The OA is committed to maintaining the highest standards of Data Protection (see the full Privacy and Data Handling Policies). This includes taking appropriate measures against unauthorised or unlawful processing of personal data and against its accidental loss, destruction or damage. Nonetheless, a breach may still occur, for example through:
- Loss or theft of data or equipment on which data is stored.
- Weakness in access controls allowing unauthorised use.
- Equipment failure.
- Human error.
- Unforeseen circumstances such as a fire/flood.
- Hacking attack.
- ‘Blagging’ offences where information is obtained by deceit.
This policy and procedure will be reviewed regularly to comply with current best practice and advice offered by the Information Commissioner’s Office (ICO). In the event of a breach, the OA will co-operate, as appropriate, with the ICO and other authorities to minimise the risk to data subjects and to reduce the risk of a breach re-occurring.
This document should be read in conjunction with the OA’s Information Security Statement.
The following procedure will vary in practice according to the nature and amount of data lost, but it consists of four elements:
- Containment and recovery.
- Assessment of ongoing risk.
- Notification of breach.
- Evaluation and response.
This procedure is designed to comply with the GDPR requirement that a breach likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO within 72 hours of the OA becoming aware of it, and that where a breach is likely to result in a high risk to the rights and freedoms of individuals, the affected individuals must also be informed without undue delay.
The OA considers data breaches and potential data breaches to be a senior management responsibility, to be dealt with in accordance with ICO guidelines.
All staff members are required to comply with this policy and accompanying procedures.
If you suspect a data breach has occurred which may affect you, please contact the OA Data Protection Officer as soon as possible at firstname.lastname@example.org or 07783 169718.