
What to do in case of a personal data incident or a breach

Guidance for Staff

IMPORTANT

Please follow the "What do I do if I suspect a personal data incident/breach" steps below:

  • Don’t delay. The longer a breach occurs the more damage it is likely to do. If we need to notify the regulator we must do it within 72 hours (this includes bank holidays and weekends!).
  • Breaches can be scary times! Please don’t tell everyone in the company about it - this is a decision that needs to be made by the Primary Security Contact. Discretion is key.
  • Absolutely never post anything about a breach on social media.

What do I do if I suspect a personal data incident/breach

  1. Immediately report the breach to the Primary Security Contact. If you don't know who this is, please review your breach policy.
  2. Provide as much information as possible during the call or in your email. This includes the below where possible:
    • A brief description of the incident (what happened?)
    • The type of data involved (e.g. employee data, customer data)
    • The affected data items (e.g. names, email addresses, billing information)
    • When the incident happened (date & time)
    • The date & time the incident was discovered
    • Any remedial action that has already been taken to contain the incident

Guidance for Primary Security Contact

IMPORTANT

  • Keep evidence: it's important to keep accurate and detailed records of every action taken to address an incident or breach. Do not edit or manipulate any of the data in any way; simply record the incident or breach in its current state and note any actions taken.
  • Make sure you update your Breach & Incident Log

Primary Security Contact should:

STEP 1 - REPORT TO TRUST KEITH

  1. Create a copy of the Incident Form template - you can find it on the app in the Policies and Frameworks tab.

  2. Fill in the "Report" tab with information from the person who reported the incident or breach.

STEP 2 - INVESTIGATE & CONTAIN

  1. Complete the "Investigate & Contain" tab of the Incident Form
  2. Is the incident or breach still occurring? If yes, immediately take the steps to stop it, minimise the impact, and recover the data where possible
  3. Who in the company needs to know about the incident or breach? Do you have an incident/data breach response team? Is it serious enough to raise with the CEO?

STEP 3 - ASSESS SEVERITY

  1. Complete the "Severity Assessment" tab of the Incident Form, recording:
    • The corroborated date & time the incident occurred
    • The type of data involved
    • The nature and sensitivity of that data
    • How many data records are impacted
    • How many data subjects are impacted (if applicable)
    • A description of the incident or details of the information lost
  2. Utilise the form calculators to work out the Data Processing Context, Ease of Identification, Circumstances of Breach, and Overall Severity and Risk scores - caution: do not edit cells that contain active calculations.

STEP 4 - ASSESS NOTIFICATION TO ICO/DPA

  1. Complete the "Notification Assessment" tab of the Incident Form.
    • Is the data breach likely to result in a high risk of adversely affecting the data subject's rights and freedoms under Data Protection legislation?
    • Would a notification assist the data subject(s) affected?
    • Is a notification a contractual requirement?
    • Would a notification help prevent the unauthorised or unlawful use of personal data?
    • Should other third parties be notified? - for example, The Police, Insurers, Banks, Credit Card Companies, and Trade Union.

STEP 5 - REVIEW

  1. Complete the "Review" tab of the Incident Form.
  2. Carry out a full review of:
    • The causes of the incident or breach
    • The effectiveness of the response(s)
    • Whether any changes to existing controls, systems, policies, and procedures should be undertaken to minimise the risk of similar incidents or breaches occurring again
  3. Add the incident to the Breach & Incident Log