Data Breaches

What is a Data Breach?

Data Breaches are incidents where there is a risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may…lead to physical, material or non-material damage.

In other words, something has happened with ARU personal data where our lack of control over it has created the possibility of harm to an individual.

The definition breaks down as follows. Accidental or unlawful:

  • Destruction of
  • Loss of
  • Alteration of
  • Unauthorised disclosure of
  • Unauthorised access to

personal data that is transmitted or stored.

Examples could be:

  • Password sharing
  • An email is sent to the wrong recipient
  • Post has been sent to the wrong recipient
  • A device storing or providing access to ARU data is lost or stolen
  • Personal Data has been published in error
  • Data is disclosed verbally to the wrong person
  • ARU data has been hacked
  • A phishing attack has resulted in ARU data being obtained or made vulnerable
  • Malware has put ARU data at risk
  • A file containing personal data is lost
  • An unauthorised person has gained physical access to areas of our buildings putting personal data at risk
  • We have used personal data for a new purpose without gaining the consent or informing data subjects
  • We have retained personal data for longer than stated on our retention schedules
  • We have given a member of staff or an external person access to personal data that they are not entitled to have

How does ARU manage Data Breaches?

Once an incident has been reported to the Information Compliance Team the Data Breach Management process commences.

  • From the information provided by the reporter, the incident is logged, given a reference number, and a case record is opened to which all subsequent records relating to the case are added.
  • The incident is reviewed against the feasibility of undertaking the standard mitigation actions above, so that the risks arising from the Breach can be reduced promptly.
  • After reviewing the initial report and following enquiries with key contacts identified by the Information Compliance Team, a draft severity rating is applied using the following form, based on the Enisa methodology. This methodology is referenced by the European Data Protection Board and is designed to give Data Controllers a means of establishing the severity of a Breach; it is not the sole means of determining severity. It informs a decision.
  • The investigation may involve co-operation with the IT Major Incident process, interviews with staff, students or employees of suppliers and obtaining documentary evidence of activity with potential recourse to the Procedure for Accessing ARU User Data without Consent.
  • The risk scoring will be revised by the Data Protection Officer as new information becomes available during the investigation. Within 72 hours of becoming aware of the Breach, and where there is any doubt about whether the Breach is notifiable to the ICO under GDPR Article 33, the Data Protection Officer will present a draft Incident Report to the Head of Compliance & Risk for consultation on the appropriate course of action.
  • The final decision on notification to the ICO and to Data Subjects rests with the Secretary & Clerk, acting as Senior Information Risk Owner, informed by the recommendations of the Data Protection Officer and the Head of Compliance & Risk.
  • If a decision to notify is made, the Data Protection Officer will draft an ICO Notification form for approval capturing the necessary Article 33 requirements:
  • Breach closure activities will take place once the Breach is fully mitigated, or once actions are agreed to put in place mitigations that appropriately manage the risk of the Breach recurring, and, if Notification has taken place, once the ICO has closed its investigation. The Breach record will document the actions taken to mitigate the Breach and prevent recurrence, and will note any actions taken relating to external audiences, internal processes and the employees responsible for the Breach. A note will be made of the specific lessons learned as a result of the process.
  • Analysis of Data Breaches will be presented to Data Champions at the quarterly Information Compliance Group (ICG) meetings for discussion, suggested actions and recommended changes to ARU policy. The Senior Information Risk Owner will be presented with an Annual Data Protection Compliance Report covering the performance of the process and the nature and severity of Breaches: their causes, who caused them, what data was involved and what actions were taken. Recommendations on changes to Policy and to the approach to communications and training will be presented based on analysis of incidents and consultation with ICG and other stakeholders.