Data Breach Policy

The General Data Protection Regulation (GDPR) aims to protect the rights of individuals about whom data is obtained, stored, processed or supplied and requires that organisations take appropriate security measures against unauthorised access, alteration, disclosure or destruction of personal data.

The GDPR places obligations on staff to report actual or suspected data breaches and our procedure for dealing with breaches is set out below. All members of staff are required to familiarise themselves with its content and comply with the provisions contained in it. Training will be provided to all staff to enable them to carry out their obligations within this policy.

Data Processors will be provided with a copy of this policy and will be required to notify the College of any data breach without undue delay after becoming aware of the data breach. Failure to do so may result in a breach to the terms of the processing agreement.

Breach of this policy will be treated as a disciplinary offence which may result in disciplinary action under the College’s Disciplinary Policy and Procedure up to and including summary dismissal depending on the seriousness of the breach.

This policy does not form part of any individual’s terms and conditions of employment with the College and is not intended to have contractual effect. Changes to data protection legislation will be monitored and further amendments may be required to this policy in order to remain compliant with legal obligations.

Definitions

Personal Data

Personal data is any information relating to an individual where the individual can be identified (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special category data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed.

Personal data can be factual (for examples a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal data will be stored either electronically or as part of a structured manual filing system in such a way that it can be retrieved automatically by reference to the individual or criteria relating to that individual.

Special Category Data

Previously termed “Sensitive Personal Data”, Special Category Data is similar by definition and refers to data concerning an individual’s racial or ethnic origin, political or religious beliefs, trade union membership, physical and mental health, sexuality, biometric or genetic data and personal data relating to criminal offences and convictions.

Personal Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data or special category data transmitted, stored or otherwise processed.

Data Subject

Person to whom the personal data relates.

ICO

ICO is the Information Commissioner’s Office, the UK’s independent regulator for data protection and information.

Responsibility

The Principal has overall responsibility for breach notification within the College. They are responsible for ensuring breach notification processes are adhered to by all staff and are the designated point of contact for personal data breaches.

In the absence of the Principal please do contact the Deputy Principal and the Office Manager.

The Data Protection Officer (DPO) is responsible for overseeing this policy and developing data-related policies and guidelines.

Please contact the DPO with any questions about the operation of this policy or the GDPR or if you have any concerns that this policy is not being or has not been followed.

Data Protection Officer: Craig Stilwell
Address: Judicium Consulting Ltd, 72 Cannon Street, London, EC4N 6AE
Email: dataservices@judicium.com
Telephone: 0203 326 9174

Security and Data-Related Policies

Staff should refer to the following policies that are related to this data protection policy: –

  • Security Policy which sets out the College’s guidelines and processes on keeping personal data secure against loss and misuse.
  • Data Protection Policy which sets out the College’s obligations under GDPR about how they process personal data.

These policies are also designed to protect personal data and can be obtained from the College office.

Data Breach Procedure

What Is a Personal Data Breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data or special category data transmitted, stored or otherwise processed.

Examples of a data breach could include the following (but are not exhaustive): –

  • Loss or theft of data or equipment on which data is stored, for example loss of a laptop or a paper file (this includes accidental loss);
  • Inappropriate access controls allowing unauthorised use;
  • Equipment failure;
  • Human error (for example sending an email or SMS to the wrong recipient);
  • Unforeseen circumstances such as a fire or flood;
  • Hacking, phishing and other “blagging” attacks where information is obtained by deceiving whoever holds it.

When Does It Need to Be Reported?

The College must notify the ICO of a data breach where it is likely to result in a risk to the rights and freedoms of individuals. This means that the breach needs to be more than just losing personal data and if unaddressed the breach is likely to have a significant detrimental effect on individuals.

Examples of where the breach may have a significant effect includes: –

  • potential or actual discrimination;
  • potential or actual financial loss;
  • potential or actual loss of confidentiality;
  • risk to physical safety or reputation;
  • exposure to identity theft (for example through the release of non-public identifiers such as passport details);
  • the exposure of the private aspect of a person’s life becoming known by others.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the individuals must also be notified directly.

Reporting A Data Breach

If you know or suspect a personal data breach has occurred or may occur which meets the criteria above, you should: –

Complete a data breach report form which can be obtained from the college administrator.

Email the completed form to office@theparkcollege.org

Where appropriate, you should liaise with your line manager about completion of the data report form. Breach reporting is encouraged throughout the College and staff are expected to seek advice if they are unsure as to whether the breach should be reported and/or could result in a risk to the rights and freedom of individuals. They can seek advice from the SMT, the Principal or the DPO.

