Unauthorised disclosure or loss of personal data
Smart Communities Ltd (SCL) is required under the Data Protection Act 1998 and General Data Protection Regulations 2018 to ensure the security and confidentiality of all the personal and sensitive personal data it processes, including that processed by third parties acting on its behalf. Every care should be taken by employees (current, past and prospective), Trustees, volunteers, clients, consultants and suppliers to protect the personal data they work with and to avoid the unauthorised disclosure or loss of personal data.
There are eight Data Protection Principles contained in the Data Protection Act which must be complied with when processing personal data. Failure to comply with any of these Principles is a breach of the Data Protection Act.
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
(a) at least one of the legal basis in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This policy is concerned with the seventh Data Protection Principle: ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
Examples of a breach of this Principle would include:
• personal data accidentally being sent to someone (either internally or externally) who does not have a legitimate need to see it;
• databases containing personal data being compromised, for example;
– being illegally accessed by individuals outside the SCL;
– loss or theft of laptops, mobile devices, or paper records containing personal data;
• paper records containing personal data being left unprotected for anyone to see, for example:-
— files left out when the owner is away from their desk and at the end of the day;
— papers not properly disposed of in secure disposal bins that can then be extracted or seen by others;
— papers left at photocopying machines;
• staff accessing or disclosing personal data outside the requirements or authorisation of their job;
• being deceived by a third party into improperly releasing the personal data of another person; and the loss of personal data due to unforeseen circumstances such as a fire or flood.
A data breach relates to the loss of personal data and should be notified following the procedure described below. A security breach relates to the loss of equipment containing personal data. Where a security breach has been notified that also involves personal data staff must also follow the data breach policy.
Action to be taken in the event of a data breach
On discovery of a data breach the following actions should be taken:-
• Contact your DPO who has 72 hours to contact ICO if reportable
• Containment and recovery
• Assessing the risk – and notifying the individuals it is relating to if appropriate.
• DPO will notify if a reportable breach has occurred Information Commissioner’s Office (ICO)
• Evaluation and response by SCL management Team
Containment and recovery
Who is responsible for action? – The individual committing the breach, their line manager. On discovery of a data breach the individual must notify their line manager as soon as possible and contact the DPO.
Action to be taken
The immediate priority is to contain the breach and limit its scope and impact.
Where personal data has been sent to someone not authorised to see it staff should:
• tell the recipient not to pass it on or discuss it with anyone else;
• tell the recipient to destroy or delete the personal data they have received and get them to confirm in writing that they have done so;
• warn the recipient of any implications if they further disclose the data; and inform the data subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.
The line manager responsible for the staff member, volunteer / trustee where the breach occurred must be notified and they must immediately report it to Data Protection Officer (DPO), the DPO and providing the following information:
• date and time of the breach;
• date and time breach detected;
• who committed the breach;
• details of the breach;
• number of data subjects involved; and
• details of actions already taken in relation to the containment and recovery.
Assessing the risk
Who is responsible for action? – DPO.
Action to be taken
The DPO will conduct an investigation into the breach and prepare a report. This report will follow the ICO’s guidance on Breach Management and will consider the following:
• How the breach occurred.
• The type of personal data involved.
• The number of data subjects affected by the breach.
• Who the data subjects are.
• The sensitivity of the data breached.
• What harm to the data subjects can arise? For example, are there risks to physical safety, reputation or financial loss?
• What could happen if personal data is used inappropriately or illegally?
• For personal data that has been lost or stolen, are there any protections in place such as encryption?
• Notifying the Information Commissioner Office
Responsibility for notifying the ICO rests with the DPO. They will complete a breach notification form.
Evaluation and response
Who is responsible for action? The managers of the person who created the breach.
Overall responsibility for this policy lies with the SCL Board of Directors / Trustees and its implementation with the Senior Management Team.