Privacy Policy

PERSONAL DATA BREACH NOTIFICATION POLICY

1. POLICY STATEMENT
1.1.This policy is to be read in conjunction with our Data Protection Policy, the Data Security Policy and any other related policies or documents, including any Data Protection Privacy Notices supplied to individuals we deal with.
1.2.We have a commitment to ensuring that personal data is processed in line with GDPR and relevant UK law and that all members of staff conduct themselves in line with this and other related policies. We have strict obligations to process personal data securely, adopt sufficient procedural and technological safeguards and lawfully handle data breaches. Our obligations include, in the event of a data breach, notifying the relevant authorities and in some cases affected individuals.

2. STATUS OF THE POLICY
2.1.The purpose of this policy is to explain what is required from you if you discover that personal data may have been lost, used or disclosed in an unauthorised way, amounting to a personal data breach, and the legal basis for the procedures we will adopt.
2.2.Our Privacy Officer is responsible for ensuring compliance with GDPR and with this policy.
Your manager can advise you who our Privacy Officer is. If we have cause to appoint a Data Protection Officer (an official appointment) or use a different title for a Privacy Officer, we will let you know and any reference to Privacy Officer shall include reference to a new title or a Data Protection Officer. Any questions or concerns about the operation of this policy should be referred in the first instance to the Privacy Officer.
2.3.If you consider that this policy has not been followed in any respect you should raise the matter with your manager or the Privacy Officer.

3. WHAT IS A PERSONAL DATA BREACH?
3.1.A personal data breach is a security incident which has affected the confidentiality, integrity or availability of personal data.
3.2.A personal data breach is wider in scope than the loss of personal data. The following are examples of personal data breaches:
● access by an unauthorised third party
● deliberate or accidental action (or inaction)
● sending personal data to an incorrect recipient
● computing devices containing personal data being lost or stolen
● alteration of personal data without permission
● loss of availability of personal data.

4. YOUR RESPONSIBILITIES
4.1.It is our aim to secure and protect personal data and not to have cause to use this personal data breach notification policy. Whilst we can put measures in place, we also require you to comply with all of those security measures and to understand and follow our data protection policies, including our Data Security Policy.
4.2.You are also required to be vigilant. The types of potential data security issues to look out for are:
a) You receive requests for personal data from third parties or members of staff, but there is no explanation or the explanation given is questionable;
b) You become aware that emails from your account have been sent without your authority;
c) You become aware that your computer or device is being controlled by someone else (for example, the cursor moves or programs open without your input);
d) You receive a call or email from someone unknown and unauthorised, claiming to manage your IT system, asking you to click links, give your login details or have access to your computer;
e) You receive a call or email from someone unknown and unauthorised, claiming to be from a reputable company (e.g. Microsoft, an antivirus vendor or an IT company), asking you to confirm subscriptions or allow them to access your computer;
f) You receive any calls or emails which are unexpected and/or raise suspicion.

5. ASSESSING THE BREACH
5.1.In the event that a breach is identified, the Privacy Officer will:
a) enter details of the breach into our personal data breach records;
b) carry out an investigation into what happened and take appropriate steps to restrict the consequences of the breach;
c) assess whether the breach needs to be reported to the Information Commissioner’s Office (‘ICO’);
d) assess whether the affected individual needs to be informed of the breach;
e) assess whether any third parties or other authorities need to be informed.

6. NOTIFIABLE BREACHES
6.1.A personal data breach will be a notifiable breach if it is likely to pose a risk to an individual’s rights and freedoms.
6.2.A risk to people’s rights and freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.
6.3.In some cases, the breach will easily be identified as notifiable, for example, a list of individual customers, their addresses and their bank details has been stolen by an ex-employee. In other cases, it will be necessary to assess the likelihood of the risks to individuals’ rights and freedoms.
6.4.When making an assessment of the risks, the following will need to be considered and recorded:
a) Type of breach;
b) Nature, sensitivity and volume of personal data;
c) Ease of identification of individuals;
d) Severity of consequences for individuals;
e) Special characteristics of the individual (for example, children or other vulnerable individuals may be at greater risk);
f) Number of individuals affected;
g) Specific characteristics of the Data Controller (for example, a medical organisation processing sensitive personal information such as Special Category Data will pose a greater threat than the mailing list of a newspaper).