Once reported, you should not take any further action in relation to the breach. In particular, you must not notify any affected individuals or regulators or investigate further. The Principal will acknowledge receipt of the data breach report form and take appropriate steps to deal with the report in collaboration with the DPO.

Managing and Recording the Breach

On being notified of a suspected personal data breach, the Principal will notify the DPO. Collectively they will take immediate steps to establish whether a personal data breach has in fact occurred. If so they will take steps to:

  • Where possible, contain the data breach;
  • As far as possible, recover, rectify or delete the data that has been lost, damaged or disclosed;
  • Assess and record the breach in the College’s data breach register;
  • Notify the ICO;
  • Notify data subjects affected by the breach;
  • Notify other appropriate parties to the breach;
  • Take steps to prevent future breaches.

Notifying the ICO

The Principal will notify the ICO when a personal data breach has occurred which is likely to result in a risk to the rights and freedoms of individuals.

This will be done without undue delay and, where possible, within 72 hours of becoming aware of the breach. The 72 hours deadline is applicable regardless of College holidays (I.e. it is not 72 working hours). If the College are unsure of whether to report a breach, the assumption will be to report it.

Where the notification is not made within 72 hours of becoming aware of the breach, written reasons will be recorded as to why there was a delay in referring the matter to the ICO.

Notifying Data Subjects

Where the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Principal will notify the affected individuals without undue delay including the name and contact details of the DPO and ICO, the likely consequences of the data breach and the measures the College have (or intended) to take to address the breach.

When determining whether it is necessary to notify individuals directly of the breach, the Principal will co-operate with and seek guidance from the DPO, the ICO and any other relevant authorities (such as the police).

If it would involve disproportionate effort to notify the data subjects directly (for example, by not having contact details of the affected individual) then the College will consider alternative means to make those affected aware (for example by making a statement on the College website).

Notifying Other Authorities

The College will need to consider whether other parties need to be notified of the breach. For example: –

  • Insurers;
  • Parents;
  • Third parties (for example when they are also affected by the breach);
  • Local authority;
  • The police (for example if the breach involved theft of equipment or data).

This list is non-exhaustive.

Assessing The Breach

Once initial reporting procedures have been carried out, the College will carry out all necessary investigations into the breach.

The College will identify how the breach occurred and take immediate steps to stop or minimise further loss, destruction or unauthorised disclosure of personal data. We will identify ways to recover correct or delete data (for example notifying our insurers or the police if the breach involves stolen hardware or data).

Having dealt with containing the breach, the College will consider the risks associated with the breach. These factors will help determine whether further steps need to be taken (for example notifying the ICO and/or data subjects as set out above). These factors include: –

  • What type of data is involved and how sensitive it is;
  • The volume of data affected;
  • Who is affected by the breach (i.e. the categories and number of people involved);
  • The likely consequences of the breach on affected data subjects following containment and whether further issues are likely to materialise;
  • Are there any protections in place to secure the data (for example, encryption, password protection, pseudonymisation);
  • What has happened to the data;
  • What could the data tell a third party about the data subject;
  • What are the likely consequences of the personal data breach on the College; and
  • Any other wider consequences which may be applicable.

Preventing Future Breaches

Once the data breach has been dealt with, the College will consider its security processes with the aim of preventing further breaches. In order to do this, we will: –

  • Establish what security measures were in place when the breach occurred;
  • Assess whether technical or organisational measures can be implemented to prevent the breach happening again;
  • Consider whether there is adequate staff awareness of security issues and look to fill any gaps through training or tailored advice;
  • Consider whether it is necessary to conduct a privacy or data protection impact assessment;
  • Consider whether further audits or data protection steps need to be taken;
  • To update the data breach register;
  • To debrief governors/management following the investigation.

Reporting Data Protection Concerns

Prevention is always better than dealing with data protection as an after-thought. Data security concerns may arise at any time and we would encourage you to report any concerns (even if they don’t meet the criteria of a data breach) that you may have to the Principal or the DPO. This can help capture risks as they emerge, protect the College from data breaches and keep our processes up to date and effective.

Monitoring

We will monitor the effectiveness of this and all of our policies and procedures and conduct a full review and update as appropriate.

Our monitoring and review will include looking at how our policies and procedures are working in practice to reduce the risks posed to the College.