Personal Data Breach Handling Procedure

Niamh Scannell

Document Information

Prepared By: QAE and IT
Document Version No: 0.2
Title: Personal Data Breach Handling Procedure
Document Version Date: 15/09/2022
Reviewed By: National College of Ireland
Review Date:

Distribution List

Columns: To, Action, Due Date, Phone/Fax/Email (no entries recorded)

Document Version History

Columns: Version Number, Version Date, Revised By, Description

Version 0.1 (Nov 2018), revised by QAE and IT: Initial Document Created
Version 0.2 (15/09/2022), revised by Niamh Scannell: Added additional sections: introduction and purpose, scope, references, and document control table

*Enter document details in the tables above and make sure to update them as changes are made.

Contents

1. Introduction and Purpose

2. Scope

3. Roles and Responsibilities

4. References

5. Policy

    5.1 What is a personal data breach?

    5.2 Managing a personal data breach

    5.3 Notification of personal data breaches

1. INTRODUCTION AND PURPOSE

This procedure outlines what a data breach is, roles and responsibilities, and notification requirements.


2. SCOPE

This procedure applies to any staff member, contractor, volunteer, or individual acting on behalf of NCI. Managers, Directors, Heads of Schools, and Heads of Departments must ensure their staff are made aware of this procedure and that it is implemented within their function.

3. ROLES AND RESPONSIBILITIES

In order for NCI to be able to comply with the GDPR, it is essential that all incidents (including suspected incidents) which give rise to the risk of unauthorised disclosure, loss, destruction or alteration of personal data are reported without delay to the DPO. Where the DPO is unavailable, a secondary point of contact shall be identified, and the incident shall be reported in line with the agreed procedure. In the event of a suspected personal data breach happening, employees shall notify the DPO immediately. Employees shall not assume that the DPO is already aware of the suspected breach.

4. REFERENCES

5. POLICY

5.1 WHAT IS A PERSONAL DATA BREACH?

A “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

Examples of typical data breaches are:

  1. Loss or theft of data or equipment on which data is stored
  2. Loss or theft of documents/folders
  3. Unforeseen circumstances such as a flood or fire which destroys information
  4. Inappropriate access controls allowing unauthorised use
  5. A hacking/cyber attack
  6. Obtaining information from the organisation by deception, misaddressing of e-mails, human error, etc.

The above examples include the accidental loss of personal data as statistics indicate that most breaches are internal in nature and due to non-malicious user behaviour (e.g. loss of unencrypted laptop or USB, paper files, etc.).

5.2 MANAGING A PERSONAL DATA BREACH

GDPR requires that NCI document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance.

In the event of a suspected personal data breach, a summary of the personal data breach shall be recorded in the NCI Data Breach Log. Each summary shall contain the facts relating to the personal data breach, its effects, and the remedial action taken. The NCI Data Breach Log shall be maintained by the DPO. Within NCI, the DPO will assess the breach, and make a decision on the next steps to be taken.

5.3 NOTIFICATION OF PERSONAL DATA BREACHES

(i) Notification to a Supervisory Authority

After review of the breach by the DPO, if the data breach is likely to affect the rights and freedoms of a data subject, the DPO shall inform the Irish Data Protection Commissioner within 72 hours of NCI becoming aware of the breach. The details of the notification will include:

  1. Description of the nature of the personal data breach including, where possible, the approximate number of data subjects concerned, the categories of data concerned, and the approximate volume of data records concerned. 
  2. Description of the likely consequences of the personal data breach.
  3. Description of the measures taken, or proposed to be taken, by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(ii) Notification to Data Subjects

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, NCI shall communicate the personal data breach to the data subject without undue delay. The notification shall describe in clear and plain language the nature of the personal data breach and contain at least: 

  1. Name and contact details of the NCI DPO.
  2. Description of the likely consequences of the personal data breach.
  3. Description of the measures taken or proposed to be taken by NCI to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(iii) Notification to Controllers

Where NCI performs the role of data processor the DPO will notify all data controllers without undue delay after becoming aware of a personal data breach including:

  1. Description of the nature of the personal data breach including, where possible, the approximate number of data subjects concerned, the categories of data concerned, and the approximate volume of data records concerned.
  2. Description of the likely consequences of the personal data breach.
  3. Description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
