Data breach procedures provide a framework for all staff and members of the parish council, and are particularly relevant for an organisation that prides itself on its flexible approach and facilitation of mobile working.
CPC holds and processes personal data in relation to employees, volunteers, council members and suppliers. Every care is taken to protect personal data from accidental or deliberate incidents and to avoid a data breach that could compromise security.
Any compromise of the information we hold, whether in terms of breach of confidentiality, integrity or availability, may result in harm to individual(s), reputational damage, a detrimental effect on service provision, legislative non-compliance and/or financial costs.
The purpose of this Policy is to ensure CPC complies with handling any data breaches in accordance with all relevant legislation and guidance binding upon us, that we respond in a consistent and effective way and that all staff are aware of their responsibilities in relation to data breaches.
Our objective is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure the relevant data and prevent further breaches.
This policy applies to all employees, members of the parish council, contractors, agents and representatives including volunteers working for or on behalf of CPC. It relates specifically to how to deal with breaches or lapses in our information security management. Reference will be made to other relevant policies linked to the management of information or other areas of CPC security which are not covered by this policy.
This Policy relates to all personal and commercially sensitive data held by CPC regardless of format.
A relatively small percentage of the data that CPC holds is personal data. Nevertheless, this Policy covers all data breaches, including not just personal data breaches but also breaches involving other information. For example, a data breach may involve information about companies which is commercially sensitive, or about CPC’s intended policy not yet made public. In some cases, other serious legal consequences may flow from a data breach, as well as obvious reputational and practical damage to CPC and its work.
A data breach is any incident where information is exposed to unauthorised or inappropriate processing, resulting in its security being compromised. The extent of damage or potential damage caused by any data breach will be determined by the volume and sensitivity of the information, and the degree of exposure which results. As technology trends change and the amount of information created increases, new ways are emerging by which data breaches can occur.
A data breach may involve information which is classified as personal data. As of 25 May 2018, the General Data Protection Regulation (GDPR), supplemented by the Data Protection Act 2018, governs the processing of personal data and requires organisations to ensure that appropriate procedures are in place for the handling of data breaches involving personal data.
This process applies whether a data breach originates within CPC or within any organisation that processes data on our behalf.
The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This also includes a temporary data breach, although depending upon the circumstances and the timeliness and effectiveness of CPC’s response, temporary personal data breaches may require different responses from CPC.
A data breach may include one or more of the following elements:
“Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data;
“Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data;
“Integrity breach” - where there is an unauthorised or accidental alteration of personal data.
Examples of breach:
Loss or theft of confidential or sensitive data, or of equipment on which such data is stored (e.g. loss of a Surface Pro, mobile phone or paper records)
Attempts (failed or successful) to gain unauthorised access to information or IT system(s), e.g. hacking, including where data on those systems is modified (e.g. website defacement)
Unauthorised disclosure of sensitive / confidential data
Unforeseen circumstances such as a fire or flood
Human error (e.g. email containing personal data sent to incorrect email addresses)
‘Blagging’ offences where information is obtained by deceiving the organisation who holds it
CPC recognises that it has a corporate responsibility to ensure that all CPC data is processed in accordance with any relevant legislation and guidance to which it is subject.
All persons covered by the scope of this policy are responsible for reporting actual, suspected, threatened or potential data breaches and for assisting with investigations as required, particularly if urgent action must be taken to prevent any or further damage.
The Data Protection Contact (DPC) is responsible for drawing up guidance on access to information, including data protection and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely management of incidents.
Councillors should ensure that all staff and volunteers are aware of these legal requirements and procedures relating to information management. All new staff are provided with an introductory briefing on information management and security procedures.
Failure to comply with the policy may result in an administrative fine for the organisation by the Information Commissioner’s Office (ICO) and/or disciplinary action against individuals under CPC’s procedures.
All relevant policies relating to information management and security are available for staff on the CPC website. This guidance is reviewed regularly and updated to incorporate any legislative changes and recommendations from learning.
1. Reporting an Incident
Any person becoming aware of an actual or suspected breach or weakness must report this immediately. Staff, volunteers and council members are encouraged to use this information incident reporting form. It is essential that incidents are reported to the Clerk as soon as an issue is suspected.
If the breach occurs or is discovered outside normal working hours, it must be reported as soon as possible. The report will include full and accurate details of the incident: when the breach occurred (dates and times), who is reporting it, whether the data relates to people and, if so, the nature of the information and how many individuals are involved.
Theft or losses involving CPC equipment should also be reported to the local police and a crime number obtained. Once received, the crime number should be given to CPC security.
2. Containment and Recovery
All efforts must be made to minimise the risk of a further breach. In the event of loss of equipment, all efforts should be made with any organisations involved to recover the equipment. This may include CPC security liaising with the Police, the public transport network and event organisers. It is also essential that breaches involving the loss of equipment are reported to CPC security without delay so that disablement or remote wiping can be undertaken immediately. In the event of an email breach, staff should speak to their resource manager or work manager.
3. Investigation and Risk Assessment
An initial assessment of the extent of potential harm (see Appendix A) will be made by the DPO and/or other relevant personnel, such as the Deputy Security Advisor (DSA) or Information Governance Manager (IGM), within the first 24 hours wherever possible. If the incident is ongoing, consideration should be given to how to contain it and minimise further damage.
Consideration will include:
Types of data involved (including personal, sensitive personal or commercially sensitive data)
Volume of data involved
Quantity of data subjects (persons affected) involved, if relevant
Assessment of ongoing risk, e.g. the number of recipients involved (if known)
Any mitigating features, for example whether files are encrypted or password protected
Any breach identified as a moderate or severe risk by this assessment will be reported to CPC’s Clerk. The Clerk will inform the Council Member if the incident is categorised as a moderate or severe risk.
It may be necessary for the Clerk to collate additional information or consult with additional persons, in order to fully understand the level of risk to CPC or to any individuals or companies concerned. Any request for information should be treated with urgency and confidentiality in order to mitigate any further risk and as a matter of respect to any individuals concerned. It may also be necessary to assign additional resources to assist with an investigation and for steps to be taken during this period to minimise the impact of the data breach (e.g. communicating with recipients of a misdirected email and requesting them to delete the message unread).
4. Evaluation and Response
Once all the facts have been established, the Clerk will make a decision on how to ensure that any damage caused by the breach has been mitigated as far as possible, that any relevant legal obligations have been complied with, and that appropriate steps have been taken to prevent recurrence of the breach. In respect of mitigating the impact of the breach and any ongoing risks, and of complying with legal obligations, the following steps must be decided:
In the case of a breach involving personal data, do we need to report to the ICO?
This assessment will need to be immediate, as personal data breaches that require reporting to the ICO must be reported within 72 hours.
In accordance with Cabinet Office standards, a significant breach must be reported to the Cabinet Office.
In the case of a breach involving personal data, do we need to contact all/any of the individuals whose personal data was affected? And in the case of information concerning a business, do we need to contact that business?
If yes, how best should we manage these communications?
Do we need to contact any external recipients, including stakeholders?
If yes, how best should we manage these communications?
Is any subsequent action against any individual or business required, for example if it is the result of a deliberate or malicious action, or breach of contract?
Is the breach the result of our Cloud Provider?
If yes, then CPC would need to take into account any legal requirements placed on us by the Network & Information Systems (NIS) regulations.
In order to ensure that appropriate measures are in place to prevent a recurrence of the data breach, and to ensure that the data breach process itself is working effectively, the members of the council will then carry out a Lessons Learned exercise and implement any changes that this identifies as required to prevent future data breaches and ensure effective operation of the data breach process. The Lessons Learned exercise should be reasonable and proportionate in terms of scope and use of resource, by reference to the severity of the data breach and/or any underlying issue indicated by it.
Factors to consider include:
Was the breach caused, even in part, by any systemic or ongoing problem?
Was the breach caused by an external factor?
If yes, how had we prepared for this, e.g. an Impact Assessment or Information Security Assessment?
Human element - are there any areas where colleagues need additional training or tailored advice?
Are there any weaknesses in security, for example the portable storage of devices or access to CPC’s network?
Sharing or disclosing information - are transmission methods appropriate or even necessary, for example email protocols or anonymisation?
Did we react quickly enough to the incident?
Were we clear on what next steps to take, including damage mitigation at as early a stage as possible?
Were the right people informed/involved at every stage?
If deemed necessary a report recommending any changes to systems, policies and procedures will be considered by the Parish Council.