Data Loss Assessment and Reporting Procedure

Transcription

1 Data Loss Assessment and Reporting Procedure Governance and Legal Services Strategy, Planning and Assurance Directorate Approved by: Data Governance & Strategy Group Approval Date: July 2016 Review Date: June 2019 Version: 2.1

2 Contents 1. Process flowchart Summary of Key Points Background Purpose Definitions Roles and responsibilities Report and contain potential damage Investigate and assess risks Information gathering Confidentiality Actions and notifications Incident evaluation and follow up Contact list for queries in relation to this Procedure... 9 APPENDIX APPENDIX APPENDIX

3 1. Process flowchart Report Report actual or suspected incidents to line manager and Information Management & Compliance (IMC) If a mobile device or storage device is lost or stolen ALSO report this to the IT Service Desk @kcl.ac.uk Contain If IMC determine that a data breach has occurred they will advise urgent containment action to minimise harm and data exposure If NHS Digital data, follow the HSCIC checklist and their reporting requirements Investigate Complete the Incident Report Form and submit to IMC as soon as possible Incident Report Form Action Follow instructions from IMC / Incident Response Team Evaluate Implement agreed follow-up actions and lessons learned to mitigate risk of future occurrence Information Security Forum Data Steward 3

4 2. Summary of Key Points 2.1. This Procedure covers any incident where it appears that personal data for which the university is responsible is lost, misused, wrongly or unlawfully disclosed or accessed, or there is a risk that an incident may allow unauthorised access to personal data It is designed to align with the ICO Guidance on Data Security Breach Management and also sets out the steps to be taken where a data security incident concerns data which is sourced from the Health and Social Care Information Centre (HSCIC) It describes roles and responsibilities of individuals involved in managing a data security incident, including: o Responsible staff member o Incident Owner o Head of Information Management and Compliance o Associate Director (Legal Services) o Information Security Forum o Data Stewards o IT Service Desk 2.4. Practical measures for immediate containment and recovery following reporting of a data security incident are described The Data Protection Policy and the Capability and Disciplinary Procedures both highlight negligence leading to a breach of the Data Protection Act 1998 as potential disciplinary matters. The Procedure sets out the circumstances in which, and process by which, disciplinary action will be initiated A framework tool for assessing the severity level of a data security incident is described, including reporting to the Information Commissioner s Office (ICO). In the case of data sourced from the NHS Digital (previously Health and Social Care Information Centre) it describes the action that must be taken in regard to reporting to NHS Digital Measures to be taken in agreeing and recording lessons learned and ensuring implementation of agreed actions are described A reporting form to be completed by the Incident Owner upon discovery of a breach or incident is appended. 3. Background 3.1. In order to comply with the Data Protection Act 1998, organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. Where such measures fail, this Data Loss Assessment and Report Procedure ( Procedure ) must be followed The requirements of this Procedure must be applied in conjunction with all applicable university policies and procedures, including, for example:- Data Protection Policy Information Security Policy Encryption Policy 4

5 Mobile Device Policy Research Data Management Policy Mobile Phone and SIM enabled Device Policy 4. Purpose 4.1. The purpose of this document is to describe the procedure for reporting incidents which involve the actual or suspected disclosure of personal data (as defined below) to unauthorised persons. It applies to all personal data made available to the university, irrespective of the source of the data or the media upon which it is held, and encompasses all university activities The implementation of this Procedure will: Facilitate a fast response to incidents in order to contain or minimise the impact of the incident on data subjects affected by the incident, and minimise the university s exposure to legal and regulatory consequences, financial loss and reputation damage; Clarify the responsibilities of those involved in reporting data security incidents; Provide support to those who are affected by the incident, including the data subjects and those directly involved with the incident; Provide information regarding the causes of data security breaches so that improvements can be made to mitigate the risk of a further occurrence Reporting incidents should be viewed positively and is to be encouraged, as they often result in improved services or provide clarification of procedures which have been missing. 5. Definitions 5.1. Personal data: any data which relates to a living individual who can be identified from that data, or from that data in conjunction with other readily available information Sensitive personal data: a sub-category of personal data that could cause harm or distress to an identifiable individual if generally released, including information relating to an individual s: Racial or ethnic origin Political opinions Religious beliefs or other beliefs of a similar nature Trade union membership Physical or mental health or condition Sexual life Commission or alleged commission of any criminal offence Proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings 5.3. Data subject: the person who the data concerns Disclosure: personal data should only be disclosed within the university to members of staff who need to know it in order to carry out their duties, or to others connected with the university who have been approved to receive such information in relation to university activities or events. Examples of the types of incidents which should be reported are included in Appendix 1. 5

