Data Breach Policy
This policy explains how information about reporting incidents is provided, who is responsible for reporting, responding and investigating and how these are handled.
It applies to everyone who is involved in an actual, suspected, threatened or potential incident which involves data loss or a breach of information security.
This potentially includes all staff, students, associates, and anyone else authorised to use Tarameen’s facilities and information
1. Policy
1.1 It is the policy of Tarameen Ltd that information security incidents will be handled properly, effectively and in a manner that minimises the adverse impact to the business and the risk of data loss to its customers.
1.2 Tarameen will ensure that:
- incidents are reported in a timely manner and can be properly investigated
- incidents are handled by appropriately authorised and skilled personnel
- appropriate levels of Tarameen management are involved in the determination of response actions
- incidents are recorded and documented
- the impact of the incidents are understood and action is taken to prevent further damage
- evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny
- external bodies or data subjects are informed as required
- the incidents are dealt with in a timely manner and normal operations restored
- the incidents are reviewed to identify improvements in policies and procedures.
1.3 Tarameen will provide information on its website, and through other training and communications channels, which explains how information security incidents should be reported and will encourage the reporting of all incidents whether they are actual, suspected, threatened or potential.
1.4 The Tarameen Board will monitor and review information security incidents to identify recurring incidents and areas of risk. The review process will be used to identify requirements for new or changed policies, to update Tarameen risk register and to identify any other relevant controls.
1.5 If an information security incident occurs which requires a coordinated response across Tarameen or the incident has possible external or media interest, Tarameen’s business continuity plan will be triggered.
1.6 Tarameen will conduct periodic testing of the information security handling procedures to maintain and improve staff awareness of the procedures and the actions required.
2. Scope
2.1 This policy applies to all Tarameen’s information and to all methods of accessing that information.
3. Oversight
3.1 The Tarameen Board, chaired by the Managing Director, will monitor the effectiveness of this policy and carry out regular reviews.
4. Responsibilities
The GDPR applies to both Data Controllers and to Data Handlers within Tarameen. Therefore, all information users are responsible for reporting actual, suspected, threatened or potential
information security incidents and for assisting with investigations as required, particularly if urgent action must be taken to prevent further damage.
Managers
Heads of Department are responsible for ensuring that staff in their area act in compliance with this policy and assist with investigations as required.
Lead Responsible Officers
The Managing Director and Data Protection Manager will be responsible for overseeing management of the breach in accordance with the Data Breach Management Plan. Suitable further delegation may be appropriate in some circumstances.
5. Data Breach Management Plan
Tarameen’s response to any reported data security breach will involve the following four elements.
- Containment and Recovery
- Assessment of Risks
- Consideration of Further Notification
- Evaluation and Response
Each of these four elements will need to be conducted in accordance with the checklist. An activity log recording the timeline of the incident management should also be completed.
6.Disciplinary
Officers, members, contractors, visitors or partner organisations who act in breach of this policy may be subject to disciplinary procedures or other appropriate sanctions
7. Review
This document shall be subject to annual review by the Board and Senior Management at Tarameen.
Appendix A – Definitions
Information Security Incident: an adverse event in relation to the security of University information or IT systems which has already occurred, is suspected, has been threatened or has the potential to occur.
Examples of information security incidents include:
- Data loss due to any cause
- Attempts (either failed or successful) to gain unauthorized access to a system or its data
- Theft or other loss of a laptop, desktop, PDA, or other device that stores Tarameen’s information, whether or not the device is owned by Tarameen.
- Unwanted disruption or denial-of-service
- Unauthorized use of a system for the processing or storage of data
- Uncontrolled system changes
- Malfunctions of software or hardware
- Noncompliance with information security and acceptable use policies
- Human error e.g. personal data being emailed to the wrong recipient
Appendix B – Data Breach Reporting Template
| Report by: | Name:
Job Title: Service: Date: |
|
| 1 | Summary of event and circumstances | Who, what, when, who etc. |
| 2 | Type and amount of personal data | Title of document(s)-what information is included-name, contact details, financial, sensitive or special category data. |
| 3 | Action taken by recipient | |
| 4 | Action taken to retrieve data and respond to breach | |
| 5 | Procedure/policy in place to minimise risk | Communication, secure storage, sharing, exchange. |
| 6 | Breach of policy/procedure by officer/member | Has there been a breach of policy and has appropriate management action been taken? |
| 7 | Details of notification to data subject. Complaint received? | Has data subject been notified? If not, explain why. What advice has been offered? |
| 8 | Details of Data Protection training provided. | Date of most recent training by staff/ manager involved |
| 9 | Risk assessment and changes need to prevent further data loss | |
| 10 | Conclusions and learning points |
Policy published date: 10 May 2018
Last review date: 10 May 2018
