Data Breach Notification Policy
Approved 1 December 2021
Adopted by Shavington-cum-Gresty Parish Council on 17 May 2023
We are aware of the obligations placed on us by the DPA 2018 in relation to processing data lawfully and to ensure it is kept securely.
One such obligation is to report a breach of personal data in certain circumstances and this policy sets out our position on reporting data breaches.
PERSONAL DATA BREACH
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.
The following are examples of data breaches:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a data controller or data processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission;
- loss of availability of personal data.
INVESTIGATION INTO SUSPECTED BREACH
In the event that we become aware of a breach, or a potential breach, an investigation will be carried out. This investigation will be carried out by a Data Protection Officer who will provide guidance to the council to help it determine whether the breach is required to be notified to the Information Commissioner. A decision will also be made over whether the breach is such that the individual(s) must also be notified.
WHEN A BREACH WILL BE NOTIFIED TO THE INFORMATION COMMISSIONER
In accordance with the DPA 2018, we will undertake to notify the Information Commissioner of a breach which is likely to pose a risk to people’s rights and freedoms. A risk to people’s freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.
Notification to the Information Commissioner will be done without undue delay and at the latest within 72 hours of discovery. If we are unable to report in full within this timescale, we will make an initial report to the Information Commissioner, and then provide a full report in more than one instalment if so required.
The following information, as a minimum, will be provided when a breach is notified:
- a description of the nature of the personal data breach including, where possible:
- the categories and approximate number of individuals concerned; and
- the categories and approximate number of personal data records concerned
- the name and contact details of the Data Protection Office is: JDH Business Services Ltd, Carreg Lwyd, Cefn Bychan Road, Pantymwyn, Flintshire. CH7 5EW where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
- A description of the Agencies informed of the breach
WHEN A BREACH WILL BE NOTIFIED TO THE INDIVIDUAL
In accordance with the DPA 2018, we will undertake to notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms. A high risk may be, for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online.
This notification will be made without undue delay and maybe dependent on the circumstances, be made before the supervisory authority is notified.
The following information will be provided when a breach is notified to the affected individuals:
- a description of the nature of the breach
- a description of the likely consequences of the personal data breach and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
RECORD OF BREACHES
The council records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under GDPR. It records the facts relating to the breach, its effects and the remedial action taken in a data breach register.