6 6. Roles and responsibilities 6.1. Staff who experience or discover a data loss are responsible for reporting it as soon as possible and should know to whom they should report or escalate an incident. This will normally be their line manager, or principal investigator (PI) in the context of research projects. The line manager/pi should report the incident to the relevant Director of Administration or Head of Professional Service, and the Head of Information Management & Compliance Students should normally report incidents to their tutor or supervisor, who will be responsible for onward reporting of the incident to the relevant Director of Administration and the Head of Information Management & Compliance The incident owner will normally be the IT Major Incident Manager, Director of Administration or Head of Professional Service, or their nominated deputy, and has primary responsibility for investigating the incident and ensuring that steps are taken to address the incident. The incident owner must not be the same as the individual who experienced/discovered the data loss The incident response team is convened where necessary and is responsible for assisting the incident owner in managing the incident. It comprises the incident owner, the Head of Information Management & Compliance, the Responsible Staff Member (or their line manager) and other relevant staff. Where necessary, this team should meet as soon as possible after the data loss occurs. The group may meet remotely by telephone or The Responsible Staff Member is the person who has primary day to day responsibility for the data which has been lost, and may also be the person who experienced or discovered the loss. The Responsible Staff Member plays an important role in providing information about the data which has been lost. In some circumstances this person may be an affiliate or a contractor. If in doubt they should confirm responsibilities with the relevant King s manager The IT Service desk should ensure that incidents which are reported to them are reported to the Head of Information Management and Compliance, including an assessment of actual or potential security risks arising from an incident involving IT systems or equipment. This could include lost or stolen IT equipment or devices, or unauthorised access to data or systems Data loss incidents may occur as a result of, or in connection with, major IT incidents which are managed under the IT Major Incident Management Procedure. Where this occurs, the two procedures shall run in parallel (with this Procedure identifying the management steps to address the loss of personal data), but the incident owner shall be the IT Major Incident Manager under the Major Incident Management Procedure The Head of Information Management and Compliance will report the breach to the appropriate Data Steward and report findings of the investigation and actions taken to the Information Security Forum who will take a view on lessons learned and report to the appropriate Data Steward/s (where these exist)to ensure necessary remedial actions are undertaken. 7. Report and contain potential damage 7.1. It is important that incidents are reported to the Information Management & Compliance Office as a matter of urgency, in order that the seriousness of the incident can be determined as soon as 6

7 possible, and so that advice can be provided on any immediate containment action required to minimise harm and data exposure The two main types of incident are: Where someone knows or suspects that an incident has occurred which actually or potentially involves inappropriate disclosure of personal data - contact the Information Management & Compliance Office immediately Where a data storage device such as a PC, laptop, tablet, USB stick, or smart phone has been lost or stolen, regardless of the data it contains contact the IT Service Desk AND the Information Management & Compliance Office immediately If in doubt, it is better to report a suspected incident than to ignore it Contact details: Information Management & Compliance Office Tel legal-compliance@kcl.ac.uk IT Service Desk Tel @kcl.ac.uk 7.5. On becoming aware of a data security breach there may be immediate actions you can take to contain or lessen the impact. In the situations described, these could include: Immediately recalling an incorrectly sent . Or, if the recall is unsuccessful, by contacting the person/people to whom personal data has been disclosed, apologising and asking them to securely delete it from their systems (including from deleted items folders) and to immediately confirm that they have done so Immediately retrieving paper documents from any unintended recipients Immediately disabling any lost or stolen data storage devices. 8. Investigate and assess risks 8.1. Information gathering The Information Management & Compliance Office need to gather enough information to determine whether or not a data breach has actually occurred and the urgency of response required The Faculty/Directorate must co-operate promptly with the Information Management & Compliance Office to avoid any delays. This includes completing the Incident Report form shown at Appendix 2 as quickly as possible following initial notification If it is concluded that a breach has occurred, depending upon the seriousness and complexity of the incident, an Incident Response Team may be established, comprising appropriate university expertise to ensure that the incident is managed appropriately. 7

