Data Breach Policy
Date created: 26 June 2018
Data security breaches are increasingly common, whether caused by human error or malicious intent. This document explains how the Society will respond to any data security breach.
Data security breach definition
The Society defines a data breach as “any loss or unauthorised access to personal data held by the Society or their data processors”. Data breaches include, but are not limited to:
- Loss or theft of data or equipment on which data is stored
- Unauthorised access to data held by the Society
- Equipment failure resulting in the loss of data
- Human error resulting in the loss of, or unauthorised access to, data
- Unforeseen circumstances such as a fire or flood that destroy data
- Hacking attacks
- Information obtained by deceit
Data breach reporting
It is the responsibility of the following to notify the Society Data Protection Lead of any data breach within 72 hours of the breach occurring, by letter to the Society at 52 Northern Road, Cosham, PO6 3DP, by fax, or by email to firstname.lastname@example.org:
- Members of the Society Executive Committee
- Volunteers working at the Society office
- Society Group Leaders
- Society Data Processors
UK Information Commissioner’s Office
Upon receiving notification of a data breach, the Society Data Protection Lead will review and discuss the severity of the breach with the Officers of the Society Executive Committee and any involved Society Data Processors. If considered necessary, the Data Protection Lead will report the breach to the UK Information Commissioner’s Office. Under the UK GDPR a reportable breach must be notified to the Information Commissioner’s Office within 72 hours of the Society becoming aware of it, so the internal review must be completed promptly enough to meet that deadline.
Data breach management
In consultation with the Officers of the Society Executive Committee and any involved Society Data Processors, the Society Data Protection Lead will implement a plan to: notify Society members and customers of the data breach; contain the breach; recover the breached data; and assess and then mitigate any further risks to Society member and customer personal data. Society members and customers will be notified of the actions taken.