Data Breach Notification Policy: Sept 2022 - Sept 2025
POLICY TITLE: Data Breach Notification Policy
DOCUMENT NUMBER: 6.1.2
GROUPING POLICY: Security, Confidentiality & Information
AUTHOR / REVISOR / OWNER: DPO
DATE OF CURRENT VERSION: Sept 2022
REVIEW DATE: Sept 2025
IMPACT ASSESSED: Yes
APPROVED BY: CMG
DATE: 19th October 2022
SCOPE
The policy relates to all members of staff, learners and visitors of the College and explains the process for identifying and notifying a data breach.
PURPOSE
The College’s key concern in relation to any breach affecting Personal Data is to contain the breach and take appropriate action to minimise, as far as possible, any adverse impact on any individual affected. The College has therefore implemented this Policy to ensure all College Personnel are aware of what a Personal Data Breach is and how they should deal with it if it arises.
POLICY STATEMENT
College Personnel will receive a copy of this Policy when they start and may receive periodic revisions of this Policy. This Policy does not form part of any College Personnel’s contract of employment and the College reserves the right to change this Policy at any time.
Staff and students will also receive training as part of their induction around GDPR and cyber security, as the two are interlinked.
Learners and visitors will have access to this policy via the college website, in the policy section.
All College Personnel, learners and visitors are obliged to comply with this Policy at all times.
The College’s reputation and future growth are dependent on the way the College manages and protects Personal Data. As an organisation that collects and uses Personal Data, the College takes seriously its obligations to keep that Personal Data secure and to deal with security breaches relating to Personal Data when they arise.
CONTENTS
1. Definitions
2. What is a Personal Data Breach
3. Reporting a personal Data Breach
4. Managing a Personal Data Breach
5. Containment and Recovery
6. Assessment of Ongoing Risk
7. Notification
8. Evaluation and Response
1. DEFINITIONS
1.1 College - East Durham College.
1.2 College Personnel - Any College employee or contractor who has been authorised to access any of the College’s Personal Data and will include employees, consultants, contractors, and temporary personnel hired to work on behalf of the College.
1.3 Data Protection Laws - The General Data Protection Regulation (Regulation (EU) 2016/679) and all applicable laws relating to the collection and use of Personal Data and privacy (including, in the UK, the Data Protection Act 2018), together with any applicable codes of practice issued by a regulator.
1.4 Data Protection Officer - The Data Protection Officer can be contacted by e-mail at dpo@eastdurham.ac.uk
1.5 ICO - The Information Commissioner’s Office, the UK’s data protection regulator.
1.6 Learners - Any individuals enrolled on a course or programme of study, past or present.
1.7 Personal Data - Any information about an individual which identifies them or allows them to be identified in conjunction with other information that is held. Personal data is defined very broadly and covers both ordinary personal data, from personal contact details and business contact details, to special categories of personal data such as trade union membership, genetic data and religious beliefs. It also covers information that allows an individual to be identified indirectly, for example an identification number, location data or an online identifier.
1.8 Special Categories of Personal Data - Personal data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data (i.e. information about their inherited or acquired genetic characteristics), biometric data (i.e. information about their physical, physiological or behavioural characteristics such as facial images and fingerprints), physical or mental health, sexual life or sexual orientation and criminal record.
1.9 Visitors - Any individuals visiting the College premises - this includes contractors.
2. WHAT IS A PERSONAL DATA BREACH
2.1 The College takes information security very seriously and the College has security measures against unlawful or unauthorised processing of Personal Data and against the accidental loss of, or damage to, Personal Data. The College has in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.
2.2 A Personal Data breach is defined very broadly and is effectively any failure to keep Personal Data secure which leads to the accidental or unlawful loss (including loss of access to), destruction, alteration, or unauthorised disclosure of Personal Data. Whilst most Personal Data breaches happen because of action taken by a third party, they can also occur as a result of something someone internal does.
2.3 A Personal Data breach could include any of the following:
2.3.1 loss or theft of Personal Data or equipment that stores Personal Data;
2.3.2 loss or theft of Personal Data or equipment that stores the College’s Personal Data from a College supplier;
2.3.3 inappropriate access controls meaning unauthorised College Personnel can access Personal Data;
2.3.4 any other unauthorised use of or access to Personal Data;
2.3.5 deleting Personal Data in error;
2.3.6 human error (which could be as simple as putting a letter in the wrong envelope, sending an unsecured e-mail outside the organisation or leaving a phone or laptop containing Personal Data on a train);
2.3.7 hacking attack resulting in the loss of personal data;
2.3.8 infection by ransomware or any other intrusion on our systems/network;
2.3.9 ‘blagging’ offences where information is obtained by deceiving the organisation who holds it; or
2.3.10 destruction or damage to the integrity or accuracy of Personal Data.
2.4 A Personal Data breach can also include:
2.4.1 equipment or system failure that causes Personal Data to be temporarily unavailable;
2.4.2 unforeseen circumstances such as a fire, flood or power failure that causes Personal Data to be temporarily unavailable;
2.4.3 inability to restore access to Personal Data, either on a temporary or permanent basis; or
2.4.4 loss of a decryption key where Personal Data has been encrypted, because this means the College cannot restore access to the Personal Data.
3. REPORTING A PERSONAL DATA BREACH
3.1 College Personnel must immediately notify any Personal Data breach to the DPO via the online GDPR Sentry system, regardless of its size and whether or not College Personnel are certain that a breach has occurred or is likely to occur. This allows the College to contain the breach as soon as possible and to consider a recovery plan to minimise any risk of damage to the individuals affected and to the College.
3.2 If College Personnel discover a Personal Data breach outside working hours, College Personnel must notify it to the College’s Data Protection Officer as soon as possible at dpo@eastdurham.ac.uk.