8 Any data security breach involving data sourced from NHS Digital (previously the Health and Social Care Information Centre) must be managed in accordance with the Checklist guidance for reporting, managing and investigating information governance and cybersecurity serious incidents requiring investigation and reported to NHS Digital (previously the Health and Social Care Information Centre) as required, without delay Responsibility for notifications to NHS Digital will rest with the Incident Owner, supported by the Head of Information Management & Compliance. Any additional requirements of the relevant NHS Digital data sharing agreement must also be fully observed If NHS Trust data is involved, early notification by the Head of Information Management and Compliance to the relevant Trust Caldicott Guardian is required and discussions will be necessary with the Trust to determine who is the data controller (in the sense of the Data Protection Act 1998) and whether the incident is the responsibility of the university or the Trust. Where it is determined that the incident is the responsibility of the Trust, the incident shall be passed to the Trust to manage and the incident for the university will be closed Confidentiality Any discussion of the incident or circulation of any related documents or s must be restricted to those directly involved in the investigation. Written or ed documents related to the incident must be headed Confidential To provide some privacy when reports and forms are circulated to the investigation team, individual data subjects must not be explicitly named in the reports or correspondence. 9. Actions and notifications Any further actions to be taken will be determined following the investigation The communication of any data security breach to affected data subjects must be handled with care and sensitivity and appropriate advice will be provided Wider communication of a breach, including notification to any regulatory authorities, such as the Information Commissioner s Office, will be managed by the Information Management & Compliance Office in accordance with the severity assessment tool set out in Appendix Incident evaluation and follow up The incident may highlight remedial action which is required in relation to procedures, additional training requirements, IT systems or the incident reporting procedure. Any agreed actions and target dates for completion will be recorded on the Incident Report Form The Head of Information Management & Compliance will ensure that the Incident Report Form is completed and: liaise with the relevant Incident Owner to ensure that local actions are completed; escalate any actions which have not been completed by the target date; 8

9 Ensure that guidance material is revised to reflect any learning outcomes; Report all data security breaches to the university s Data Governance & Strategy Group for monitoring and oversight; and Propose improvement plan and actions where appropriate to DGSG, and Data Steward via the Information Security Forum The Head of Information Management & Compliance may recommend the instigation of the relevant disciplinary procedure for staff or misconduct procedure for students where the circumstances of a particular incident under this Procedure make it appropriate to do so. Any such recommendation will be made to the Associate Director (Governance) who will determine whether a referral to the Human Resources Directorate is warranted This Procedure reflects the ICO Guidance on Data Security Breach Management which should be referred to for any queries. This Procedure will be reviewed at least every three years or when there are significant changes. 11. Contact list for queries in relation to this Procedure Role Name Telephone Head of Information Management & Compliance Contact Trevor Pearce below Information Compliance Manager Associate Director (Governance) Ben Daley / Trevor Pearce / ben.daley@kcl.ac.uk trevor.pearce@kcl.ac.uk 9

