DATE OF IMPLEMENTATION/REVIEW: 01/09/2021
IMPLEMENTED AND AUDITED BY: James McAlpine
COMMENTS: To be reviewed 01/09/2022
This policy is also covered in our Staff Handbook
The Company has a legal obligation to notify serious breaches if its duty of care in respect of protecting confidential information. This policy explains this in detail.
The Company is fully aware of its obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 to process data lawfully and to ensure it is kept securely. We take these obligations extremely seriously and have protocols in place to ensure that, to the best of our efforts, data is not susceptible to loss or other misuse.
The GDPR incorporates a requirement for a personal data breach to be notified to the supervisory authority and in some cases to the affected individuals. This policy sets out the Company’s stance on taking action if a breach were to occur.
Procedure and Guidance
Personal data breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed. A ‘breach’, for these purposes, is identifiable as a security incident which has affected the confidentiality, integrity or availability of personal data. As indicated above, a data breach for these purposes is wider in scope than the loss of data. The following are examples of data breaches:
For the purposes of this policy, a data breach will be notifiable when it is deemed by the Company as likely to pose a risk to people’s rights and freedoms. If it does not carry that risk, the breach is not subject to notification although it will be entered on the Company’s breach record. A risk to people’s freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.
When assessing the likelihood of the risk to people’s rights and freedoms, the Company will consider:
Actions upon identification of breach
When the Company is made aware of a breach, it will undertake an immediate investigation into what happened and what actions must be taken to restrict any consequences or further occurrence.
A determination will be made at that point whether the breach is deemed a notifiable breach and whether it is deemed as resulting in a high risk to the rights and freedoms of individuals.
Timescales for notification to supervisory authority
Where a notifiable breach has occurred, the Company will notify the Information Commissioner’s Office without undue delay and at the latest within 72 hours of it becoming aware of the breach. If notification is made beyond this timeline, the Company will provide the Information Commissioner’s Office with reasons for this. If it has not been possible to conduct a full investigation into the breach in order to give full details to the Information Commissioner’s Office within 72 hours, an initial notification of the breach will be made within 72 hours, giving as much detail as possible, together with reasons for incomplete notification and an estimated timescale for full notification. The initial notification will be followed up by further communication to the Information Commissioner’s Office to submit the remaining information.
Content of breach notification to the supervisory authority
The following information will be provided when a breach is notified:
Timescales for notification to affected individuals
Where a notifiable breach has occurred, which is deemed to have a high risk to the rights and freedoms of individuals, the Company will notify the affected individuals themselves i.e., the individuals whose data is involved in the breach, in addition to the supervisory authority.
This notification will be made without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified. A high risk may be, for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online.
Content of breach notification to the affected individuals
The following information will be provided when a breach is notified to the affected individuals:
Record of breaches
The Company records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under GDPR. It records the facts relating to the breach, its effects and the remedial action taken.
KLOE Reference for this Policy: Safe | Well-Led
Regulations directly linked to this Policy: Regulation 9: Person-centred care | Regulation 10: Dignity and respect | Regulation 11: Need for consent
Regulation(s) relevant to this Policy: