XX Data Breach and Procedure Manual
Document Information
Version: v1
Policy Statement:
- XX holds, processes and shares a large amount of personal data; this is a very valuable asset which we need to look after and protect.
- Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security.
- A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach in the following circumstances:
- whenever any personal data is lost, destroyed, corrupted or disclosed;
- if someone accesses the data or passes it on without proper authorisation; or
- if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
- If XX’s data is compromised by a breach, this may result in harm to employee or client data and potentially to the individual(s) whose data is affected, reputational damage, detrimental effect on service provision, legislative non-compliance, and/or financial costs.
- Purpose:
- XX is obliged under the Data Protection Act 2018 to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.
- The law makes it clear that when a security incident takes place, you should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the Information Commissioner’s Office, if required.
- This procedure sets out the process to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across the Business.
- Scope:
- 3.1 People: This Policy applies to all XX employees who have access to XX Assets both physical and non-physical including data. This includes but is not limited to permanent employees, fixed-term contract employees, agency staff, contractors and third parties authorised to process information on XX’s behalf.
- 3.2 Documentation: The Policy documentation shall consist of this Policy and Procedure Manual and related guidelines.
- 3.3 Document Control: The Policy document and all other referenced documents shall be controlled. Version control shall be used to preserve the latest release and the previous version of any document. However, the previous version of the documents shall be retained only for a period of two years for legal and knowledge preservation purposes.
- 3.4 Records: Records being generated as part of the Policy shall be retained for a period of two years. Records shall be in hard copy or electronic media. The records shall be owned by the respective system administrators and shall be audited once a year.
- 3.5 Distribution and Maintenance: The Policy Manual shall be made available to all the employees covered in the scope. All the changes and new releases of this document shall be made available to the persons concerned. The maintenance responsibility of the Policy Manual shall be with the COO/ CISO or equivalent person in the organisation.
- Responsibility:
- A. All employees/workers have a responsibility for reporting data breach and information security incidents as soon as is possible taking into account the severity of the breach.
- B. All employees/workers should report the matter to their line manager and the relevant Director should be made aware of the breach.
- Directors / Line Managers: Responsible for ensuring that their employees/workers have followed this procedure and for ensuring that all relevant information is provided as soon as is practicable to support the breach investigation process or any legal action that could occur.
- Data Protection Officer:
- A. Responsible with the IT Manager or equivalent person for Infrastructure for ensuring that any reported breach is investigated and for ensuring that these procedures are followed.
- B. Responsible for providing legal and data management advice in relation to the operation of these procedures.
- C. Responsible for liaison with the Information Commissioner’s Office and for reporting the breach, where required.
- D. Responsible for determining the nature and severity of the breach and providing advice to the Business on their legal responsibilities in relation to breach reporting etc.
- Chief Technical Officer (CTO) or equivalent person in the organisation:
- A. Responsible with the Data Protection Officer for ensuring that any reported breach is investigated and for ensuring that these procedures are followed.
- B. Responsible for providing all professional and technical support and risk analysis in relation to the management and containment of any breach.
- C. Responsible for ensuring that all appropriate support and technical expertise is provided to the Data Protection Officer in order that they can determine the nature and severity of the breach and provide advice to the Business on their legal responsibilities in relation to breach reporting etc.
- Lead Investigation Officer:
- A. Responsible for leading investigation of the breach (this will depend on the nature of the breach and is likely to be the DPO or a senior member of ICT employees/workers.)
- B. Responsible for all duties identified at section 8 of this procedure.
- Intended Audience: The intended audience of this document is all XX employees, consultants and sub-contractors. It is the personal responsibility of each employee, consultant and sub-contractor to adhere fully to its requirements. Directors, Heads of Departments, Managers and Team Leaders are responsible for implementing this policy in full within their respective departments and the organisation as a whole, and for ensuring appropriate compliance by those under their direction or supervision.
- Definition – Types of Breaches:
- 6.1 A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
- 6.2 For the purpose of this procedure, data security breaches include both confirmed and suspected incidents.
- 6.3 An incident in the context of this procedure is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to XX’s information assets and/or reputation.
- 6.4 An incident includes, but is not restricted to, the following:
- A. Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record)
- B. Equipment theft or failure
- C. Unauthorised use of, access to or modification of data or information systems
- D. Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
- E. Sending personal data to an incorrect recipient
- F. Unauthorised disclosure of sensitive / confidential data
- G. Website defacement
- H. Hacking attack
- I. Unforeseen circumstances such as a fire or flood
- J. Human error
- K. ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it
- Reporting an incident:
- 7.1 Any individual who accesses, uses or manages XX’s information is responsible for reporting data breach and information security incidents to their line manager in the first instance. If the data breach involves any personal data then the breach must also be reported to the Data Protection Officer or equivalent person.
- 7.2 If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable taking into account its severity.
- 7.3 The report will include full and accurate details of the incident: when the breach occurred (dates and times), who is reporting it, whether the data involved is personal data, the nature of the information, and how many individuals are involved. An Incident Report Form (Appendix 1) should be completed as part of the reporting process.
- 7.4 All employees/workers should be aware that any breach of the Data Protection Act could result in XX’s Disciplinary Procedures being instigated.
- Containment and Recovery:
- 8.1 The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
- 8.2 An initial assessment will be made by the DPO in liaison with relevant employees/workers to establish the severity of the breach and who will take the lead in investigating the breach (this will depend on the nature of the breach; in some cases it could be the DPO or a senior member of ICT employees/workers). This person will be the Lead Investigation Officer (LIO). Their appointment will be agreed by the DPO and the MD (or equivalent person).
- 8.3 The Lead Investigation Officer (LIO) will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
- 8.4 The LIO will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.
- 8.5 Advice from experts across the Business including the CTO and Deputy Chairman should be sought in resolving the incident promptly.
- 8.6 The LIO, in liaison with the relevant employees/workers will determine the suitable course of action to be taken to ensure a resolution to the incident.
- 8.7 The LIO and/or the DPO must consider at an early stage whether a press release or an internal communication is required, and must be ready to handle any incoming press enquiries.
- Investigation and Risk Assessment:
- 9.1 An investigation will be undertaken by the LIO immediately and wherever possible within 24 hours of the breach being discovered / reported.
- 9.2 The LIO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
- 9.3 The investigation will need to take into account the following:
- A. the type of data involved and its sensitivity
- B. the protections which are in place (e.g. encryption)
- C. what has happened to the data (has it been lost or stolen?)
- D. whether the data could be put to any illegal or inappropriate use
- E. who the individuals are, number of individuals involved and the potential effects on those data subject(s)
- F. whether there are wider consequences to the breach
- Notification of Information Commissioner’s Office and other third parties:
- 10.1 The LIO and / or the DPO will determine who needs to be notified of the breach. Ultimately the DPO must decide whether the ICO should be notified of the breach. You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.
- 10.2 The ICO recognises that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So, the law allows you to provide the required information in phases, as long as this is done without undue further delay.
- 10.3 This means that we must prioritise the investigation, give it adequate resources, and expedite it urgently. If we know that we won’t be able to provide full details within 72 hours, it is a good idea to explain the delay and tell the ICO when you expect to submit more information.
- 10.4 When a personal data breach has occurred, we need to quickly establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is likely that there will be a risk then you must notify the ICO; if it is unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
- 10.5 In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. The ICO will only be notified if personal data is involved. More detailed guidance on when and how to notify the ICO is available from the ICO website. For reporting, the DPO must complete the standard form at https://report.ico.org.uk/security-breach
- 10.6 Every incident will be assessed on a case-by-case basis; however, the following will need to be considered:
- A. Whether there are any legal/contractual notification requirements;
- B. Whether notification would assist the individual affected – could they act on the information to mitigate risks?
- C. Whether notification would help prevent the unauthorised or unlawful use of personal data?
- D. Would notification help the Business meet its obligations under the seventh data protection principle;
- E. The dangers of over notifying. Not every incident warrants notification and over notification may cause disproportionate enquiries and work.
- 10.7 The LIO and/or the DPO must also consider notifying third parties such as the police, insurers, bank or credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
- 10.8 All actions will be recorded by the DPO.
- 10.9 Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred, and the data involved. Specific and clear advice will be given on what they can do to protect themselves and include what action has already been taken to mitigate the risks. Individuals will also be provided with an appropriate named contact officer in the Business who they can contact for further information or support in relation to what has occurred.
- Notification of the individuals whose personal data has been affected by the breach:
- 11.1 When do we need to tell individuals about a breach?
- A. If a breach is likely to result in a high risk to the rights and freedoms of individuals, the law says that we must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
- B. A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. Again, we need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
- 11.2 What information must we provide to individuals when telling them about a breach?
- We need to describe, in clear and plain language, the nature of the personal data breach and, at least:
- A. the name and contact details of our data protection officer or other contact point where more information can be obtained;
- B. a description of the likely consequences of the personal data breach; and
- C. a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
- Evaluation and response:
- 12.1 Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
- 12.2 Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
- 12.3 The review will consider:
- A. Where and how personal data is held and where and how it is stored
- B. Where the biggest risks lie, and will identify any further potential weak points within its existing measures
- C. Whether methods of transmission are secure and whether only the minimum amount of data necessary is shared
- D. Identifying weak points within existing security measures
- E. Employees’/workers’ awareness
- F. Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security
- G. If deemed necessary a report recommending any changes to systems, policies and procedures will be considered by XX’s Senior Management Team
- 12.4 Where the breach involves a client, the client should be notified without any unreasonable delay and within 48 hours.
