Data Breach Reporting Procedure

Data breaches

A data breach is “a breach of security leading to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” It is important to note that a potential data breach does not always involve technical systems or IT devices. Breaches can also involve paper-based and verbal information, for example a diary with personal details left in a coffee shop, or inappropriate disclosure of someone’s information through conversation.

A data breach can come in many forms, but the most common are as follows:

• Loss or theft of paper or other hard copy

• Human error - e-mailed, posted or faxed to the incorrect recipient

• Loss or theft of equipment on which data is stored

• Inappropriate sharing or dissemination and/or inappropriate access controls - staff accessing information to which they are not entitled

• Hacking, malware and data corruption

• Information is obtained by deception or “blagging”

• Equipment failure, fire or flood

• Unescorted visitors accessing data

• Non-secure disposal of data

Procedure

1. Reporting a breach – internal reporting

Suspected data breaches should be reported promptly to our HelpDesk channel: Magestore Customer Service Desk.

The report must contain full and accurate details of the incident including who is reporting the incident and what kind of data is involved.

If a breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable, taking into account the potential severity of the incident. Once a data incident has been reported, an initial assessment will be made to establish whether it is a breach, and the severity of the breach. All data breaches will be centrally logged by the Product Team to ensure appropriate oversight in the types and frequency of confirmed incidents for management and reporting purposes. Invigilation of assessment is carried out by a designated person where this is necessary to meet specified assessment conditions.

2. Containment and recovery

The Product Team will identify who should lead on investigating and managing the breach. 

• The Product Team will determine whether the breach is still occurring and if so, ensure appropriate steps are taken immediately to identify and implement any steps to contain the breach and minimise the effect.

• An initial assessment will be made, with relevant staff, to establish the severity of the breach.

• The Product Team will establish whether anything can be done to recover any losses and limit damage.

• The Product Team will establish who may need to be notified as part of the initial containment.

• The Product Team, in liaison with relevant staff, will determine a suitable course of action to ensure resolution of the incident.

• The Product Team should consider whether the Director of Marketing and Communications should be informed at this stage, to prepare external or internal communications and be ready to handle enquiries.

3. Assessment of risks

• An investigation will be undertaken by the Product Team immediately and whenever possible within 24 hours of the breach being discovered/reported.

• All data security breaches will be managed according to risk. After the identification of the breach, the risks associated with the breach will be assessed in order to identify an appropriate response.

• The investigation will take into account:

o the type of data involved and its sensitivity

o the protections which are in place (e.g. encryption)

o what has happened to the data: has it been lost or stolen?

o whether the data could be put to any illegal or inappropriate use

o who the individuals are, the number of individuals involved and the potential effects on those data subject(s)

o whether there are wider consequences to the breach

4. Consideration of further notification

• The Product Team and CEO and the Senior IT management team will, in consultation with the Vice Principal – Access and Partnerships, determine who needs to be notified of the breach.

• Every incident will be assessed on a case-by-case basis, considering:

o Whether there are any legal/contractual notification requirements

o Whether notification would assist the individual affected – could they act on the information to mitigate risks?

o Whether notification would help prevent the unauthorised or unlawful use of personal data

o The dangers of over-notifying. Not every incident warrants notification, and over-notification may cause disproportionate enquiries and work.

• The Product Team will also consider notifying third parties such as the police, insurers and trade unions. This would be appropriate where illegal activity is known or believed to have occurred, or there is a risk of illegal activity happening in the future.

• Notification to the individual(s) whose personal data has been affected by the incident will include a factual description of how and when the breach occurred and the data involved, along with actions taken by the Magestore Product Team.

• All decisions and actions will be documented by the Product Team.

5. Evaluation and response

• Once the initial incident is contained, the Product Team and/or Info Sec Lead will carry out a full review of the causes of the breach and the effectiveness of the response, and determine whether any changes to systems, policies or procedures should be made.

• The review will consider:

o Where and how personal data is held and where and how it is stored

o Where the biggest risks lie, and will identify any further potential weak points within its existing measures

o Whether methods of transmission are secure; sharing minimum amount of data necessary

o Identifying weak points within existing security measures

o Staff awareness

o Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches

Throughout the breach management process a record should be kept of actions taken and by whom. An activity log recording the timeline of the incident management will also be completed.

6. Disciplinary

Staff, students, contractors, visitors or partner organisations who act in breach of Product Team policy and procedure may be subject to disciplinary procedures or other appropriate sanctions.

7. Contacts: Data Protection Officer & Support Channel

Data Protection: luna@magestore.com

Support Channel: Magestore Customer Service Desk