
ROSELYN HOUSE SCHOOL / THE RHISE SERVICE

DATA BREACH POLICY

The UK General Data Protection Regulation (UK GDPR) aims to protect the rights of individuals about whom data is obtained, stored, processed or supplied and requires that organisations take appropriate security measures against unauthorised access, alteration, disclosure or destruction of personal data.

The UK GDPR places obligations on staff to report actual or suspected data breaches and our procedure for dealing with breaches is set out below. All members of staff are required to familiarise themselves with its content and comply with the provisions contained in it. Training will be provided to all staff to enable them to carry out their obligations within this policy.

Data Processors will be provided with a copy of this policy and will be required to notify the School of any data breach without undue delay after becoming aware of it. Failure to do so may result in a breach of the terms of the processing agreement.

Breach of this policy will be treated as a disciplinary offence which may result in disciplinary action under KS Education Limited’s Disciplinary Policy and Procedure up to and including summary dismissal depending on the seriousness of the breach.

This policy does not form part of any individual’s terms and conditions of employment with KS Education Limited and is not intended to have contractual effect. Changes to data protection legislation will be monitored and further amendments may be required to this policy in order to remain compliant with legal obligations.

Definitions

Personal Data

Personal data is any information relating to an individual where the individual can be identified (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. This includes special category data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed.

Personal data can be factual (for example a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.

Personal data will be stored either electronically or as part of a structured manual filing system in such a way that it can be retrieved automatically by reference to the individual or criteria relating to that individual.

Special Category Data

Previously termed “Sensitive Personal Data”, Special Category Data is similar by definition and refers to data concerning an individual’s racial or ethnic origin, political or religious beliefs, trade union membership, physical and mental health, sexuality, biometric or genetic data and personal data relating to criminal offences and convictions.

Personal Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data or special category data transmitted, stored or otherwise processed.

Data Subject

The person to whom the personal data relates.

ICO

ICO is the Information Commissioner’s Office, the UK’s independent regulator for data protection and information.

Responsibility

Mrs R Smith has overall responsibility for breach notification within Roselyn House School / The RHISE Service. She is responsible for ensuring breach notification processes are adhered to by all staff and is the designated point of contact for personal data breaches.

In the absence of Mrs R Smith, please contact Miss S Damerall.

The Data Protection Officer (DPO) is responsible for overseeing this policy and developing data-related policies and guidelines.

Please contact the DPO with any questions about the operation of this policy or the UK GDPR or if you have any concerns that this policy is not being or has not been followed.

The DPO’s contact details are set out below: -

Data Protection Officer: Judicium Consulting Limited

Address: 72 Cannon Street, London, EC4N 6AE

Email: dataservices@judicium.com

Web: www.judiciumeducation.co.uk

Telephone: 0203 326 9174

Lead Contact: Craig Stilwell

Security and Data-Related Policies

Staff should refer to the following policies that are related to this data protection policy: -

  • Security Policy which sets out the School’s guidelines and processes on keeping personal data secure against loss and misuse.
  • Data Protection Policy which sets out the School’s obligations under UK GDPR about how it processes personal data.
  • Cyber Security Policy which sets out the School’s obligations and guidelines for Cyber Security issues.

These policies are also designed to protect personal data and can be found on the network and on our website.

Data Breach Procedure

What Is A Personal Data Breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data or special category data transmitted, stored or otherwise processed.

Examples of a data breach could include the following (but are not exhaustive): -

  • Loss or theft of data or equipment on which data is stored, for example loss of a laptop or a paper file (this includes accidental loss);
  • Inappropriate access controls allowing unauthorised use;
  • Equipment failure;
  • Human error (for example sending an email or SMS to the wrong recipient);
  • Unforeseen circumstances such as a fire or flood;
  • Hacking, phishing and other “blagging” attacks where information is obtained by deceiving whoever holds it.

When Does It Need To Be Reported?

Roselyn House School / The RHISE Service must notify the ICO of a data breach where it is likely to result in a risk to the rights and freedoms of individuals. This means that the breach needs to be more than just losing personal data and, if unaddressed, the breach is likely to have a significant detrimental effect on individuals.

Examples of where the breach may have a significant effect include: -

  • potential or actual discrimination;
  • potential or actual financial loss;
  • potential or actual loss of confidentiality;
  • risk to physical safety or reputation;
  • exposure to identity theft (for example through the release of non-public identifiers such as passport details);
  • the exposure of the private aspect of a person’s life becoming known by others.

If the breach is likely to result in a high risk to the rights and freedoms of individuals then the individuals must also be notified directly.

Reporting A Data Breach

If you know or suspect a personal data breach has occurred or may occur which meets the criteria above, you should: -

  • Complete a data breach report form (which can be obtained from Mrs R Smith);
  • Email the completed form to Mrs R Smith.

Where appropriate, you should liaise with your line manager about completion of the data breach report form. Breach reporting is encouraged throughout Roselyn House School / The RHISE Service and staff are expected to seek advice if they are unsure as to whether the breach should be reported and/or could result in a risk to the rights and freedoms of individuals. They can seek advice from Mrs R Smith or the DPO.

Once reported, you should not take any further action in relation to the breach. In particular you must not notify any affected individuals or regulators or investigate further. Mrs R Smith will acknowledge receipt of the data breach report form and take appropriate steps to deal with the report in collaboration with the DPO.

Managing and Recording The Breach

On being notified of a suspected personal data breach, Mrs R Smith will notify the DPO. Collectively they will take immediate steps to establish whether a personal data breach has in fact occurred. If so they will take steps to: -

  • Where possible, contain the data breach;
  • As far as possible, recover, rectify or delete the data that has been lost, damaged or disclosed;
  • Assess and record the breach in the data breach register;
  • Notify the ICO;
  • Notify data subjects affected by the breach;
  • Notify other appropriate parties to the breach;
  • Take steps to prevent future breaches.

Notifying the ICO

Mrs R Smith will notify the ICO when a personal data breach has occurred which is likely to result in a risk to the rights and freedoms of individuals.

This will be done without undue delay and, where possible, within 72 hours of becoming aware of the breach. The 72-hour deadline applies regardless of school holidays (i.e. it is not 72 working hours). If Roselyn House School / The RHISE Service is unsure whether to report a breach, the assumption will be to report it.

Where the notification is not made within 72 hours of becoming aware of the breach, written reasons will be recorded as to why there was a delay in referring the matter to the ICO.

Notifying Data Subjects

Where the data breach is likely to result in a high risk to the rights and freedoms of data subjects, Mrs R Smith will notify the affected individuals without undue delay, including the name and contact details of the DPO and ICO, the likely consequences of the data breach and the measures that Roselyn House School / The RHISE Service has taken (or intends to take) to address the breach.

When determining whether it is necessary to notify individuals directly of the breach, Mrs R Smith will co-operate with and seek guidance from the DPO, the ICO and any other relevant authorities (such as the police).

If it would involve disproportionate effort to notify the data subjects directly (for example, because we do not hold contact details for the affected individuals) then Roselyn House School / The RHISE Service will consider alternative means to make those affected aware (for example by making a statement on our website).

Notifying Other Authorities

Roselyn House School / The RHISE Service will need to consider whether other parties need to be notified of the breach. For example: -

  • Insurers;
  • Parents;
  • Third parties (for example when they are also affected by the breach);
  • Local authority;
  • The police (for example if the breach involved theft of equipment or data).

This list is non-exhaustive.

Assessing The Breach

Once initial reporting procedures have been carried out, Roselyn House School / The RHISE Service will carry out all necessary investigations into the breach.

Roselyn House School / The RHISE Service will identify how the breach occurred and take immediate steps to stop or minimise further loss, destruction or unauthorised disclosure of personal data. We will identify ways to recover, correct or delete data (for example notifying our insurers or the police if the breach involves stolen hardware or data).

Having dealt with containing the breach, Roselyn House School / The RHISE Service will consider the risks associated with the breach. These factors will help determine whether further steps need to be taken (for example notifying the ICO and/or data subjects as set out above). These factors include: -

  • What type of data is involved and how sensitive it is;
  • The volume of data affected;
  • Who is affected by the breach (i.e. the categories and number of people involved);
  • The likely consequences of the breach on affected data subjects following containment and whether further issues are likely to materialise;
  • Whether any protections are in place to secure the data (for example, encryption, password protection, pseudonymisation);
  • What has happened to the data;
  • What the data could tell a third party about the data subject;
  • The likely consequences of the personal data breach for Roselyn House School / The RHISE Service;
  • Any other wider consequences which may be applicable.

Preventing Future Breaches

Once the data breach has been dealt with, Roselyn House School / The RHISE Service will consider its security processes with the aim of preventing further breaches. In order to do this, we will: -

  • Establish what security measures were in place when the breach occurred;
  • Assess whether technical or organisational measures can be implemented to prevent the breach happening again;
  • Consider whether there is adequate staff awareness of security issues and look to fill any gaps through training or tailored advice;
  • Consider whether it is necessary to conduct a privacy or data protection impact assessment;
  • Consider whether further audits or data protection steps need to be taken;
  • Update the data breach register;
  • Debrief governors/management following the investigation.

Reporting Data Protection Concerns

Prevention is always better than dealing with data protection as an afterthought. Data security concerns may arise at any time and we would encourage you to report any concerns that you may have (even if they don’t meet the criteria of a data breach) to Mrs R Smith or the DPO. This can help capture risks as they emerge, protect Roselyn House School / The RHISE Service from data breaches and keep our processes up to date and effective.

Training

The School will ensure that staff are trained in and aware of the need to report data breaches, so that they know how to detect a data breach and the procedure for reporting one. This policy will be shared with staff.

Monitoring

We will monitor the effectiveness of this and all of our policies and procedures and conduct a full review and update as appropriate.

Our monitoring and review will include looking at how our policies and procedures are working in practice to reduce the risks posed to Roselyn House School / The RHISE Service.

May 2024