7. NOTIFICATION TO THE ICO
7.1.It is our responsibility as Data Controller to notify the ICO of the notifiable breaches.
7.2.The Privacy Officer is responsible for notifying and dealing with the ICO.
7.3.Notifications must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If it is not possible to notify the ICO within 72 hours, the notification will be accompanied by the reasons for the delay.
7.4.The following information will be provided when a breach is notified:
a) A description of the nature of the personal data breach including, where possible the categories and approximate number of individuals concerned and the categories and approximate number of personal data records concerned.
b) The name and contact details of the Data Protection Officer, Privacy Officer or other person to approach for further information.
c) A description of the likely consequences of the personal data breach.
d) A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
7.5.If it has not been possible to conduct a full investigation into the breach and it is not possible to give all the required details within 72 hours, we will provide the ICO with the information we have, give reasons for the incomplete notification and an estimated timetable for full notification. The initial notification will be followed up with further details.

8. NOTIFICATION TO AFFECTED INDIVIDUALS
8.1.Where a notifiable breach is likely to result in a high risk to the rights and freedoms of individuals, we have a duty to notify the affected individuals. High risk may arise, for example, where there is an immediate threat of identity theft, or where Special Category Data is disclosed online.
8.2.It is our responsibility as Data Controller to notify the individuals of the notifiable breach.
8.3.The Privacy Officer or other designated person is responsible for notifying and dealing with the affected individuals.
8.4.Notifications of notifiable personal data breaches to affected individuals must be made without undue delay and may be made before notifying the ICO if necessary.
8.5. The following information will be provided when a breach is notified:
a) A description of the nature of the personal data breach.
b) The name and contact details of the Data Protection Officer, Privacy Officer or other person to approach for further information.
c) A description of the likely consequences of the personal data breach.
d) A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

9. RECORD OF BREACHES
9.1.We will record all personal data breaches regardless of the severity of the risk involved and whether they are notifiable or not. Our records will include the nature of the personal data breach, the consequences and the remedial action taken.
9.2.We will review any personal data breaches on a regular basis, learn from them and take appropriate steps to minimise any future risks.

10. MONITORING AND REVIEW OF THE POLICY
10.1. We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.

DATA PROTECTION POLICY (PRIVACY STANDARD)

1. POLICY STATEMENT
1.1.Everyone has rights with regard to how their personal information is handled. During the course of our activities we will collect, store and process personal information about our staff, suppliers and customers and any others we communicate with, and we recognise the need to treat it in an appropriate and lawful manner.
1.2.The types of information that we may be required to handle include details of current, past and prospective employees, suppliers, customers, and others that we communicate with. The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the EU General Data Protection Regulation (GDPR) and other UK data protection law. These laws impose restrictions on how we may use that information.
1.3.We have a commitment to ensuring that personal data is processed in line with GDPR and relevant UK law and that all our employees conduct themselves in line with this and other related policies. Where third parties process data on our behalf, we will ensure that the third party takes the necessary measures to maintain our commitment to protecting personal data.

2. STATUS OF THE POLICY
2.1.This policy sets out our rules on data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.
2.2.Our Privacy Officer is responsible for ensuring compliance with GDPR and with this policy. If we have cause to appoint a Data Protection Officer (an official appointment) or use a different title for a Privacy Officer, we will let you know and any reference to Privacy Officer shall include reference to a new title or a Data Protection Officer. Any questions or concerns about the operation of this policy should be referred in the first instance to the Privacy Officer.

