data breach policy

The Data Protection Officer (DPO): Laurence Cope

Introduction

Amity Web Solutions collects, stores, processes, and shares personal data of it’s customers and it’s customers’ customers. Every care is taken to protect personal data from accidental or deliberate incidents to avoid a data protection breach. A data breach of personal data may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative non- compliance, and/or financial costs.

Purpose and Scope

Amity Web Solutions is obliged under Data Protection legislation to have in place a framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.

This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents

This policy relates to all personal and special categories (sensitive) data held by Amity Web Solutions regardless of format.

This policy applies to all staff at Amity Web Solutions. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of Amity Web Solutions.

The objective of this policy is to have a formal process in place to help contain any breaches, to help minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.

Definitions / Types of breach

A personal data breach is:
“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

A personal data breach may mean that someone other than the data controller gets unauthorised access to personal data. But a personal data breach can also occur if there is unauthorised access within an organisation, or if a data controller’s own employee accidentally alters or deletes personal data.

An incident includes but is not restricted to:

  • Loss or theft of personal data or the equipment on which the data is stored e.g. laptop, memory stick, smartphone, or paper record
  • Theft or failure of equipment on which personal data is stored
  • Unauthorised use of or access to personal data
  • Attempts to gain unauthorised access to personal data
  • Unauthorised disclosure of personal data
  • Website defacement
  • Hacking attack

Reporting an incident

Any person using personal data on behalf of Amity Web Solutions is responsible for reporting data breach incidents immediately to the DPO. The report should contain the following details:

  • Date and time of discovery of breach
  • Details of person who discovered the breach
  • The nature of the personal data involved
  • How many individuals’ data is affected
  • The report must include:
    • Who is reporting it
    • Details of the incident
    • When the breach occurred (dates and times)
    • If the data relates to people and how many individuals are involved
    • The nature of the information

The forms are located are the bottom of this document.

Containment and recovery

The DPO will first determine if the breach is still occurring and take the appropriate steps to minimise the effect of the breach.

An initial assessment will be made by the DPO and with relevant staff members to establish the severity of the breach

The DPO will determine the suitable course of action to be taken to ensure a resolution to the incident

Investigation and risk assessment

An investigation will be carried out without delay and where possible within 24 hours of the breach being discovered. The DPO will assess the risks associated with the breach, the potential consequences for the data subjects, how serious and substantial those are and how likely they are to occur

The investigation will take into account the following:

  • The type of data involved and its sensitivity
  • The protections in place (e.g. encryption)
  • What has happened to the data
  • Whether the data could be put to illegal or inappropriate use
  • Who the data subjects are, how many are involved, and the potential effects on them
  • Any wider consequences

Notification

If the breach is likely to adversely affect the personal data or privacy of our customers or customers’ customers, we will notify our customers of the breach without unnecessary delay. We will tell them:

  • Our name and contact details;
  • The estimated date of the breach;
  • A summary of the incident;
  • The nature and content of the personal data;
  • The likely effect on the individual;
  • Any measures you have taken to address the breach; and
  • How they can mitigate any possible adverse impact.

We do not need to notify customers about a breach if we can demonstrate that the data was encrypted (or made unintelligible by a similar security measure)

IPO Notification

We will notify the ICO within 24 hours of becoming aware of the essential facts of the breach. This notification will include at least:

  • Our name and contact details;
  • The date and time of the breach (or an estimate);
  • The date and time you detected it;
  • Basic information about the type of breach; and
  • Basic information about the personal data concerned.
  • We will report a breach using the IPO breach notification form https://ico.org.uk/for-organisations/report-a-breach/
  • If possible, we will also include full details of the incident, the number of individuals affected and its possible effect on them, the measures taken to mitigate those effects, and information about your notification to customers. If these details are not yet available, we will provide them as soon as possible.

We will submit a second notification form to the IPO within three days, either including these details, or tell them how long it will take to get them.

Evaluation and response

Once the incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and instigate corrective action to systems, procedures and controls to minimise the risk of similar incidents occurring.

More Information

https://ico.org.uk/for-organisations/guide-to-pecr/communications-networks-and-services/security-breaches/

Data Breach Reporting Forms

Once a data breach has been identified, the person identifying the breach should complete the forms and give them to the DPO. There are 3 forms to be used:

  • Data Breach Form 1: Personal details and information on the affected company (not to be shared with third parties)
  • Data Breach Form 2: Details on the data breach incident as per the indications in Article 33 of the GDPR, to be sent to the national supervisory authority, where feasible, no later than 72 hours after having become aware of the breach
  • Data Breach Form 3: A section to be completed following the 72-hour period when more information is available on the data breach, which includes complementary data sets to gain more in-depth knowledge of the nature of the breach