Develop a process to make sure you know what to do if things go wrong (you have a data breach)
What is a data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just losing personal data. Examples could be an email sent to the wrong recipient or the loss of a paper folder, both with personal data contained within them.
You should start to think about the possible breaches that could occur in your scout group. A breach can be:
- the disclosure of confidential data to unauthorised individuals
- the loss or theft of portable devices or equipment containing identifiable personal, confidential or sensitive data, e.g. PCs, USB drives, mobile phones, laptops, disks etc.
- the loss or theft of paper records
- inappropriate access controls allowing unauthorised use of information
- a suspected breach of the Group's IT security and acceptable use policies
- attempts to gain unauthorised access to computer systems, e.g. hacking
- records altered or deleted without authorisation from the data 'owner'
- viruses or other security attacks on IT equipment, systems or networks
- breaches of physical security, for example forcing of doors or windows into a secure room or filing cabinet containing confidential information
- confidential information left unlocked in accessible areas
- insecure disposal of confidential paper waste
- leaving IT equipment unattended while logged in to a user account without locking the screen, allowing others to access information
- the publication of confidential data on the internet in error, and accidental disclosure of passwords
- misdirected emails or faxes containing identifiable personal, confidential or sensitive data
You should also think about how you would identify that a breach had occurred, and what its impact would be on the people whose data had been affected.
The Scout Association's Data Breach Response Plan template is available to download.
Our Data Breach Response procedure template is available to download.
What should we do if we have a data breach?
A data breach means any of the personal data you manage being accidentally disclosed externally, or removed from your Scout Group by malicious means.
The first step is to make sure that the breach has been isolated. Then you should make sure that you document the breach. The document you need to complete is in the GDPR toolkit and is called the Breach Notification Form. This should be completed and passed to the relevant Executive Committee.
If the breach is likely to result in damage to a person's reputation, financial loss, loss of confidentiality, or major financial or social disadvantage, you should notify the Information Commissioner's Office (ICO), the UK's data protection regulator. You must inform them within 72 hours, so this process must be completed promptly. Your Executive Committee will be responsible for managing any form of data breach.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, you should also contact the affected individuals directly and without undue delay. Members and parents/guardians may exercise the rights they have over their data.
Responsibilities
Your Group Executive Committee is responsible for making sure that responses are complete and timely.
All adult volunteers who interact with data subjects are responsible for making sure that a personal data breach is reported to your Group Executive Committee, and that they provide as much detail as possible.
Reporting a data breach to the supervisory authority
The Executive Committee may need to report to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a personal data breach, if the breach is serious enough to meet the notification criteria described above.
The notification to the ICO must at least:
- describe the nature of the personal data breach
- outline the categories and approximate number of data subjects concerned
- outline the categories and approximate number of personal data records concerned
- communicate the name and contact details of the Executive Committee
- describe the likely consequences of the personal data breach
- describe the measures taken or proposed to be taken by the Executive Committee to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects