Data Breach Notification Procedure Policy

Updated on 13 September 2024 BrisDoc Governance Team

Introduction

Whilst we are committed to protecting the personal data of all individuals, there will always be a risk of a data breach.

If there are occurrences of any of the following, they must be notified immediately, or as soon as is practicable, to the Caldicott Guardian and/or IG Lead.

  • Loss of any personal data
  • Destruction of any personal data other than when authorised by our Records Management Policy, due to the personal data being outside our retention policy
  • Unauthorised disclosure of personal data
  • Corruption of personal data
  • Unauthorised access to personal data
  • Unauthorised alteration of personal data

On receipt of notification, the following steps will be taken by the Caldicott Guardian and/or IG Lead:

  • The board of directors and our DPO will be notified
  • Consideration will be given to the extent of the breach and the risk to any individual will be assessed. A report will be written as to the findings
  • A decision will be taken as to what steps can be taken to mitigate the effects of the breach
  • The report will be provided to the board of directors
  • If the breach is likely to result in a high risk of adversely affecting the data subject’s rights and freedoms, the data subject will be notified without delay. If it is decided not to notify the data subject, a record will be made of the decision and the reasons for making the decision. The record will be made in the Data Breach Register
  • If the data breach is likely to result in a risk to the rights and freedoms of the data subject, the Information Commissioner will be notified without undue delay and not later than 72 hours after becoming aware of the data breach. If it is decided not to make a report to the ICO, a record will be made of the decision and the reasons for making the decision in the Data Breach Register
  • The above decisions can be reviewed and amended as further information comes to light

Reporting a Breach

This document should be circulated to all staff so that they can easily identify a breach and be aware that strict time limits apply, even during weekends and bank holidays.

Appendix 1 – IG/Data Security Breach Assessment Reporting and Management Process

Use appendix two to assess impact.

Appendix 2 – IG/Data Security Breach Assessment Grid

Appendix 3 – DPO Data Breach Notification Procedure

If you decide to seek advice from the DPO due to a data breach:

  1. Notify the DPO as soon as possible (including weekends), as there is a window of 72 hours to report a breach to the ICO if the breach is reportable.
  2. Mitigate the breach as far as possible, for example by recovering the lost or disclosed data.
  3. Send to the DPO on dpo@affinityresolutions.co.uk:
     • The date of the breach
     • The date you became aware of the breach
     • A brief account of the breach
     • Details of the data which has been lost/disclosed
     • The number of data subjects affected
     • Whether the data subject(s) is aware of the breach
     • Whether any other organisation is aware of the data breach
     • Any steps taken to mitigate the breach
     • If sending supporting documentation, redact personal information if possible

Appendix 4 – Personal Data definition

Personal Data Breach

As per Article 4(12) of the GDPR, a “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The traditional view that a personal data breach is only reportable when data falls into the wrong hands has now been replaced by the concept of a ‘risk to the rights and freedoms of individuals’ under Article 33 of GDPR. These types of breaches are graded as per the guidance from NHS Digital using a 5×5 risk scoring matrix and may be notifiable to the Information Commissioner's Office (ICO) if they attain a grade as described in the guidance.

Personal data

This is data defined as ‘any information relating to an identified or identifiable living individual’. An “identifiable living individual” means a living individual who can be identified, directly or indirectly, by reference to:

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

All paper records that relate to a living individual, and any aspect of digital processing such as IP addresses and cookies, are deemed personal data. GDPR also classifies geographical data and biometric data as personal data.

Special Categories of Personal Data

Under GDPR, these are:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • the processing of genetic data
  • biometric data for uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

For data security breach reporting purposes, special categories of data also include:

  • Vulnerable children
  • Vulnerable adults
  • Criminal convictions/prisoner information
  • Special characteristics listed in the Equality Act 2010 where not explicitly listed in this guidance and it could potentially cause discrimination against such a group or individual
  • Communicable diseases as defined by public health legislation
  • Sexual health
  • Mental health

Change Register

Date       Version  Author            Change Details
Feb-22     1.0      D Lowndes / DPO   After DPO review of all policies, new procedure as drafted by DPO. Additional material as a result of recent incident
Mar-22     1.1      D Lowndes         Additional appendices added
July 2024  1.2      K Ryan            Removed names, changed incident to learning event and Appendix 1 changed wording


Attached Files

  • Data Breach Notification Procedure v1.2 (.pdf, 490.75 KB)
All Rights Reserved | BrisDoc Healthcare Services