DATA PROCESSING BREACH MANAGEMENT
Inevitably there may be some data-processing and personal data implications to any security incident, either minor or major.
Therefore personal data considerations are a component of both Incident Management and Major Incident Management, as well as Disaster Recovery and Business Continuity Planning.
This applies to [Organisation name] and to any supplier who holds or processes personal data on its behalf (necessarily under a data-processor agreement).
DATA BREACH GUIDANCE
Being Prepared
You should ensure you have robust breach detection, investigation and internal reporting procedures in place.
For example:
Some IT systems can send warnings or alerts if data is being deleted or emailed outside the organisation, or if someone is attempting to log in by guessing the password.
If you have an IT helpdesk or service desk you might use that team to investigate and report on issues that risk personal data.
If you share data with others, you may require as part of their contract that they notify you about any potential breach detection, investigation and reporting.
Talk with your team and IT professionals about breach detection, investigation and internal reporting tools. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
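As an added illustration of the two alert types mentioned above (repeated failed logins against one account, and mail with large attachments leaving the organisation), the following Python script runs two simple detection rules over constructed sample log lines. It is not part of the original guidance; the log formats, the internal domain `example.org`, the thresholds (5 failures in 5 minutes, 10 MiB of attachments) and the sample entries are all assumptions made for the example.

```python
"""Two detection rules over constructed log lines (added example, not from the page).
Rule 1: password guessing - N failed logins for one (user, source) within a window.
Rule 2: outbound mail with attachments leaving the internal domain above a size.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in a syslog-like shape; not from any real system.
AUTH_LOG = """\
2024-03-04T09:00:01 auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:03 auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:05 auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:07 auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:09 auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:11 auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:02:00 auth sshd: Accepted password for bob from 192.0.2.10
2024-03-04T09:45:00 auth sshd: Failed password for carol from 198.51.100.4
"""

# Constructed sample mail gateway log; the field layout is an assumption.
MAIL_LOG = """\
2024-03-04T10:15:00 mta: from=dave@example.org to=erin@example.org attachments=1 size=20480
2024-03-04T10:16:30 mta: from=dave@example.org to=someone@mail.example attachments=3 size=15728640
2024-03-04T10:20:00 mta: from=frank@example.org to=partner@example.net attachments=0 size=2048
"""

INTERNAL_DOMAIN = "example.org"          # assumed organisation domain
FAILED_LOGIN_THRESHOLD = 5               # assumed tuning values
WINDOW = timedelta(minutes=5)
LARGE_ATTACHMENT_BYTES = 10 * 1024 * 1024

AUTH_RE = re.compile(r"^(\S+) \S+ sshd: Failed password for (\S+) from (\S+)$")
MAIL_RE = re.compile(r"^(\S+) mta: from=(\S+) to=(\S+) attachments=(\d+) size=(\d+)$")


def detect_password_guessing(log, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW):
    """Return (user, source) pairs with at least `threshold` failed logins
    inside any sliding time window of length `window`."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue                      # successful logins and other lines are ignored
        ts, user, src = m.groups()
        attempts[(user, src)].append(datetime.fromisoformat(ts))

    alerts = []
    for key, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break                     # one alert per (user, source) is enough
    return alerts


def detect_external_attachments(log, internal_domain=INTERNAL_DOMAIN,
                                min_size=LARGE_ATTACHMENT_BYTES):
    """Return (sender, recipient, size) for messages that carry attachments,
    leave the internal domain and are at least `min_size` bytes."""
    hits = []
    for line in log.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        _ts, sender, rcpt, n_att, size = m.groups()
        rcpt_domain = rcpt.rsplit("@", 1)[-1]
        if rcpt_domain != internal_domain and int(n_att) > 0 and int(size) >= min_size:
            hits.append((sender, rcpt, int(size)))
    return hits


if __name__ == "__main__":
    for user, src in detect_password_guessing(AUTH_LOG):
        print(f"ALERT password guessing: user={user} source={src}")
    for sender, rcpt, size in detect_external_attachments(MAIL_LOG):
        print(f"ALERT outbound attachment: {sender} -> {rcpt} ({size} bytes)")
```

Either alert would be raised to the helpdesk or service desk for investigation, which is the internal reporting step the guidance asks for; the thresholds are deliberately simple and would be tuned to the organisation's own traffic.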
NOTIFYING THE INFORMATION COMMISSIONER'S OFFICE (ICO)
You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
When reporting a breach, the GDPR says you must provide:
Item a) a description of the nature of the personal data breach including, where possible:
Item b) the categories and approximate number of individuals concerned, and
Item c) the categories and approximate number of personal data records concerned
Item d) the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained
Item e) a description of the likely consequences of the personal data breach, and
Item f) a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Failing to notify a breach when required to do so can result in a fine. The fine can be combined with the ICO's other corrective powers.
NOTIFYING THE DATA SUBJECTS
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
You need to describe, in clear and plain language, the nature of the personal data breach and, at least:
Item 1) the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained
Item 2) a description of the likely consequences of the personal data breach and
Item 3) a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, the measures taken to mitigate any possible adverse effects.
You do not need to notify the Data Subjects if:
Item a) there are proportionate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption
Item b) subsequent measures have been taken which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
Item c) it would involve disproportionate effort, in which case there must instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
DATA BREACH PROCEDURES
The procedure outlined below is designed to satisfy the requirements of the ICO:
Item a) Know how to recognise a personal data breach. (A personal data breach isn't only about loss or theft of personal data.)
Item b) Staff knowledge of how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
Item c) Supplier knowledge of how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
Item d) Allocated responsibility for managing breaches to a dedicated person or team.
Item e) A prepared response plan for addressing any personal data breaches that occur.
RECOGNISING A PERSONAL DATA BREACH
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
STAFF KNOWLEDGE OF HOW TO ESCALATE A SECURITY INCIDENT
All staff are aware of how to escalate a security incident by virtue of regular training and GDPR Awareness.
SUPPLIER KNOWLEDGE OF HOW TO ESCALATE A SECURITY INCIDENT
All suppliers are aware of how to escalate a security incident by virtue of the data controller-processor agreement that exists between [Organisation name] and the supplier and which sets out the responsibilities of each party.
RESPONSIBILITY FOR MANAGING BREACHES
All aspects of breaches are to be managed, controlled and co-ordinated by the nominated Data Protection Representative.
When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people's rights and freedoms. If it is likely that there will be a risk, then you must notify the ICO. If it is unlikely, then you do not have to report it. However, if you decide you do not need to report the breach, you need to be able to justify this decision, so you should document it.
Example: The theft of a customer database, the data of which may be used to commit identity fraud, would need to be notified, given the impact this is likely to have on those individuals who could suffer financial loss or other consequences. On the other hand, you would not normally need to notify the ICO, for example, about the loss or inappropriate alteration of a staff telephone list.
Within [Organisation name] the Data Protection Representative may have regard to the data-processing-impact assessments and data classification when considering the risk and impact and the need to notify the ICO.
Note the data-processing-impact assessments and data classification are in other documents.
A RESPONSE PLAN
Because any security incident, minor or major, may have data-processing and personal data implications, the Data Protection Representative and personal data considerations form part of incident management as well as disaster recovery and business continuity planning.
REGULATORY GUIDANCE (JERSEY)
The initial notification (within 72 hours) should ordinarily include the following summary information:
Item a) The name of the data controller
Item b) The name and contact details of the DPO or other point of contact where more information can be obtained
Item c) Whether it is a first or subsequent notification
Item d) The date and time of the breach (or best estimate)
Item e) The date and time of the controller becoming aware of the breach
Item f) The nature and content of the personal data concerned
Item g) Technical and organisational measures applied (or that will be applied) to the affected personal data
Item h) The name of the organisation affected by the data breach (if different from the data controller)
If possible, the initial notification should also include the more detailed information set out below. Otherwise, this should be included in any second notification:
Item 1) A summary of the incident that caused the breach, including the physical location of the breach
Item 2) The number and category of data subjects concerned
Item 3) The number and category of personal data records concerned
Item 4) The likely consequences of the personal data breach and potential adverse effects on the data subjects
Item 5) The technical and organisational measures taken or proposed to be taken to mitigate those potential adverse effects
Item 6) The content of any notification provided to affected data subjects
Item 7) The means of communication used to notify the affected data subjects
Item 8) The number of data subjects notified
Item 9) Whether the breach affects data subjects in any jurisdiction other than Jersey
Item 10) Details relating to the notification of any other data protection authorities
Item 11) If these details cannot be included in any second notification, a reasoned justification for the further delay
The Regulator has a secure notification web form for data controllers. Additional documentation or information can be emailed separately using the breach notification email address: breach@OICJersey.org.
TEMPLATE FOR NOTIFYING DATA SUBJECTS
Dear {Customer Name}
Urgent Message re Information Security
It has been brought to our attention that your data may have been compromised in a security incident. We are writing to alert you to this and explain the implications and actions that we recommend that you take immediately.
What data is affected
The following data may be affected:
What actions that we are taking
We take information security seriously and we have launched an immediate investigation, which is on-going. We will announce updates on-line on our website here: [website name].
What actions we recommend that you take immediately
Pending the outcome of our investigation and further guidance, we recommend that you immediately:
Change your password for all systems that use this password
Alert your bank and check your account
Alert your credit card provider and check your account
How to find out more
We will announce updates on-line on our website here:
Website address [website name].
You can also contact our Data Protection Representative, [Data Protection Representative name], telephone 123456789.