Clyst Vale Community College Data Breach Policy

Similar documents
Data Breach Notification Policy

DATA BREACH POLICY [Enniskillen Presbyterian Church]

Stopsley Community Primary School. Data Breach Policy

Data Breach Incident Management Policy

1. Introduction and Overview 3

National College for High Speed Rail DATA BREACH NOTIFICATION PROCEDURE

Information Security Incident Reporting Policy

Information Governance Incident Reporting Policy

Data Loss Assessment and Reporting Procedure

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

The GDPR toolkit. How to guide for Executive Committees. Version March 2018

Element Finance Solutions Ltd Data Protection Policy

PS 176 Removable Media Policy

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Eco Web Hosting Security and Data Processing Agreement

General Data Protection Regulation policy (exams) 2018/19

A Homeopath Registered Homeopath

PTLGateway Data Breach Policy

General Data Protection Regulation policy (exams) 2017/18

Creative Funding Solutions Limited Data Protection Policy

Information Security Policy

Healing School - A Science Academy GDPR Policy (Exams) 2018/19

GMSS Information Governance & Cyber Security Incident Reporting Procedure. February 2017

Information Governance Incident Reporting Policy and Procedure

The Data Protection Act 1998 Clare Hall Data Protection Policy

Company Policy Documents. Information Security Incident Management Policy

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Information Security Incident

PS Mailing Services Ltd Data Protection Policy May 2018

General Data Protection Regulation policy 2017/18

Data Privacy Breach Policy and Procedure

Data Protection Policy

Breach Notification Form

Corporate Information Security Policy

Privacy Breach Policy

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Information Governance Incident Reporting Procedure

The University of British Columbia Board of Governors

REPORTING INFORMATION SECURITY INCIDENTS

Site Builder Privacy and Data Protection Policy

Information Governance Incidents Cyber Security Incidents and Near Misses Reporting Procedure

This policy should be read in conjunction with LEAP s Conflict of Interest Policy.

Privacy & Information Security Protocol: Breach Notification & Mitigation

How the GDPR will impact your software delivery processes

Data protection breach notification form

Made In Hackney Data Protection Policy Last Updated:

SCHOOL SUPPLIERS. What schools should be asking!

Retirement Investments Insurance Health. Helping you. understand. data governance

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

INFORMATION SECURITY POLICY

NEWSFLASH GDPR N 8 - New Data Protection Obligations

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Unified Communications Phase 2 Presentation to IT Services Users Group

SOUTHFIELD SCHOOL PROCEDURE FOR RECEIVING AND RESPONDING TO SUBJECT ACCESS REQUESTS

EXHIBIT A. - HIPAA Security Assessment Template -

UWC International Data Protection Policy

Information Security Strategy

Data Protection Policy

Data Protection and GDPR

AIRMIC ENTERPRISE RISK MANAGEMENT FORUM

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Employee Security Awareness Training Program

HPE DATA PRIVACY AND SECURITY

Privacy Breach Response and Reporting

The Role of the Data Protection Officer

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Mapping Cyber-Protections to Regulatory Requirements for Fintech

DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Subject: University Information Technology Resource Security Policy: OUTDATED

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

GDPR Compliance. Clauses

The JJs Hair Group Privacy Policy

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Regulation P & GLBA Training

Security and Privacy Breach Notification

Payment Card Industry Data Security Standard (PCI DSS) Incident Response Plan

2. Who we collect information (data) from & why we collect it

Dealing with Security and Security Breaches

Requirements for a Managed System

General Data Protection Regulation (GDPR)

Data Breaches and the EU GDPR

1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests.

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

ISC10D026. Report Control Information

Data Protection Policy

DATA PROTECTION POLICY THE HOLST GROUP

Malpractice and Maladministration Policy

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

Breach Notification in the GDPR Era. Speakers: Sam Pfeifle, IAPP Dennis Holmes, PwC

Contract Services Europe

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

Talenom Plc. Description of Data Protection and Descriptions of Registers

Data protection. 3 April 2018

UTAH VALLEY UNIVERSITY Policies and Procedures

INFORMATION ASSET MANAGEMENT POLICY

Prohire Software Systems Limited ("Prohire")

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Institute of Technology, Sligo. Information Security Policy. Version 0.2

Transcription:

Clyst Vale Community College Data Breach Policy Contents 1. Aim Page 2 2. Definition Page 2-3 3. Scope Page 3 4. Responsibilities Page 3 5. Reporting a data breach Page 3-4 6. Data breach plan Page 4 7. Discipline Page 4 8. Review Page 4 9. Form A Page 5 Next review date: Sept 2018 Last reviewed: May 2018 Page 1 of 6

