Expressway 77 #100
Linc holds and processes personal data on behalf of its staff and clients, a valuable asset that needs to be suitably protected. Every care is taken to protect client and personal data from incidents (either accidental or deliberate) to avoid a security breach that could compromise data. Compromise of information, confidentiality, integrity, or availability may result in harm to individuals, reputational damage, detrimental effect on service provision, legislative noncompliance, and/or financial costs including significant fines from the Information Commissioner's Office (ICO).
The company is obliged under the Data Protection Act to have in place systems designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility. This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents.
The GDPR makes notification mandatory for all controllers unless a breach is unlikely to result in a risk to the rights and freedoms of individuals. Processors must notify any breach to their controllers. Controllers and processors are therefore encouraged to put in place processes to be able to detect and promptly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary.
This Policy relates to all personal and sensitive data controlled or processed by the company regardless of format. This Policy applies to all employees, contractors, consultants, temporary staff, and other workers at Linc and data processors working for, or on behalf of the company.
Where there is an unauthorised or accidental disclosure of, or access to, personal data. For Example:
Where there is an accidental or unauthorised loss of access to, or destruction of, personal data. For Example:
Where there is an unauthorised or accidental alteration of personal data. For Example:
It should also be noted that, depending on the circumstances, a breach can concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.
On discovery of a data breach the following actions should be taken:
The individual committing the breach or having identified a possible breach should immediately inform their manager or the Information Security Officer. The immediate priority is to contain the breach and limit its scope and impact.
A Breach Notification incident should be logged on the Internal IT Support system (see the Information Security Incident Logging Policy) stating:
The Information Security Officer or Data Protection Officer or a nominated person will conduct an investigation into the breach and prepare a Breach Report.
This report will follow the ICO's guidance on Breach Management and will consider the following:
Under Article 33 of the GDPR - In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The Data Protection Officer or information Security Officer or in the absence of either of these people, any member of the Senior Leadership Team, will determine whether the breach is one which is required to be notified to the ICO.
Where the data breach involves any client data the responsibility for reporting the breach is with the client controller(s) ie. The clients' Data Protection Officers or person responsible for breach notifications. The Linc controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the client specified contact and controllers.
If a breach is also assessed to be likely to result in a high risk to the rights and freedoms of individuals, the individuals themselves must be informed directly and without undue delay, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
When informing the individuals the following needs to be supplied in clear and plain language:
Once the breach has been dealt with the cause of the breach needs to be considered. There may be a need to update policies and procedures, or to conduct additional training.