- Data Breach Flow Charts: Flow Chart, Internal Data Breach Reporting by Employees/Workers (figure not reproduced in this text).
- Definitions:
- Data Protection Officer (DPO): the member of employees/workers with oversight of organisational and technical measures and controls to comply with the Data Protection Act.
- Personal Data: data which relates to a living person who can be identified from the data or from a combination of data.
- Information Commissioner’s Office (ICO): the UK’s independent regulatory body set up to uphold information rights.
- Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Lead Investigation Officer (LIO): member of employees/workers responsible for investigating a data breach.
- Responsibility and Accountability: This Policy shall be implemented by the Board / designated personnel and Human Resources / Operations Manager. XX shall ensure that all activities required to implement, maintain and review this policy are performed. All personnel regarded as included in the ISMS scope must comply with this policy statement and its related security responsibilities defined in the information security policies and procedures that support the corporate information security policy. All personnel, even if not included in the ISMS scope, have a responsibility for complying with this and all other applicable Policies in full, for reporting any security incidents and identified weaknesses, and for contributing to the protection of business processes, information assets, and resources of XX.
- Enforcement: Compliance with this Policy is mandatory and non-compliance with this or any other Red Flag Information Security or other Policy may result in disciplinary or, where appropriate, criminal proceedings against employees who are wilfully negligent (this may include their line managers). This is in line with company HR Policies, regulatory and legal compliance. If compliance is not possible an “Exception” must be raised and approved in line with the requirements and procedures of the Company.
- Ownership and Revision: This policy statement is owned by the Board of Directors of XX who has delegated this task to the Chief Information Security Officer or other designated person. This policy shall be revised once every two years by the CISO or other designated person and every time that the Board of Directors of XX decides to do so.
| Title | Business Continuity Policy |
| --- | --- |
| Description | Policy Document |
| Created By | Xapads Media Pvt. Ltd, 5th Floor, Windsor IT Park, Tower B, Plot No. A1 |
| Date Created | 14/09/2023 |
| Maintained By | Xapads Media |
Appendix 1
Data Breach Form (please print off the form and send it as a Word document when completed)
Please act promptly to report any data breaches. Complete Section 1 of this form as soon as possible and email it to the Data Protection Officer or equivalent person in the Business. If you feel that the breach is serious, or you require advice, please do not hesitate to contact the DPO for guidance in the first instance. You should also liaise with your line manager and ensure they are made aware of the breach.
| Section 1: Notification of Data Security Breach | To be completed by person reporting incident |
| --- | --- |
| Date incident was discovered: | |
| Date(s) of incident: | |
| Place of incident: | |
| Name of person reporting incident: | |
| Contact details of person reporting incident (email address, telephone number): | |
| Brief description of incident or details of the information lost: | |
| Number of Data Subjects affected, if known: | |
| Has any personal data been placed at risk? If so, please provide details: | |
| Brief description of any action taken at the time of discovery: | |
| For use by the Data Protection Officer | Received by: / On (date): / Forwarded for action to: / On (date): |
| Section 2: Assessment of Severity | To be completed by the Lead Investigation Officer in consultation with the Head of the area affected by the breach and, where applicable, IT |
| --- | --- |
| Details of the IT systems, equipment, devices, records involved in the security breach: | |
| Has any personal data been placed at risk? If so, please provide details: | |
| What is the nature of the information lost? How much data has been lost? If a laptop was lost/stolen: how recently was the laptop backed up onto central IT systems? | |
| Is the information unique? Will its loss have adverse operational, research, financial, legal, liability or reputational consequences for the Business or third parties? How many data subjects are affected? Is the data bound by any contractual security arrangements? What is the nature of the sensitivity of the data? Please provide details of any types of information that fall into any of the following categories: • Information that could be used to commit identity fraud, such as personal bank account and other financial information; national identifiers, such as National Insurance Number and copies of passports and visas; | |
| Data Protection Officer and/or Lead Investigation Officer to consider whether it should be escalated to the Board | |
| Section 3: Action taken | To be completed by Data Protection Officer and/or Lead Investigation Officer |
| --- | --- |
| Incident number: | |
| Report received by: | |
| On (date): | |
| Action taken by responsible officer/s: | |
| Was incident reported to Police? | Yes/No. If YES, notified on (date): |
| Follow-up action required/recommended: | |
| Reported to Data Protection Officer and Lead Officer on (date): | |
| For use of Data Protection Officer and/or Lead Officer: Notification to other external regulator/stakeholder | |