10 APPENDIX 1 EXAMPLES OF INCIDENTS WHICH SHOULD BE REPORTED IF UNSURE, REPORT IT Use the Incident Report Form for incidents involving: Misdirection of s or correspondence containing personal data; Sending non-essential personal data to otherwise valid recipients; Failure of access controls, such as incorrect allocation of permission or password sharing, which result in unauthorised access to personal data; Loss or theft of papers containing personal data; Personal data received in error; Publication of personal data on a website; Loss or theft of any university-owned data storage device regardless of the data it contains e.g., laptop, PC, USB/pen drive, ipad or other tablet, removable hard drive, smart phone or other portable devices; or Theft of any privately owned devices should only be reported if they contain personal data related to university activities. 10

11 APPENDIX 2 DATA PROTECTION INCIDENT REPORT FORM To be completed by the Incident Owner or their nominee and sent urgently to the Information Management & Compliance Office (and the IT Service Desk where applicable). This should be completed as soon as possible following discovery of the incident following initial notification to the Head of Information Management and Compliance. Please note that circulation of this form and any related documents must be restricted to those directly involved in investigating the incident. Please do not reference any data subjects by name in this report. Report completed by [name, job title] Faculty/Directorate Telephone Date of report 1. Description of data lost, stolen or disclosed [include examples of type of data, volumes of records affected and number of data subjects involved. Where relevant specify device make, model and serial number. Where a mobile device has been lost or stolen, please include the k number of the person who lost it] 2. Circumstances of the loss, theft or disclosure [include timing of events; location; IT media and applications involved; details of actions taken to date, e.g., anyone who has been contacted in relation to the incident] 3. Details of any other regulatory body or collaborative partner who may need to be informed [e.g., NHS Trust, NHS Digital, etc.] 4. What were the causes of the incident? What improvements could be made to prevent a recurrence? [Assessment of any related policies, procedures or guidance which have been breached or wider issues; provide copies of any local guidelines or procedures which have not been followed] 11

12 5. Has the person/s responsible of or involved in the loss, completed the university s Mandatory Data Protection Training Module? -- To be completed by the Information Management & Compliance Office -- Incident Reference: Incident Severity Rating: Improvements to be considered / actions to be completed Target date and action owner Comments 12

13 SEVERITY ASSESSMENT TOOL (FOR USE BY INFORMATION AMANGEMENT AND COMPLIANCE TEAM) APPENDIX 3 Where the data involved has been sourced from NHS Digital, previously the Health and Social Care Information Centre (HSCIC), the HSCIC Checklist guidance for reporting, managing and investigating information governance and cybersecurity serious incidents requiring investigation must be followed in respect of assessing the severity of the incident and reporting requirements. For all other incidents, the Head of Information Management & Compliance or the Incident Response Team will assess the severity of the incident on a scale of 0-3. The tool below is intended as a guide only and should not be relied on to reflect all relevant circumstances. No. of individuals whose data has been disclosed or put at risk ,000 1,001 plus Sensitivity factors should be applied to the initial score as follows: For each of the following sensitivity factors reduce score by 1 (not applicable in the case of a score of 0) A) No sensitive personal data B) Information already accessible or in public domain C) Low level of harm to individuals For each of the following factors increase score by 1 D) Detailed information at risk e.g. clinical care case notes, social care notes E) High risk confidential information F) One or more previous similar incidents in last 12 months G) Failure to implement, enforce or follow technical safeguards to protect information H) Likely to attract media interest or other reputational damage and/or a complaint has been made to the ICO by an organisation or individual I) Individuals are likely to suffer substantial damage or distress including significant embarrassment or detriment J) Individuals likely to have been placed at risk of incurred physical harm Sensitivity factors which would not be relevant should be excluded as follows. When user selects this A B C D The following sensitivity factors are excluded D,E D,E,I,J I,J A,B 13

14 E F G H I J A,B None None None B,C B,C Where an incident scores 3 or more, it should be referred to the Head of Administration and College Secretary for a decision on whether to report the incident to the Information Commissioner s Office. Amended 15 September 2016 Contact details of Head of IMC and Associate Director of Governance 14