The DPO and Info Sec Lead, in liaison with relevant staff, will determine a suitable course of action to ensure resolution of the incident.

• The DPO and Info Sec Lead should consider whether the Director of Marketing and Communications should be informed at this stage, to prepare external or internal communications and be ready to handle enquiries.

4. Assessment of risks

• An investigation will be undertaken by the DPO or Info Sec Lead immediately and whenever possible within 24 hours of the breach being discovered/reported.

• All data security breaches will be managed according to risk. After the identification of the breach, the risks associated with the breach will be assessed in order to identify an appropriate response. Appendix 1 should be used to identify the exact nature of the breach and the severity; this information can then be used to establish the action required.

• The investigation will take into account:

o the type of data involved and its sensitivity

o the protections which are in place (e.g. encryption)

o what has happened to the data - has it been lost or stolen?

o whether the data could be put to any illegal or inappropriate use

o who the individuals are, the number of individuals involved and the potential effects on those data subject(s)

o whether there are wider consequences to the breach

5. Consideration of further notification

• The DPO and College Lead and/or Info Sec Lead and the Senior IT management team will, in consultation with the Vice Principal – Access and Partnerships, determine who needs to be notified of the breach.

• Ultimately, the DPO will decide whether the ICO should be notified of the breach within the required 72 hours.

• Use of the severity matrix will help determine the risk to people’s rights and freedoms and will aid the decision to notify the ICO (and the data subject(s)).

• Every incident will be assessed on a case by case basis, considering:

o Whether there are any legal/contractual notification requirements

o Whether notification would assist the individual affected - could they act on the information to mitigate risks?

o Whether notification would help prevent the unauthorised or unlawful use of personal data

o Whether notification would help the College meet its obligations under the seventh data protection principle

o The dangers of over-notifying. Not every incident warrants notification, and over-notification may cause disproportionate enquiries and work.

• The DPO and/or College Lead will also consider notifying third parties such as the police, insurers and trade unions. This would be appropriate where illegal activity is known or believed to have occurred, or there is a risk of illegal activity happening in the future.

• Notification to the individual(s) whose personal data has been affected by the incident will include a factual description of how and when the breach occurred and the data involved, along with actions taken by the College. Individuals will also be provided with the name and contact details of the College DPO for further information.

• All decisions and actions will be documented by the DPO.

6. Evaluation and response

• Once the initial incident is contained, the DPO and/or Info Sec Lead will carry out a full review of the causes of the breach and the effectiveness of the response, and determine whether any changes to systems, policies or procedures should be made.

• The review will consider:

o Where and how personal data is held and where and how it is stored

o Where the biggest risks lie, and will identify any further potential weak points within its existing measures

o Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared

o Identifying weak points within existing security measures

o Staff awareness

o Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches

o If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the College’s Senior Management Team, and in more serious cases it may be appropriate to report to the College Board or the appropriate Committee.

Throughout the breach management process a record should be kept of actions taken and by whom. An activity log recording the timeline of the incident management will also be completed. Appendix 4 provides an activity log template to record this information. Copies of any correspondence relating to the breach should also be retained.

7. Breaches received as complaints

There are occasions when a data subject may make the College aware of a data breach by using the College’s complaints procedure. If this is the case, the Head of Quality Enhancement & Transitions will forward the complaint to the Data Protection Officer to be dealt with as a data breach. The complainant will receive an acknowledgment from the College informing them that the matter will be handled in line with the College’s Breach Reporting Procedure. The dataprotection@nescol.ac.uk inbox will be copied into all communications with the complainant. The complaint will be sent to the DPO and will not be counted in the complaint reporting process.

8. Disciplinary

Staff, students, contractors, visitors or partner organisations who act in breach of college policy and procedure may be subject to disciplinary procedures or other appropriate sanctions.

9. Contacts

Data Protection Officer:

Data Protection: luna@magestore.com

IT Helpdesk: helpdesk@nescol.ac.uk