1. AIM The aim of this policy is to standardise Clyst Vale s response to any data breach and to ensure that we log and manage data breaches in accordance with the GDPR law and best practices This will ensure that: Incidents will be reported quickly and can be thoroughly investigated Incidents will be dealt with in a timely manner and normal working operations can be restored as quickly as possible Any breach Incidents are recorded and also documented fully Quick understanding of the impact of an incident, and swift action taken to prevent further issues The data subjects and ICO are informed if the severity justifies reporting Incidents will be reviewed and processes and procedures improved to prevent repeat 2. DEFINITION Article 4 (12) of the GDPR states that a data breach is: a breach of security leading to the unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. Clyst Vale is required under the GDPR to act when a breach occurs. This procedure sets out how Clyst Vale Community College will respond to a suspected data breach. This will ensure that where data is misdirected, lost, hacked or stolen, inappropriately accessed or damaged, the breach is fully investigated and reported, and any necessary action is swiftly taken to resolve the incident. A personal data security breach can come in many forms, the most common being: Theft, or loss of paper or other hard copies Personal data sent via a postal service, e-mailed or faxed to an incorrect recipient Theft or loss on devices on which personal data is stored Inappropriate sharing or dissemination. Staff accessing information to which they are not entitled Virus, hacking, malware and data corruption Information is obtained by deception or fraudulent actions Equipment failure, flood or fire Page 2 of 6

Visitors accessing data that are not relevant to them Improper destruction and disposal of data Where staff are uncertain whether a specific incident constitutes to being a breach of security, either report it to the Data Protection Officer (DPO) or the Senior Information Risk Owner (SIRO). If the issues are regarding a security breach of the network, the IT department should be informed immediately. 3. SCOPE This policy applies to all at Clyst Vale, regardless of the data format and is applicable to all staff, visitors, contractors, partner organisations and data processors acting on behalf of Clyst Vale 4. RESPONSIBILITIES Information users: The GDPR applies to both Data Controllers (Clyst Vale) and to Data Handlers and Data Processors. All information users are responsible for reporting actual, suspected, threatened or potential information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage. Managers: Heads of Subjects and Departments are responsible for ensuring that staff in their area act in compliance with this policy and assist with investigations as required. The DPO will be responsible for overseeing the management of the breach. Suitable further delegation may be appropriate in some circumstances. 5. REPORTING A DATA BREACH Suspected data security breaches should be reported promptly to the DPO as the primary point of contact at email: i-west@bathnes.gov.uk The report must contain full and accurate details of the incident including who is reporting the incident, and specify the type of data involved. The report form should be completed as part of the reporting process. See FORM A Once a breach has been reported, an initial assessment will be done to establish the severity of the breach. All data security breaches will be logged by the DPO ensuring appropriate oversight into the types and frequency of confirmed incidents for management and reporting purposes. External Article 33 of the GDPR requires Clyst Vale or the DPO (as the Data Controller) to notify the ICO only when the breach is likely to result in a risk to the freedoms and rights of natural persons. A breach of this severity must also be communicated to the data subject (with certain exceptions). Notification must be made without undue delay and within 72 hours of becoming aware of it. If Clyst Vale fails to do this, we must explain the reason for the delay. Article 33(5) requires that Clyst Vale must record and Page 3 of 6

maintain documentation on data breaches. This should include the nature of the breach and the remedial action taken. When reporting to the ICO, details of the breach must contain information as to the nature of the breach, categories of data,, number of data records, number of people affected, name and contact details of our DPO, and the likely consequences of the breach as well as any action already taken. 6. DATA BREACH PLAN Clyst Vale s response to any reported data security breach will involve the following four elements: 1. Containment and Recovery 2. Assessment of Risks 3. Consideration of Further Notification 4. Evaluation and Response Each of the above elements will need to be conducted in accordance with the checklist. An activity log recording the timeline of the incident management should also be completed. Note: This reflects current guidance from the ICO, which is likely to change 7. DISCIPLINE Staff, contractors, visitors or partner organisations who act in breach of our policy may be subject to disciplinary procedures or other appropriate sanctions. 8. REVIEW This Policy document will be subject to annual review by SLT, Governors and DPO 9. SOURCES The GDPR https://gdpr-info.eu ICO GUIDANCE ON DATA BREACHES https://ico.org.uk/media/fororganisations/documents/1562/guidance_on_data_security_ breach_management.pdf Page 4 of 6

FORM A - Reporting a data breach template Reported by: Name: Job Title: Date: Eg. Who, what, when, who A Summary of event and circumstances B Type and amount of personal data Eg. Title of document(s) / information included / name / contact details / financial / sensitive / special category data. C Action taken by recipient D E F G H Action taken to retrieve data and respond to breach Procedure/policy in place to minimise risk Breach of policy/procedure by officer/member Details of notification to data subject. Complaint received? Details of GDPR training provided. Eg. Communication, secure storage, sharing, exchange. Eg. Has there been a breach of policy and has appropriate management action been taken? Eg. Has the data subject been notified? If not, explain why. What advice has been offered? Eg. Date of most recent training by staff involved I Risk assessment and changes need to prevent further data loss J Conclusions and learning points Page 5 of 6

Page 6 of 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback