DUTIES OF THE ROLEPLAYERS
Information Officer
Where a data breach or compromise is discovered, the incident response plan must be activated; an up-to-date plan should therefore be in place before any incident occurs.
The scope of the compromise must be established, as well as the measures required to restore the integrity of the information system. Keep full records from the outset: a report should be completed which contains full details of:
- Date and time the breach was discovered
- How the breach was discovered
- Date and time the breach is believed to have occurred
- Nature of the breach e.g. theft, accidental destruction
- Information items included e.g. name, address, bank details, biometrics
- The extent of the breach and the volume of data involved
- Number of affected data subjects
- Security measures which were in place and which were breached
- Whether the data was encrypted and, if encrypted, the strength of the encryption used and whether the decryption keys may also have been exposed
- To what extent the data was pseudonymised (i.e. whether living individuals can still reasonably be identified from the data)
- Any other factors that are deemed to be relevant
The Information Officer must ensure that the Information Regulator is notified of any data breach or compromise as soon as is reasonably possible after the compromise has been discovered.
Keep full records of:
- Actions taken to manage the impact of the breach
- Any further developments
Written confirmation should be obtained from the Regulator that the breach notification has been received, including the date and time at which it was received.
RESPONSIBLE PARTY
Where your organisation is acting as an operator on behalf of one or more responsible parties, there is an obligation to inform each responsible party about the breach as soon as it is discovered. It is then up to the responsible party to take the subsequent actions.
Enough information should be provided to enable the responsible party to comply with their obligations, so consider reporting:
- Date and time the breach was discovered
- How the breach was discovered
- Date and time the breach is believed to have occurred
- Nature of the breach e.g. theft, accidental destruction
- Information items included e.g. name, address, bank details, biometrics
- The extent of the breach and the volume of data involved
- Number of affected data subjects
- Security measures which were in place and which were breached
- Whether the data was encrypted and, if encrypted, the strength of the encryption used and whether the decryption keys may also have been exposed
- To what extent the data was pseudonymised (i.e. whether living individuals can still reasonably be identified from the data)
- Actions taken to manage the impact of the breach
- Contact details of the person handling the breach within your organisation
- Any other factors that are deemed to be relevant
Where more than one responsible party is involved, care must be taken to ensure that each responsible party is given information only about its own personal data, and not about the data of any other responsible party.
DATA SUBJECT DISCLOSURES
Where an incident affects personal data where you are the responsible party, a decision must be taken regarding the extent, timing, and content of communication with data subjects.
Although there is an obligation to notify affected data subjects as soon as reasonably possible after discovery, this may be delayed if a public body responsible for the prevention, detection or investigation of offences determines that notifying the data subjects will compromise a criminal investigation. It is therefore important to confirm that this is not the case before making the required disclosures.
Where the disclosure of the breach is delayed, this must be recorded together with full reasons for this delay.
Where it is determined that the data subjects are to be notified this must be done in writing. The communication must be in the approved form and format and will be provided by way of at least one of the following methods:
- Mailed to the data subject’s last known physical or postal address;
- Sent by e-mail to the data subject’s last known e-mail address;
- Placed in a prominent position on your website;
- Published in the news media; or
- Communicated as directed by the Regulator.
In addition to the above, the Information Regulator may direct that the compromise is publicised if it believes this will protect a data subject.
The notification must include enough information for the data subject to know what measures to take to protect themselves against the possible consequences of the compromise.
The breach notification must contain, as a minimum, details of:
- The identity of the unauthorised person, if known
- Possible consequences of the compromise
- Measures that have been taken or will be taken to address the security compromise
- Recommendations of measures which the data subject can take to mitigate the possible adverse effects of the compromise
Full records must be maintained to provide evidence of the disclosures being made, the content of the disclosures, the recipients, and the date the disclosure was made.
CONTRACTUAL DISCLOSURES
There may be additional contractual obligations regarding what your organisation must do in the event of a data breach, which are set out in agreements with suppliers, customers, or other parties.
It is important to have an up-to-date list of contacts where this applies, in order to be able to provide the required notifications within the agreed timeframes.
Where this is required, all parties should be notified of the breach as is contractually required, and confirmation of this notification recorded.
WHAT MUST YOU DO?
Ensure that you have processes in place to:
- alert you when personal information is accessed or modified without authorisation
- identify the source of a data breach
- contain and neutralise a breach
- prevent a recurrence
- notify the Information Regulator, the data subject and anyone else who must be notified
Where you accidentally receive information not intended for you, you need processes to ensure this is also handled correctly, for example:
- Where you receive a misaddressed e-mail, immediately notify the sender of their mistake, and permanently delete the copy you received without opening any attachments
- Where possible, identify the sender of a misaddressed letter or package from the postmark, label or letterhead. Do not read through material not intended for you
- Agree with the responsible person how to resolve the mistake. It may be sufficient to permanently delete an email from your ‘inbox’ and ‘deleted files’ folders. The responsible person may arrange to collect a misaddressed letter or parcel from you, or you may agree to destroy it, for example by securely shredding the information and confirming in writing that you have done this
- If you keep information or materials pending retrieval by the lawful responsible person, keep it in a secure place where it cannot be mistakenly accessed or removed
Do not attempt to identify and contact the data subject to whom the information relates, as this would constitute further processing of the information.