Data Loss Assessment and Reporting Procedure
Governance and Legal Services, Strategy, Planning and Assurance Directorate
Approved by: Data Governance & Strategy Group
Approval Date: July 2016
Review Date: June 2019
Version: 2.1

Contents

1. Process flowchart
2. Summary of Key Points
3. Background
4. Purpose
5. Definitions
6. Roles and responsibilities
7. Report and contain potential damage
8. Investigate and assess risks
   8.1 Information gathering
   8.2 Confidentiality
9. Actions and notifications
10. Incident evaluation and follow up
11. Contact list for queries in relation to this Procedure
Appendix 1: Examples of incidents which should be reported
Appendix 2: Data Protection Incident Report Form
Appendix 3: Severity Assessment Tool

1. Process flowchart

Report: Report actual or suspected incidents to your line manager and to Information Management & Compliance (IMC). If a mobile device or storage device is lost or stolen, ALSO report this to the IT Service Desk (@kcl.ac.uk).

Contain: If IMC determine that a data breach has occurred, they will advise urgent containment action to minimise harm and data exposure. If NHS Digital data is involved, follow the HSCIC checklist and their reporting requirements.

Investigate: Complete the Incident Report Form and submit it to IMC as soon as possible.

Action: Follow instructions from IMC / the Incident Response Team.

Evaluate: Implement agreed follow-up actions and lessons learned to mitigate the risk of future occurrence (reported through the Information Security Forum and the Data Steward).
2. Summary of Key Points

2.1. This Procedure covers any incident where it appears that personal data for which the university is responsible is lost, misused, wrongly or unlawfully disclosed or accessed, or where there is a risk that an incident may allow unauthorised access to personal data.

2.2. It is designed to align with the ICO Guidance on Data Security Breach Management and also sets out the steps to be taken where a data security incident concerns data which is sourced from the Health and Social Care Information Centre (HSCIC).

2.3. It describes the roles and responsibilities of individuals involved in managing a data security incident, including:
- Responsible staff member
- Incident Owner
- Head of Information Management and Compliance
- Associate Director (Legal Services)
- Information Security Forum
- Data Stewards
- IT Service Desk

2.4. Practical measures for immediate containment and recovery following the reporting of a data security incident are described.

2.5. The Data Protection Policy and the Capability and Disciplinary Procedures both highlight negligence leading to a breach of the Data Protection Act 1998 as a potential disciplinary matter. The Procedure sets out the circumstances in which, and the process by which, disciplinary action will be initiated.

2.6. A framework tool for assessing the severity level of a data security incident is described, including reporting to the Information Commissioner's Office (ICO). In the case of data sourced from NHS Digital (previously the Health and Social Care Information Centre) it describes the action that must be taken in regard to reporting to NHS Digital.

2.7. Measures to be taken in agreeing and recording lessons learned, and in ensuring implementation of agreed actions, are described.

2.8. A reporting form to be completed by the Incident Owner upon discovery of a breach or incident is appended.

3. Background

3.1. In order to comply with the Data Protection Act 1998, organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. Where such measures fail, this Data Loss Assessment and Report Procedure ("Procedure") must be followed.

3.2. The requirements of this Procedure must be applied in conjunction with all applicable university policies and procedures, including, for example:
- Data Protection Policy
- Information Security Policy
- Encryption Policy
- Mobile Device Policy
- Research Data Management Policy
- Mobile Phone and SIM enabled Device Policy

4. Purpose

4.1. The purpose of this document is to describe the procedure for reporting incidents which involve the actual or suspected disclosure of personal data (as defined below) to unauthorised persons. It applies to all personal data made available to the university, irrespective of the source of the data or the media upon which it is held, and encompasses all university activities.

4.2. The implementation of this Procedure will:
- Facilitate a fast response to incidents in order to contain or minimise the impact of the incident on the data subjects affected, and minimise the university's exposure to legal and regulatory consequences, financial loss and reputational damage;
- Clarify the responsibilities of those involved in reporting data security incidents;
- Provide support to those who are affected by the incident, including the data subjects and those directly involved with the incident;
- Provide information regarding the causes of data security breaches so that improvements can be made to mitigate the risk of a further occurrence.

4.3. Reporting incidents should be viewed positively and is to be encouraged, as reports often result in improved services or provide clarification of procedures which have been missing.

5. Definitions

5.1. Personal data: any data which relates to a living individual who can be identified from that data, or from that data in conjunction with other readily available information.

5.2. Sensitive personal data: a sub-category of personal data that could cause harm or distress to an identifiable individual if generally released, including information relating to an individual's:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or other beliefs of a similar nature
- Trade union membership
- Physical or mental health or condition
- Sexual life
- Commission or alleged commission of any criminal offence
- Proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings

5.3. Data subject: the person whom the data concerns.

5.4. Disclosure: personal data should only be disclosed within the university to members of staff who need to know it in order to carry out their duties, or to others connected with the university who have been approved to receive such information in relation to university activities or events.

Examples of the types of incidents which should be reported are included in Appendix 1.
6. Roles and responsibilities

6.1. Staff who experience or discover a data loss are responsible for reporting it as soon as possible and should know to whom they should report or escalate an incident. This will normally be their line manager, or principal investigator (PI) in the context of research projects. The line manager/PI should report the incident to the relevant Director of Administration or Head of Professional Service, and to the Head of Information Management & Compliance.

6.2. Students should normally report incidents to their tutor or supervisor, who will be responsible for onward reporting of the incident to the relevant Director of Administration and the Head of Information Management & Compliance.

6.3. The incident owner will normally be the IT Major Incident Manager, Director of Administration or Head of Professional Service, or their nominated deputy, and has primary responsibility for investigating the incident and ensuring that steps are taken to address it. The incident owner must not be the same individual as the one who experienced/discovered the data loss.

6.4. The incident response team is convened where necessary and is responsible for assisting the incident owner in managing the incident. It comprises the incident owner, the Head of Information Management & Compliance, the Responsible Staff Member (or their line manager) and other relevant staff. Where necessary, this team should meet as soon as possible after the data loss occurs. The group may meet remotely by telephone or email.

6.5. The Responsible Staff Member is the person who has primary day-to-day responsibility for the data which has been lost, and may also be the person who experienced or discovered the loss. The Responsible Staff Member plays an important role in providing information about the data which has been lost. In some circumstances this person may be an affiliate or a contractor. If in doubt, they should confirm responsibilities with the relevant King's manager.

6.6. The IT Service Desk should ensure that incidents which are reported to them are reported on to the Head of Information Management and Compliance, including an assessment of the actual or potential security risks arising from an incident involving IT systems or equipment. This could include lost or stolen IT equipment or devices, or unauthorised access to data or systems.

6.7. Data loss incidents may occur as a result of, or in connection with, major IT incidents which are managed under the IT Major Incident Management Procedure. Where this occurs, the two procedures shall run in parallel (with this Procedure identifying the management steps to address the loss of personal data), but the incident owner shall be the IT Major Incident Manager under the Major Incident Management Procedure.

6.8. The Head of Information Management and Compliance will report the breach to the appropriate Data Steward, and will report the findings of the investigation and the actions taken to the Information Security Forum, who will take a view on lessons learned and report to the appropriate Data Steward/s (where these exist) to ensure that the necessary remedial actions are undertaken.

7. Report and contain potential damage

7.1. It is important that incidents are reported to the Information Management & Compliance Office as a matter of urgency, so that the seriousness of the incident can be determined as soon as possible, and so that advice can be provided on any immediate containment action required to minimise harm and data exposure.

7.2. The two main types of incident are:
- Where someone knows or suspects that an incident has occurred which actually or potentially involves inappropriate disclosure of personal data: contact the Information Management & Compliance Office immediately.
- Where a data storage device such as a PC, laptop, tablet, USB stick or smart phone has been lost or stolen, regardless of the data it contains: contact the IT Service Desk AND the Information Management & Compliance Office immediately.

7.3. If in doubt, it is better to report a suspected incident than to ignore it.

7.4. Contact details:
Information Management & Compliance Office: Tel / legal-compliance@kcl.ac.uk
IT Service Desk: Tel / @kcl.ac.uk

7.5. On becoming aware of a data security breach there may be immediate actions you can take to contain or lessen the impact. In the situations described, these could include:
- Immediately recalling an incorrectly sent email or, if the recall is unsuccessful, contacting the person/people to whom personal data has been disclosed, apologising, asking them to securely delete it from their systems (including from deleted items folders) and asking them to immediately confirm that they have done so;
- Immediately retrieving paper documents from any unintended recipients;
- Immediately disabling any lost or stolen data storage devices.

8. Investigate and assess risks

8.1. Information gathering

The Information Management & Compliance Office needs to gather enough information to determine whether or not a data breach has actually occurred and the urgency of the response required.

The Faculty/Directorate must co-operate promptly with the Information Management & Compliance Office to avoid any delays. This includes completing the Incident Report Form shown at Appendix 2 as quickly as possible following initial notification.

If it is concluded that a breach has occurred, then depending upon the seriousness and complexity of the incident an Incident Response Team may be established, comprising appropriate university expertise, to ensure that the incident is managed appropriately.

Any data security breach involving data sourced from NHS Digital (previously the Health and Social Care Information Centre) must be managed in accordance with the "Checklist guidance for reporting, managing and investigating information governance and cybersecurity serious incidents requiring investigation" and reported to NHS Digital (previously the Health and Social Care Information Centre) as required, without delay. Responsibility for notifications to NHS Digital will rest with the Incident Owner, supported by the Head of Information Management & Compliance. Any additional requirements of the relevant NHS Digital data sharing agreement must also be fully observed.

If NHS Trust data is involved, early notification by the Head of Information Management and Compliance to the relevant Trust Caldicott Guardian is required, and discussions will be necessary with the Trust to determine who is the data controller (in the sense of the Data Protection Act 1998) and whether the incident is the responsibility of the university or the Trust. Where it is determined that the incident is the responsibility of the Trust, the incident shall be passed to the Trust to manage and the incident for the university will be closed.

8.2. Confidentiality

Any discussion of the incident, or circulation of any related documents or emails, must be restricted to those directly involved in the investigation. Written or emailed documents related to the incident must be headed "Confidential".

To provide some privacy when reports and forms are circulated to the investigation team, individual data subjects must not be explicitly named in the reports or correspondence.

9. Actions and notifications

9.1. Any further actions to be taken will be determined following the investigation.

9.2. The communication of any data security breach to affected data subjects must be handled with care and sensitivity, and appropriate advice will be provided.

9.3. Wider communication of a breach, including notification to any regulatory authorities such as the Information Commissioner's Office, will be managed by the Information Management & Compliance Office in accordance with the severity assessment tool set out in Appendix 3.

10. Incident evaluation and follow up

10.1. The incident may highlight remedial action which is required in relation to procedures, additional training requirements, IT systems or the incident reporting procedure. Any agreed actions and target dates for completion will be recorded on the Incident Report Form.

10.2. The Head of Information Management & Compliance will ensure that the Incident Report Form is completed and will:
- liaise with the relevant Incident Owner to ensure that local actions are completed;
- escalate any actions which have not been completed by the target date;
- ensure that guidance material is revised to reflect any learning outcomes;
- report all data security breaches to the university's Data Governance & Strategy Group (DGSG) for monitoring and oversight; and
- propose an improvement plan and actions, where appropriate, to the DGSG and to the Data Steward via the Information Security Forum.

10.3. The Head of Information Management & Compliance may recommend the instigation of the relevant disciplinary procedure for staff, or misconduct procedure for students, where the circumstances of a particular incident under this Procedure make it appropriate to do so. Any such recommendation will be made to the Associate Director (Governance), who will determine whether a referral to the Human Resources Directorate is warranted.

10.4. This Procedure reflects the ICO Guidance on Data Security Breach Management, which should be referred to for any queries. This Procedure will be reviewed at least every three years or when there are significant changes.

11. Contact list for queries in relation to this Procedure

Role / Name / Telephone
- Head of Information Management & Compliance: contact Trevor Pearce (below)
- Information Compliance Manager: Ben Daley / ben.daley@kcl.ac.uk
- Associate Director (Governance): Trevor Pearce / trevor.pearce@kcl.ac.uk
APPENDIX 1: EXAMPLES OF INCIDENTS WHICH SHOULD BE REPORTED (IF UNSURE, REPORT IT)

Use the Incident Report Form for incidents involving:
- Misdirection of emails or correspondence containing personal data;
- Sending non-essential personal data to otherwise valid recipients;
- Failure of access controls, such as incorrect allocation of permissions or password sharing, which results in unauthorised access to personal data;
- Loss or theft of papers containing personal data;
- Personal data received in error;
- Publication of personal data on a website;
- Loss or theft of any university-owned data storage device regardless of the data it contains, e.g., laptop, PC, USB/pen drive, iPad or other tablet, removable hard drive, smart phone or other portable device; or
- Theft of any privately owned device, which should only be reported if it contains personal data related to university activities.

APPENDIX 2: DATA PROTECTION INCIDENT REPORT FORM

To be completed by the Incident Owner or their nominee and sent urgently to the Information Management & Compliance Office (and the IT Service Desk where applicable). This should be completed as soon as possible following discovery of the incident and initial notification to the Head of Information Management and Compliance. Please note that circulation of this form and any related documents must be restricted to those directly involved in investigating the incident. Please do not reference any data subjects by name in this report.

Report completed by [name, job title]:
Faculty/Directorate:
Telephone:
Date of report:

1. Description of data lost, stolen or disclosed [include examples of the type of data, volumes of records affected and number of data subjects involved. Where relevant, specify device make, model and serial number. Where a mobile device has been lost or stolen, please include the k number of the person who lost it]

2. Circumstances of the loss, theft or disclosure [include timing of events; location; IT media and applications involved; details of actions taken to date, e.g., anyone who has been contacted in relation to the incident]

3. Details of any other regulatory body or collaborative partner who may need to be informed [e.g., NHS Trust, NHS Digital, etc.]

4. What were the causes of the incident? What improvements could be made to prevent a recurrence? [Assessment of any related policies, procedures or guidance which have been breached, or wider issues; provide copies of any local guidelines or procedures which have not been followed]

5. Has the person/s responsible for or involved in the loss completed the university's Mandatory Data Protection Training Module?

-- To be completed by the Information Management & Compliance Office --
Incident Reference:
Incident Severity Rating:
Improvements to be considered / actions to be completed | Target date and action owner | Comments

APPENDIX 3: SEVERITY ASSESSMENT TOOL (FOR USE BY INFORMATION MANAGEMENT AND COMPLIANCE TEAM)

Where the data involved has been sourced from NHS Digital, previously the Health and Social Care Information Centre (HSCIC), the HSCIC "Checklist guidance for reporting, managing and investigating information governance and cybersecurity serious incidents requiring investigation" must be followed in respect of assessing the severity of the incident and the reporting requirements.

For all other incidents, the Head of Information Management & Compliance or the Incident Response Team will assess the severity of the incident on a scale of 0-3. The tool below is intended as a guide only and should not be relied on to reflect all relevant circumstances.

Initial score: No. of individuals whose data has been disclosed or put at risk: ... ,000 / 1,001 plus

Sensitivity factors should be applied to the initial score as follows.

For each of the following sensitivity factors, reduce the score by 1 (not applicable in the case of a score of 0):
A) No sensitive personal data
B) Information already accessible or in the public domain
C) Low level of harm to individuals

For each of the following factors, increase the score by 1:
D) Detailed information at risk, e.g. clinical care case notes, social care notes
E) High risk confidential information
F) One or more previous similar incidents in the last 12 months
G) Failure to implement, enforce or follow technical safeguards to protect information
H) Likely to attract media interest or other reputational damage, and/or a complaint has been made to the ICO by an organisation or individual
I) Individuals are likely to suffer substantial damage or distress, including significant embarrassment or detriment
J) Individuals likely to have been placed at risk of incurred physical harm

Sensitivity factors which would not be relevant should be excluded as follows (when the user selects the factor on the left, the factors on the right are excluded):
- A: D, E
- B: D, E, I, J
- C: I, J
- D: A, B
- E: A, B
- F: None
- G: None
- H: None
- I: B, C
- J: B, C

Where an incident scores 3 or more, it should be referred to the Head of Administration and College Secretary for a decision on whether to report the incident to the Information Commissioner's Office.

Amended 15 September 2016: contact details of Head of IMC and Associate Director of Governance.
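The scoring rules of the Appendix 3 tool (reductions, increases, the exclusion table and the referral threshold) as an added Python example; this is not the university's own tool. It assumes the initial 0-3 score has already been read off the number-of-individuals table, which is not fully legible here, and takes it as an input; treating "not applicable at a score of 0" as a floor is also an assumption.

```python
"""Severity scoring as described in Appendix 3 (added example, not the university's tool)."""
from __future__ import annotations

from typing import Iterable

# Factors that reduce the score by 1 each (not applied when the score is 0).
REDUCING_FACTORS = {
    "A": "No sensitive personal data",
    "B": "Information already accessible or in the public domain",
    "C": "Low level of harm to individuals",
}

# Factors that increase the score by 1 each.
INCREASING_FACTORS = {
    "D": "Detailed information at risk (e.g. clinical care case notes)",
    "E": "High risk confidential information",
    "F": "One or more previous similar incidents in the last 12 months",
    "G": "Failure to implement, enforce or follow technical safeguards",
    "H": "Likely to attract media interest / reputational damage / ICO complaint",
    "I": "Individuals likely to suffer substantial damage or distress",
    "J": "Individuals likely to have been placed at risk of physical harm",
}

# Exclusion table from Appendix 3: selecting the key excludes the listed factors.
EXCLUDED_BY = {
    "A": {"D", "E"},
    "B": {"D", "E", "I", "J"},
    "C": {"I", "J"},
    "D": {"A", "B"},
    "E": {"A", "B"},
    "F": set(),
    "G": set(),
    "H": set(),
    "I": {"B", "C"},
    "J": {"B", "C"},
}

ICO_REFERRAL_THRESHOLD = 3  # "scores 3 or more" -> refer for an ICO reporting decision


def conflicting_factors(selected: Iterable[str]) -> set[str]:
    """Return the selected factors that some other selected factor excludes.

    The table is symmetric for every pair it lists, so both members of a
    conflicting pair are returned (e.g. A and D together gives {"A", "D"}).
    """
    chosen = set(selected)
    unknown = chosen - set(EXCLUDED_BY)
    if unknown:
        raise ValueError(f"unknown sensitivity factor(s): {sorted(unknown)}")
    return {f for f in chosen if any(f in EXCLUDED_BY[other] for other in chosen - {f})}


def severity_score(initial_score: int, selected: Iterable[str]) -> int:
    """Apply the sensitivity factors to an initial 0-3 score.

    Reductions are applied first, in the order the tool lists them, and only
    while the score is above 0 (assumption: the tool's "not applicable in the
    case of a score of 0" is read as a floor). Increases follow and are not
    capped, since the tool itself speaks of scores of "3 or more".
    """
    if not 0 <= initial_score <= 3:
        raise ValueError("initial score must be on the 0-3 scale")
    chosen = set(selected)
    conflicts = conflicting_factors(chosen)
    if conflicts:
        raise ValueError(f"mutually exclusive factors selected: {sorted(conflicts)}")
    score = initial_score
    for _factor in sorted(chosen & set(REDUCING_FACTORS)):
        if score > 0:
            score -= 1
    score += len(chosen & set(INCREASING_FACTORS))
    return score


def requires_ico_referral(score: int) -> bool:
    """True when the score must go to the Head of Administration and College Secretary."""
    return score >= ICO_REFERRAL_THRESHOLD


def assess(initial_score: int, selected: Iterable[str]) -> dict:
    """Summarise an assessment in the shape recorded on the Incident Report Form."""
    chosen = sorted(set(selected))
    score = severity_score(initial_score, chosen)
    return {
        "initial_score": initial_score,
        "factors": chosen,
        "severity_score": score,
        "refer_for_ico_decision": requires_ico_referral(score),
    }


if __name__ == "__main__":
    # Constructed case: initial score 2, detailed clinical notes at risk (D)
    # and a similar incident within the last 12 months (F) -> score 4, refer.
    print(assess(2, ["D", "F"]))
```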
More informationData protection policy
Data protection policy Context and overview Introduction The ASHA Centre needs to gather and use certain information about individuals. These can include customers, suppliers, business contacts, employees
More informationPS 176 Removable Media Policy
PS 176 Removable Media Policy December 2013 Version 2.0 Statement of legislative compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010; Data
More informationCognizant Careers Portal Terms of Use and Privacy Policy ( Policy )
Cognizant Careers Portal Terms of Use and Privacy Policy ( Policy ) Introduction This Policy applies to the Careers portal on the Cognizant website accessed via www.cognizant.com/careers ("Site"), which
More informationData Protection Policy
The Worshipful Company of Framework Knitters Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act 1998 (DPA) [UK] For information on this
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Colin Sloey Implementation Date: September 2010 Version Number:
More informationREPORTING INFORMATION SECURITY INCIDENTS
INFORMATION SECURITY POLICY REPORTING INFORMATION SECURITY INCIDENTS ISO 27002 13.1.1 Author: Owner: Organisation: Document No: Chris Stone Ruskwig TruePersona Ltd SP-13.1.1 Version No: 1.0 Date: 1 st
More informationIslam21c.com Data Protection and Privacy Policy
Islam21c.com Data Protection and Privacy Policy Purpose of this policy The purpose of this policy is to communicate to staff, volunteers, donors, non-donors, supporters and clients of Islam21c the approach
More informationINFORMATION TECHNOLOGY SECURITY POLICY
INFORMATION TECHNOLOGY SECURITY POLICY Author Responsible Director Approved By Data Approved September 15 Date for Review November 17 Version 2.3 Replaces version 2.2 Mike Dench, IT Security Manager Robin
More informationICT Portable Devices and Portable Media Security
ICT Portable Devices and Portable Media Security Who Should Read This Policy Target Audience All Trust Staff, contractors, and other agents, who utilise trust equipment and access the organisation s data
More informationADMA Briefing Summary March
ADMA Briefing Summary March 2013 www.adma.com.au Privacy issues are being reviewed globally. In most cases, technological changes are driving the demand for reforms and Australia is no exception. From
More informationCreative Funding Solutions Limited Data Protection Policy
Creative Funding Solutions Limited Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments
More informationBreach Notification Assessment Tool
Breach Notification Assessment Tool December 2006 Information and Privacy Commissioner of Ontario David Loukidelis Commissioner Ann Cavoukian, Ph.D. Commissioner This document is for general information
More informationEnviro Technology Services Ltd Data Protection Policy
Enviro Technology Services Ltd Data Protection Policy 1. CONTEXT AND OVERVIEW 1.1 Key details Rev 1.0 Policy prepared by: Duncan Mounsor. Approved by board on: 23/03/2016 Policy became operational on:
More informationIntroductory guide to data sharing. lewissilkin.com
Introductory guide to data sharing lewissilkin.com Executive Summary Most organisations carry out some form of data sharing, whether it be data sharing between organisations within the group or with external
More informationNDIS Quality and Safeguards Commission. Incident Management System Guidance
NDIS Quality and Safeguards Commission Incident Management System Guidance Version 1 - May 2018 Acknowledgment This guidance is published by the Australian Government, using resources developed by the
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller
More informationAbout the information we collect We collect and process personal data including but not limited to:-
Privacy Policy About us TP Supported Accommodation is responsible for collecting, processing, storing and safe keeping of personal information as part of our business activities. We manage information
More informationPolicy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.
London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate
More informationCardiff University Security & Portering Services (SECTY) CCTV Code of Practice
Cardiff University Security & Portering Services (SECTY) CCTV Code of Practice Document history Author(s) Date S Gamlin 23/05/2018 Revision / Number Date Amendment Name Approved by BI annual revision Date
More informationInformation Security Policy
Information Security Policy Title: Information Security Reference: IS-01 Status: Approved Version: 1.1 Date: July 2017 Classification: Non-Sensitive/Open Author(s) Head of Information Assurance Approved
More informationPrivacy Breach Policy
1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure
More informationInstitute of Technology, Sligo. Information Security Policy. Version 0.2
Institute of Technology, Sligo Information Security Policy Version 0.2 1 Document Location The document is held on the Institute s Staff Portal here. Revision History Date of this revision: 28.03.16 Date
More informationInformation Security Strategy
Security Strategy Document Owner : Chief Officer Version : 1.1 Date : May 2011 We will on request produce this Strategy, or particular parts of it, in other languages and formats, in order that everyone
More informationData protection. 3 April 2018
Data protection 3 April 2018 Policy prepared by: Ltd Approved by the Directors on: 3rd April 2018 Next review date: 31st March 2019 Data Protection Registration Number (ico.): Z2184271 Introduction Ltd
More informationData Processing Agreement DPA
Data Processing Agreement DPA between Clinic Org. no. «Controller». and Calpro AS Org. nr. 966 291 281. «Processor» If the parties have executed a Data Management Agreement, the Date Management Agreement
More information1 Privacy Statement INDEX
INDEX 1 Privacy Statement Mphasis is committed to protecting the personal information of its customers, employees, suppliers, contractors and business associates. Personal information includes data related
More informationElement Finance Solutions Ltd Data Protection Policy
Element Finance Solutions Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments
More informationCompany Policy Documents. Information Security Incident Management Policy
Information Security Incident Management Policy Information Security Incident Management Policy Propeller Studios Ltd is responsible for the security and integrity of all data it holds. Propeller Studios
More informationIt applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).
Our Privacy Policy 1 Purpose Mission Australia is required by law to comply with the Privacy Act 1988 (Cth) (the Act), including the Australian Privacy Principles (APPs). We take our privacy obligations
More informationInformation Governance Policy
2015 Information Governance Policy University of Wolverhampton Version 1.0 28 th October 2015 Policy Approval Procedure Information Governance Policy Policy Author: Stephen Hill Dept.: DAS Information
More informationVirginia State University Policies Manual. Title: Information Security Program Policy: 6110
Purpose Virginia State University (VSU) uses information to perform the business services and functions necessary to fulfill its mission. VSU information is contained in many different mediums including
More informationGDPR Compliance. Clauses
1 Clauses GDPR The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a privacy and data protection regulation in the European Union (EU). It became enforceable from May 25 2018. The
More informationSchedule EHR Access Services
This document (this Schedule") is the Schedule for Services ( EHR Access Services ) related to access to the electronic health records ( EHR ) maintained by ehealth Ontario and the use of information in
More informationHOW WE USE YOUR INFORMATION
HOW WE USE YOUR INFORMATION Herold Mediatel Ltd compiles the Gibraltar Telephone Directory on behalf of Gibtelecom. Every care is taken to render this Directory as accurate as possible but neither Herold
More informationCayman Islands Data Protection Law Guide Book
Cayman Islands Data Protection Law Guide Book 2017 Guide Book Cayman Islands Data Protection Law, 2017 1. Background and Overview On 27 March 2017 the Data Protection Law, 2017 (Law) was passed by the
More informationGeneral Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:
General Legal Requirements regarding the Personal Data Protection ( PDP ) Principles under the PDP Act 2010 ( Act ) and the relevant Subsidiary Legislations PDP Principles General Principle Data users
More informationUKIP needs to gather and use certain information about individuals.
UKIP Data Protection Policy Context and overview Key details Policy Update Prepared by: D. Dennemarck / S. Turner Update approved by Management on: November 6, 2015 Policy update became operational on:
More informationma recycle GDPR Privacy Policy .com Rely and Comply... Policy Date: 24 May 2018
ma recycle.com Rely and Comply... GDPR Privacy Policy Policy Date: 24 May 2018 Max Recycle Hawthorne House Blackthorn Way Sedgeletch Industrial Estate Fencehouses Tyne & Wear DH4 6JN T: 0845 026 0026 F:
More informationComputer Security Policy
Administration and Policy: Computer usage policy B 0.2/3 All systems Computer and Rules for users of the ECMWF computer systems May 1995 Table of Contents 1. The requirement for computer security... 1
More informationAcceptable Usage Policy (Student)
Acceptable Usage Policy (Student) Author Arthur Bogacki Date 18/10/2017 Version 1.1 (content sourced and consolidated from existing Email and Electronic Communication, and User Code of Practice policies.)
More informationEmployee Security Awareness Training Program
Employee Security Awareness Training Program Date: September 15, 2015 Version: 2015 1. Scope This Employee Security Awareness Training Program is designed to educate any InComm employee, independent contractor,
More informationPolemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.
Privacy policy 1 Background This document sets out the policy of Polemic Forensic ABN 60 392 752 759 ( Polemic ) relating to the protection of the privacy of personal information. Polemic is a business
More informationDate Approved: Board of Directors on 7 July 2016
Policy: Bring Your Own Device Person(s) responsible for updating the policy: Chief Executive Officer Date Approved: Board of Directors on 7 July 2016 Date of Review: Status: Every 3 years Non statutory
More informationThe Data Protection Act 1998
The Data Protection Act 1998 1. Terms 2. The principles of The Data Protection Act 3. Disclosure of Information 4. Subject Access 5. Enforcement 6. Data Security 7. Recording of Contact Exemptions All
More informationNWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2
NWQ Capital Management Pty Ltd Privacy Policy March 2017 Page 1 of 8 Privacy and Spam Policy NWQ Capital Management Pty Ltd s Commitment NWQ Capital Management Pty Ltd (NWQ) is committed to providing you
More informationRemote Working & Mobile Devices Security Standard
TRUST-WIDE NON-CLINICAL DOCUMENT Remote Working & Mobile Devices Security Standard Standard Number: Scope of this Document: Recommending Committee: Approving Committee: SS02 All Staff Joint Information
More informationThis policy should be read in conjunction with LEAP s Conflict of Interest Policy.
Policy Number 4.1 Policy Name Release No. 2 Release Date August 2017 Date For Next Review August 2018 Policy LEAP Social Services/Different Abilities Services (LEAP) is committed to the effective, timely
More informationStatutory Notifications
Registration under the Health and Social Care Act 2008 Statutory Notifications Guidance for registered providers and managers of NHS GP and other primary medical services May 2013 Statutory notifications
More informationA Homeopath Registered Homeopath
A Homeopath Registered Homeopath DATA PROTECTION POLICY Scope of the policy This policy applies to the work of homeopath A Homeopath (hereafter referred to as AH ). The policy sets out the requirements
More informationPrivacy Policy Wealth Elements Pty Ltd
Page 1 of 6 Privacy Policy Wealth Elements Pty Ltd Our Commitment to you Wealth Elements Pty Ltd is committed to providing you with the highest levels of client service. We recognise that your privacy
More informationData Breach Notification: what EU law means for your information security strategy
Data Breach Notification: what EU law means for your information security strategy Olivier Proust December 8, 2011 Hunton & Williams LLP Key points 1. Introduction 2. Overview of data breach requirements
More informationThe Data Protection Act 1998 and the Use of Personal Data for IT Administration
Introduction The Data Protection Act 1998 and the Use of Personal Data for IT Administration 1. This document has been drawn up to provide guidance to University IT staff who need to use real data about
More information