01205 310221

Data Protection Breach Policy

Data Protection Breach Policy

Holy Trinity Boston

Data Protection Lead: 1st Trevor Dunnington

                                         2nd Dennis Pain

 

Purpose:

This Data Breach / Response procedure sets out the course of action to be followed by all staff and appointed persons at Holy Trinity Boston/ 1132300  if a data protection breach takes place or is suspected.

 

Types of Breach:

Data protection breaches could be caused by a number of factors.

This policy includes, but is not exclusive to:

• Loss or theft of data or the equipment on which data is stored;

• Inappropriate access controls allowing unauthorised use

• Equipment Failure

• Human Error

• Unforeseen circumstances such as fire or flood

• Hacking

• ‘Blagging’ offences where information is obtained by deception

 

Immediate Containment/Recovery:

In discovery of a data protection breach, the following steps should be followed.

1. The person discovering the potential breach should notify Trevor Dunnington  who is the Data Protection Lead or if they are unavailable the other contact is Dennis Pain, or their line manager / volunteer coordinator. This report should happen as soon as is practicably possible.

2. The Data Protection Lead should investigate the potential breach asap. Ideally this should be within a few hours, and certainly as soon as is practicably possible. (See Investigation below ).

3. Firstly, the Data Protection Lead must ascertain whether the breach is still occurring. If so, steps must be taken immediately to minimise the effect of the breach, including looking for any lost data, restricting physical access to the area where breach is suspected, changing passwords to online systems or shutting down I.T. systems where required.

4. If bank details have been lost/stolen, consider contacting banks directly for advice on preventing fraudulent use.

5. If the data breach includes any entry codes or IT system passwords, then these must be changed immediately, and the relevant agencies and members of staff informed.

 

Investigation

Data investigations should be documented and should cover:

• The type of data;

• Its sensitivity;

• What protections are in place (e.g. encryption);

• What has happened to the data;

• Whether the data could be put to any illegal or inappropriate use;

• How many people are affected;

• What type of people have been affected and whether there are wider consequences to the breach.

A clear record should be made of the nature of the breach and the actions taken to mitigate it. The investigation should be completed as a matter of urgency and, wherever possible, within 5 days of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved and this should be reviewed by the Data Protection Leads

Notification:

1. The Data Protection Lead must inform the Parochial Church Council for responsibility and an update, risk assessment and response plan must be discussed at the next meeting.

2. The Data Protection Lead should consider if the Police need to be informed. This is particularly appropriate in the event of suspected theft of data or where the data references sensitive information or data with safeguarding implications.

3. Under GDPR there is a mandatory responsibility to report breaches of data to the ICO.

(Please note that once the Data Protection Lead has been made aware of your concerns by you personally then your concern will be reported to the ICO with 72 hours)

4. Out of care for your church members, and as a legal obligation, you should report all data breaches to the people (subjects) affected. This should be done as soon as practicably possible, either by an email or posted letter, should outline the details of the breach and the nature of the data contained, provide some advice for how to respond, a method or route of complaint or query and some reassuring language about steps the church have taken to mitigate the effect.

Review and Evaluation:

After a breach has occurred and the appropriate steps have been taken, the response and this policy should be evaluated by the Data Protection Lead and then the findings and any development should be reported to board of trustees / church council.

 

Record of Data Protection Breach and subsequent investigation:

Name of Data Protection Lead / Appointed Person:

___________________________________________________________________________

Date of Breach:

___________________________________________________________________________

Date of Investigation:

___________________________________________________________________________

Nature of potential breach: (what has happened?)

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

When? Where?

___________________________________________________________________________

What data has been compromised?

___________________________________________________________________________

What caused the breach? (lost, theft, human error, technical issue etc.?)

___________________________________________________________________________

Does this include bank and financial details? (if so what?)

___________________________________________________________________________

Does this include sensitive information? (if so what?)

___________________________________________________________________________

Is there a safeguarding implication (in particular relation to children or vulnerable adults)?

___________________________________________________________________________

Is there an immediate cause of concern to someone’s safety?

___________________________________________________________________________

Is there a risk of illegal activity?

___________________________________________________________________________

Have passwords or key codes been compromised?

___________________________________________________________________________

What protections are in place?

___________________________________________________________________________

Has a breach occurred?

___________________________________________________________________________

Is it ongoing or has the breach ceased?

___________________________________________________________________________

Who is affected?

___________________________________________________________________________

 

Who should be notified?

ICO Notification completed on: [date]_______________

Church Team Notification completed on: [date] _______________

Subject of Data Notification completed on: [date] _______________

SIRO (Trustee) Notification completed on: [date] _______________

Is there a continuing risk?

___________________________________________________________________________

What steps should be taken to rectify this breach and stop it reoccurring?

1…………….

2…………….

3……………..

Etc.

Report completed by:

___________________________________________________________________________

Date: ______________________________

Reviewed by Trustee: [on date] ________________________________________

16th August 2018
18th August 2018
19th August 2018
20th August 2018
21st August 2018
23rd August 2018
25th August 2018
26th August 2018