3. DEFINITION OF DATA PROTECTION TERMS
3.1.Data is personal information about an individual who can be directly or indirectly identified from that information. Data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). This personal information is referred to as ‘Data’ in the remainder of this policy.
Data protection policy ©Copyright citrusHR. All Rights Reserved. Last Updated February 2019
3.2. Data Subjects for the purpose of this policy include all living individuals about whom we hold Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Data.
3.3.Data Controllers are the people or organisations which determine the purposes for which, and the manner in which, any Data is processed. They have a responsibility to establish practices and policies in line with relevant laws. We are the Data Controller of all Data used in our business.
3.4.Data Users include employees whose work involves using Data. Data Users have a duty to protect the Data they handle by following our data protection and security policies at all times. All employees have a responsibility when using Data, to comply with any security safeguards and procedures we put in place.
3.5.Data Processors include any people or organisations which process Data on behalf of a Data Controller. Employees of Data Controllers are excluded from this definition, but it could include third party suppliers which handle Data on our behalf.
3.6.Processing is any activity that involves use of Data. It includes obtaining, recording or holding Data, or carrying out any operation or set of operations on Data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Data to third parties.
3.7.Special Categories of Data are sensitive categories of Data about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition, sex life, or sexual orientation. It also includes genetic and biometric Data (where used to uniquely identify a person). Special Categories of Data can only be processed under strict conditions, and may require the explicit consent of the person concerned.
3.8.Criminal Offence Data is Data which relates to an individual’s criminal convictions and offences. It can only be processed under strict conditions and may require the explicit consent of the person concerned.
3.9.Data Breach is any act or omission which compromises the security, confidentiality, integrity or availability of Data, or the safeguards that we or a third party put in place to protect the Data, including losing the Data or disclosing it to unauthorised people.

4. DATA PROTECTION PRINCIPLES
4.1. Anyone processing Data must comply with the eight enforceable principles of good practice. These provide that personal data must be:
(a) Processed fairly, lawfully, and in a transparent manner. (Fairness, Lawfulness and
Transparency)
(b) Processed for specified, explicit and legitimate purposes and in an appropriate way. (Purpose Limitation)
(c) Adequate, relevant and limited to what is necessary for the stated purpose. (Data Minimisation)
(d) Kept accurate and up to date. (Accuracy)
(e) Not kept longer than necessary for the stated purpose. (Storage Limitation)
(f) Processed in a manner that ensures appropriate security of Data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures. (Security, Integrity and Confidentiality)
(g) Not transferred to another country without appropriate safeguards being in place. (Transfer Limitation)
(h) Processed in line with Data Subjects’ rights. (Data Subject’s Rights and Requests)
4.2.We are responsible for and need to demonstrate compliance with the data protection principles listed above (Accountability).

5. FAIRNESS AND LAWFULNESS
5.1.The purpose of GDPR and UK data protection laws is not to prevent the processing of Data, but to ensure that it is done fairly and without adversely affecting the rights of the Data Subject. The Data Subject must be told who the Data Controller is (in this case the Company), who the Data Controller’s representative is (in this case the Privacy Officer), the purpose for which the data is to be processed by us and the legal basis for doing so, and the identities of anyone to whom the Data may be disclosed or transferred.
5.2.GDPR allows processing of Data for specific purposes, which are where it is needed:
(a) for the performance of a contract, such as an employment contract
(b) to comply with a legal obligation
(c) in order to pursue our legitimate interests (or those of a third party) and where the interests and fundamental rights of the Data Subject do not override those interests
(d) to protect the Data Subject’s vital interests
(e) in the public interest, or
(f) in situations where the Data Subject has given consent.
5.3. We, as Data Controller, will only process Data on the basis of one or more of the lawful bases set out in 5.2 above. Where consent is required, it is only effective if freely given, specific, informed and unambiguous. The Data Subject must be able to withdraw consent easily at any time and any withdrawal will be promptly honoured.
5.4. Special Categories of Data and Criminal Offence Data will only be processed with the explicit consent of the Data Subject, unless the Data Controller can rely on one or more of the other lawful bases set out in 5.2 above, together with any additional legal basis for processing specific to these types of Data, details of which have been set out in an appropriate Privacy Notice issued to the Data Subject.

6. TRANSPARENCY
6.1.We will provide all required, detailed and specific information to Data Subjects about the use of their Data through appropriate Privacy Notices which will be concise, transparent, intelligible, easily accessible and in clear and plain language.

7. PURPOSE LIMITATION
7.1.Data may only be processed for the specific purposes notified to the Data Subject via the Privacy Notice. This means that Data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the Data is processed, the Data Subject must be informed of the new purpose via a new or amended Privacy Notice before any processing occurs.

8. DATA MINIMISATION
8.1.Data should only be collected to the extent that it is required for the specific purposes notified to the Data Subject in the Privacy Notice. Any Data which is not necessary for those purposes should not be collected in the first place.

9. ACCURACY
9.1.Data must be accurate, complete and kept up-to-date. Information which is incorrect is not accurate and steps should therefore be taken to check the accuracy of any Data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date Data should be amended or destroyed.

10. STORAGE LIMITATION
10.1.Data should not be kept longer than is necessary to carry out the specified purposes. This means that Data should be destroyed or erased from our systems when it is no longer required, and in accordance with our Data Retention Policy.

11. SECURITY, INTEGRITY AND CONFIDENTIALITY
11.1. We will ensure that appropriate technical and organisational security measures are taken against unlawful or unauthorised processing of Data, and against the accidental loss of, or damage to, Data. Data Subjects may apply to the courts for compensation if they have suffered damage from such a loss.
11.2. We will put in place procedural and technological safeguards appropriate to our size, scope and business, our available resources and the amount of Data we hold, to maintain the security of all Data from the point of collection to the point of destruction.
11.3.We will consider and use, where appropriate, the safeguards of encryption, anonymisation and pseudonymisation (replacing identifying information with artificial information so that the Data Subject cannot be identified without the use of additional information which is kept separately and secure).
11.4.We will regularly evaluate and test the effectiveness of these safeguards. Employees have a responsibility to comply with any safeguards we put in place.
11.5. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the Data, defined as follows:
(a) Confidentiality means that only people who are authorised to use the Data can access it.
(b) Integrity means that Data is accurate and complete, has not been altered or destroyed without authorisation, and is suitable for the purpose for which it is processed.
(c) Availability means that authorised users should be able to access the Data if they need it for authorised purposes.
11.6.Failure to follow rules on data security may be dealt with via the Disciplinary Procedure.

12. TRANSFER LIMITATION
12.1. We will not transfer Data to any recipients outside the European Economic Area (EEA).

13. DATA SUBJECT’S RIGHTS AND REQUESTS
13.1. Data must be processed in line with Data Subjects’ rights. Data Subjects have the following rights which apply in certain circumstances:
(a) The right to be informed about processing of Data
(b) The right of access to their own Data
(c) The right for any inaccuracies to be corrected (rectification)
(d) The right to have information deleted (erasure)
(e) The right to restrict the processing of Data
(f) The right to portability
(g) The right to object to the processing of Data
(h) Rights in relation to automated decision-making and profiling based on Data
(i) The right to withdraw consent when the only legal basis for processing Data is consent
(j) The right to be notified of a Data Breach which is likely to result in high risk to their rights and freedoms
(k) The right to make a complaint to the Information Commissioner’s Office or other supervisory authority.
13.2.A formal request from a Data Subject for details of Data that we hold about them must be made in writing (Data Subject Access Request). Any member of staff who receives such a written request should forward it to their manager immediately.

14. AUTOMATED PROCESSING (INCLUDING PROFILING) AND AUTOMATED DECISION-MAKING (ADM)
14.1.Specific further rules to protect Data Subjects apply to any Automated Processing (including Profiling) and ADM related to that person’s Data.
14.2.Where you are involved in any data processing activity by us that involves profiling or ADM, you must comply with any separate guidelines we issue on profiling or ADM.

15. DIRECT MARKETING
15.1.We are also subject to further rules and privacy laws about the processing of Data when marketing to our customers.
15.2. You must comply with any separate guidelines we issue on direct marketing to customers.

16. BREACH NOTIFICATION
16.1. Where a Data Breach is likely to result in a risk to the rights and freedoms of the individual(s) concerned, we will report it to the Information Commissioner’s Office without undue delay and, where feasible, within 72 hours of us becoming aware of it. The report may be made in more than one instalment.
16.2. Individuals will be informed directly if the breach is likely to result in a high risk to their rights and freedoms.
16.3.If the breach is sufficient to warrant notification to the public, we will do so without undue delay.
16.4.If you know or suspect that a Data Breach has occurred, do not attempt to investigate the matter yourself but contact your manager or the Privacy Officer immediately. You should preserve all evidence relating to the potential Data Breach.

17. TRAINING
17.1. New employees must read and understand this policy as part of their induction. All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential Data Breach. All employees are trained to protect individuals’ data to which they have access, to ensure data security and to understand the consequences to themselves and us of any potential breaches of the provisions of this policy.

18. RECORDS
18.1. We will keep full and accurate records of all our data processing activities.

19. MONITORING AND REVIEW OF THE POLICY
19.1. We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.