How do I report a Breach?
Please contact the Information Compliance Team on firstname.lastname@example.org if you any of the following applies:
- You become aware that a Data Breach has occurred
- You suspect a Data Breach may have occurred or may soon occur
- A supplier, student, member of the public or other person informs you of a Data Breach
- There has been a ‘near-miss’ where a Data Breach almost occurred
- Everyone has a responsibility to report Data Breaches
- The law requires us to notify the ICO (the UK regulator) within 72 hours of becoming aware of a Breach
- Failure to notify the ICO within 72 hours when we should have done is a Breach in itself putting ARU at risk of a fine or reputational damage
What is a Data Breach?
Data Breaches are incidents where there is a risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may…lead to physical, material or non-material damage. In other words, something has happened with ARU personal data where our lack of control over it has created the possibility of harm to an individual.
Examples could be:
- Password sharing
- An email is sent to the wrong recipient
- Post has been sent to the wrong recipient
- A device storing or providing access to ARU data is lost or stolen
- Personal Data has been published in error
- Data is disclosed verbally to the wrong person
- ARU data has been hacked
- A phishing attack has resulted in ARU data being obtained or made vulnerable
- Malware has put ARU data at risk
- A file containing personal data is lost
- An unauthorised person has gained physical access to areas of our buildings putting personal data at risk
- We have used personal data for a new purpose without gaining the consent or informing data subjects
- We have retained personal data for longer than stated on our retention schedules
- We have given a member of staff or an external person access to personal data that they are not entitled to have
What can I do to help reduce the impact of a Breach?
The single most important action to take to reduce the impact of a Breach is to report it to email@example.com so we can begin to manage the situation
Report this to firstname.lastname@example.org
- attaching the email sent in error to help with a review on the severity of the incident
- confirming that you will undertake Step 2.
- make a note of the Incident reference you will receive in response and use it in any further communication with the Information Compliance Team.
Send a follow-up email with the following text (or amend to suit the circumstances and your relationship with the incorrect recipient) to the individual(s) who received the initial email in error, copying-in email@example.com:
You recently received an email from me which contained personal data which was sent to you in error. This is being managed under ARU’s Data Breach procedures. I need to ask you to take the following action to help us manage this matter. Please reply to this email confirming the following:
You have deleted the original email from your mailbox (inbox or email sub-folder, your deleted items and your ‘Recover Deleted Items’ facility) so that you no longer have access to it.
You have not copied or saved the email or its contents to any device or your company’s file storage network or cloud storage. If you have, you have now deleted the data and removed it from any recycle facility.
You have not forwarded the email to another recipient. If you have done so, you have now:
- deleted the email from your mailbox
- forwarded this message to make clear to other recipients that they too should follow these actions
- advised us of how many further recipients received the forwarded message
I apologise for this error and for the inconvenience in asking you to undertake the actions above which are necessary to ensure there is no further breach of Data Protection law.
The Data Breach Management Process will determine whether there is a need to inform the Information Commissioner’s Office (ICO) and/ or the Data Subjects therefore there is no need for you to do this.
If you have any concerns or queries over the above actions, please let me know. If you have any general Data Protection questions about our Breach Management procedure please contact our Information Compliance Team at firstname.lastname@example.org
- Forward any email you receive from the incorrect recipient(s) in response to Step 2 to email@example.com or inform the Information Compliance Team via this email address of any refusal by an incorrect recipient to undertake the requested actions. This is required to evidence that the Breach is ‘contained’ and we are therefore justified in not informing the ICO or the Data Subjects.
- Re-familiarise yourself with ARU’s Email Policy and Acceptable Use Policy.
Typically you are made aware of such Breaches either by:
- Realising after the event that an addressing error has been made or
- An incorrect recipient contacts you to state that a letter intended for someone else has been received by them in error.
For a), please contact firstname.lastname@example.org details of the intended and actual recipients and the personal data that was sent.
For b) Please direct the recipient to:
- Shred the item(s) if they have access to an appropriate quality shredding device
- Retain the item(s) securely until an ARU staff member collects the item(s) from where they have been delivered
- If the post item contained a pre-paid return envelope, direct the recipient to use this to return the data to us
- If the recipient is at a business address, ask them to post the data back to us and arrange for any costs to be refunded by invoice.
Ask the recipient to confirm the preferred method in Step 1. Our preference would be for them to confirm this has been completed by email so that this can be forwarded to email@example.com as evidence. It is understandable that they may not wish to share their personal data with us, therefore we can accept a verbal confirmation which you then confirm was given to you by emailing the details to firstname.lastname@example.org evidence.
If you have lost or had stolen a personal device (one not provided to you by ARU) but that device had access to or has stored copies of ARU personal data then please contact email@example.com with details. A device can mean a laptop or desktop computer, a USB memory stick or external hard-drive, a tablet or smart phone, or an audio recording device etc. Even though this may be a personal device, if it holds ARU data or provides the means of accessing ARU data (e.g. Outlook web access) we will need to understand what risk there is of that data being accessed by an unauthorised individual and take appropriate action.
How does ARU manage Data Breaches?
Once an incident has been reported to the Information Compliance Team the Data Breach Management process commences.
- From information provided by the reporter the incident is logged, provided a reference number and a case record opened to which all subsequent records related to the case are added.
- The incident will be reviewed against the feasibility of undertaking the standard mitigation actions above to help reduce the risks of the Breach promptly.
- After reviewing the initial report and following enquiries with key contacts identified by the Information Compliance Team a draft severity rating is applied using the following form based on the Enisa methodology. This is a methodology reference by the European Data Protection Board and is designed to provide a means of advising Data Controllers in establishing the severity of a Breach, not as the sole means of determining this. It informs a decision.
The investigation may involve co-operation with the IT Major Incident process, interviews with staff, students or employees of suppliers and obtaining documentary evidence of activity with potential recourse to the Procedure for Accessing ARU User Data without Consent.
Data Breach Risk Rating Outcome
- The risk scoring will be revised by the Data Protection Officer as new information becomes available as the investigation progresses. Within a period of 72 hours from becoming aware of the Breach and where there is any doubt about whether the Breach is notifiable to the ICO in compliance with GDPR Article 33 the Data Protection Officer will present a draft Incident Report to the Head of Compliance & Risk for consultation on the appropriate course of action.
Data Breach Incident Report
- The final decision on notification to the ICO and to Data Subjects rests with the Secretary & Clerk acting as Senior Information Risk Owner informed by the recommendations of the Data Protection Officer and the Head of Compliance & Risk.
- If a decision to notify is made, the Data Protection Officer will draft an ICO Notification form for approval capturing the necessary Article 33 requirements:
Report a Data Breach
- Breach closure activities will take place once the Breach is fully mitigated or actions are agreed to put mitigations in place which appropriately manage the risk of re-occurrence of the Breach and, if Notification has taken place, the ICO has closed their investigations. The Breach record will record actions taken to mitigate and prevent reoccurrence and make note of any actions taken (relating to external audiences, internal processes and those employees responsible for the Breach). A note will be made of the specific lessons-learned as a result of the process.
- Analysis of Data Breaches will be presented to Data Champions at the quarterly Information Compliance Group (ICG) meetings for discussion, suggested actions and recommended changes to ARU policy. The Senior Information Risk Owner will be presented with an Annual Data Protection Compliance Report presenting data on the performance of the process and the nature and severity of Breaches, what is their cause, who has caused them, what data was involved and what actions were taken. Recommendations will be presented based on analysis of incidents and consultation with ICG and other stakeholders over changes to Policy and approach to communications and training.