Data Breach Policy
This Policy sets out the procedures which must be followed to enable us to comply with our legal obligations as well as our obligations to clients under current contracts.
Data Security Breaches
A Data Security breach could occur where customer data has been processed without appropriate measures being taken to protect the data. Examples of a Data Security breach could be:
- Personal information being shared with a Customer without having first completed identification checks
- Customer information being sent electronically to a 3rd party without appropriate authorisation, encryption or password protection
- Non-adherence to our Secure Desk policy; for example, Customer information being written down and left unattended at any time in our offices
Data Protection Breaches
A Data Protection breach could occur where data is obtained or viewed by a person that was not authorised to receive it. Some examples of a Data Protection breach could be:
- Loss or theft of data or equipment on which data is stored.
- Inappropriate access controls allowing unauthorised use.
- Equipment failure.
- Social Engineering offences where information is obtained by a third party by means of deception.
Our Data Controller will maintain a log of data breaches and provide any necessary support in managing and resolving the breach.
Managing a Data Breach
- Following notification of a data breach we will establish a recovery plan to minimise any risk of damage to the individuals affected and to the business.
- We will consider all potential adverse consequences of the breach and take steps to minimise or remove such risks.
- We will attempt to recover any documents or data promptly and would not normally agree to the unintended recipient offering to destroy documents themselves.
- We will consider who to notify in order to contain or minimise any impact on the individuals affected, our clients and the business.
- We will act quickly to investigate the breach and consider improvements to systems to prevent future breaches.
A distinction is made between a Security Incident (for example a malware infection) and a Data Breach (actual loss of personal information). In the case of the latter, the ICO would be informed as required by the Data Protection Act and, from May 2018, the General Data Protection Regulation. The ICO must be informed of a Data Breach within 72 hours.