3.3 College Personnel may be notified by a third party (e.g. a supplier that processes Personal Data on the College’s behalf) that they have had a breach that affects College Personal Data. College Personnel must notify this breach to the College’s Data Protection Officer and the College’s Data Breach Notification Procedure shall apply to the breach.
4. MANAGING A PERSONAL DATA BREACH
4.1 There are four elements to managing a Personal Data breach or a potential one and this Policy considers each of these elements:
4.1.1 Containment and recovery
4.1.2 Assessment of on-going risk
4.1.3 Notification
4.1.4 Evaluation and response
4.2 At all stages of this Policy, the Data Protection Officer, in conjunction with CLG and/or CMG, will consider whether the breach is serious enough to be reported to the insurers and/or to warrant seeking external legal advice.
5. CONTAINMENT AND RECOVERY
5.1 An initial assessment of the Personal Data breach will be carried out by the Data Protection Officer.
5.2 If the Personal Data breach is unlikely to result in a risk to the rights and freedoms of the individuals affected, then it will be added to the College’s Data Breach Register and no further action will be taken.
5.3 If the Personal Data breach may affect the rights and freedoms of the individuals affected, then the College will put together and implement a bespoke Personal Data breach plan to address the breach concerned in accordance with the College’s Data Breach Notification Procedure. This will include consideration of:
5.3.1 whether there are any other people within the College who should be informed of the breach, such as IT team members, to ensure that the breach is contained.
5.3.2 what steps can be taken to contain the breach, recover the loss of any Personal Data or to prevent damage being caused; and
5.3.3 whether it is necessary to contact other third parties such as students, parents, banks, the ICO or the police particularly in the case of stolen Personal Data. All notifications shall be made by the Data Protection Officer.
5.4 All actions taken in relation to a Personal Data breach will be in accordance with the Data Breach Notification Procedure which is maintained and administered by the Data Protection Officer.
5.5 The Data Protection Officer is responsible for ensuring that the Data Breach Register is kept updated on the GDPR Sentry system.
6. ASSESSMENT OF ONGOING RISK
As part of the College’s response to a Personal Data breach, once the breach has been contained the College will consider the on-going risks to the College and to any other party caused by the breach and what remedial action can be taken to minimise the impact of the breach. This will be undertaken in accordance with the College’s Data Breach Notification Procedure.
7. NOTIFICATION
7.1 Under Data Protection Laws, the College may have to notify the ICO and also possibly the individuals affected about the Personal Data breach.
7.2 Any notification will be made by the Data Protection Officer following the College’s Data Breach Notification Procedure. The notification shall comply with the requirements of the ICO.
7.3 Notification of a Personal Data breach must be made to the ICO without undue delay and where feasible within 72 hours of when the College becomes aware of the breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. It is therefore imperative that College Personnel notify all Personal Data breaches to the College in accordance with the Data Breach Notification Procedure immediately.
7.4 Notification of a Personal Data breach must be made to the individuals affected without undue delay where the breach is likely to result in a high risk to the rights and freedoms of individuals.
7.5 Please note that not all Personal Data breaches are notifiable to the ICO and/or the individuals affected, and the College will decide whether to notify and who to notify in accordance with the Data Breach Notification Procedure.
7.6 Where the Personal Data breach relates to a temporary loss of availability of the College’s systems, the College does not have to notify if the lack of availability of Personal Data is unlikely to result in a risk to the rights and freedoms of individuals. The College does not consider that it has any systems where temporary unavailability would cause a risk to the rights and freedoms of individuals, but this will be assessed on a case-by-case basis in accordance with the Data Breach Notification Procedure.
7.7 In the case of complex breaches, the College may need to carry out in-depth investigations. In these circumstances, the College will notify the ICO with the information that it has within 72 hours of awareness and will notify additional information in phases. Any delay in notifying the ICO must be seen as exceptional and shall be authorised in accordance with the Data Breach Notification Procedure.
7.8 Where a Personal Data breach has been notified to the ICO, any changes in circumstances or any relevant additional information which is discovered in relation to the Personal Data breach shall also be notified to the ICO in accordance with the Data Breach Notification Procedure.
7.9 When the College notifies the affected individuals, it will do so in clear and plain language and in a transparent way. Any notifications to individuals affected will be done in accordance with the Data Breach Notification Procedure. Any notification to an individual should include details of the action the College has taken in relation to containing the breach and protecting the individual. It should also give any advice about what they can do to protect themselves from adverse consequences arising from the breach.
7.10 The College may not be required to notify the affected individuals in certain circumstances as exemptions apply. Any decision whether to notify the individuals shall be done in accordance with the Data Breach Notification Procedure and shall be made by the Data Protection Officer.
8. EVALUATION AND RESPONSE
8.1 It is important not only to investigate the causes of the breach but to document the breach and evaluate the effectiveness of the College’s response to it and the remedial action taken.
8.2 There will be an evaluation after any breach of the causes of the breach and the effectiveness of the College’s response to it. All such investigations shall be carried out in accordance with the Data Breach Notification Procedure and will be recorded on the Personal Data Breach Register.
8.3 Any remedial action such as changes to the College’s systems, policies or procedures will be implemented in accordance with the GDPR legislation, including revision of the DPIA (Data Privacy Impact Assessment) and the processes held on the GDPR Sentry system.
Supporting Documents and Records
- Data Breach Notification Procedure
- General Data Protection Regulation Policy
Document Control
This document is issued and controlled by Quality & Standards and may only be modified by the designated group after proposed modifications have been accepted by the College Management Group. The latest version of the policy will be maintained on the College Extranet.
Please feedback to Quality & Standards any constructive suggestions on how any aspect of the policy may be clarified or improved.