Data Breach Process

Although Summercroft Primary School takes measures against unauthorised or unlawful processing and against accidental loss, destruction or damage to personal data as set out in this policy and the supporting policies referred to, a data security breach could still happen.  Examples of data breaches include:

• Loss or theft of data or equipment on which data is stored (e.g. losing an unencrypted USB stick, losing an unencrypted mobile phone)
• Inappropriate access controls allowing unauthorised use
• Equipment failure
• Human error (e.g. sending an email to the wrong recipient, information posted to the wrong address, dropping/leaving documents containing personal data in a public space)
• Unforeseen circumstances such as fire or flood
• Hacking attack
• ‘Blagging’ offences where information is obtained by deceiving Summercroft Primary School

However the breach has occurred, the following steps should be taken immediately:

1. Internal Notification:  Individual who has identified the breach has occurred must notify the Summercroft Primary School DPO.  A record of the breach should be created using the following templates:

• Data Breach Incident Form (Appendix A)
• Data Breach Log (Appendix B)
• Evidence Log (Appendix C)

1. Containment:  DPO to identify any steps that can be taken to contain the data breach (e.g. isolating or closing the compromised section of network, finding a lost piece of equipment, changing access codes) and liaise with the appropriate parties to action these.
2. Recovery:  DPO to establish whether any steps can be taken to recover any losses and limit the damage the breach could cause (e.g. physical recovery of equipment, back up tapes to restore lost or damaged data)
3. Assess the risks:  Before deciding on the next course of action, DPO to assess the risks associated with the data breach giving consideration to the following, which should be recorded in the Data Breach Notification form (Appendix C):

• What type of data is involved
• How sensitive is it?
• If data has been lost/stolen, are there any protections in place such as encryption?
• What has happened to the data?
• What could the data tell a third party about the individual?
• How many individuals data have been affected by the breach?
• Whose data has been breached?
• What harm can come to those individuals?
• Are there wider consequences to consider such as reputational loss?

1. Notification to the Information Commissioners Office (ICO):  Following the risk assessment in step 4, the DPO should notify the ICO within 72 hours of the identification of a data breach if it is deemed that the breach is likely to have a significant detrimental effect on individuals.  This might include if the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any significant economic or social disadvantage.

The DPO should contact ICO using their security breach helpline on 0303 123 1113, option 3 (open Monday to Friday 9am-5pm) or the ICO Data Breach Notification form can be completed and emailed to casework@ico.org.uk.

1. Notification to the Individual:  The DPO must assess whether it is appropriate to notify the individual(s) whose data has been breached.  If it is determined that the breach is likely to result in a high risk to the rights and freedoms of the individual(s) then they must be notified by  Summercroft Primary School.

1. Evaluation:  The DPO should assess whether any changes need to be made to Summercroft Primary School processes and procedures to ensure that a similar breach does not occur.