Procedures for the Management of a Suspected Data Security Breach
The University must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data.
These procedures set out how the University will manage a report of a suspected data security breach.
A data security breach can happen for a number of reasons:
• Loss or theft of data or equipment on which data is stored
• Inappropriate access controls allowing unauthorised use
• Equipment failure
• Human error
• Unforeseen circumstances such as a fire or flood
• Hacking attack
• ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it
In managing any report of a suspected data security breach, the University will take four distinct steps:
1. Containment and Recovery
2. Assessment of Risks
3. Consideration of Further Notification
4. Evaluation and Response
1. Containment and Recovery
Suspected data security breaches require the University to investigate and contain the situation, and also to draw up a recovery plan which will include, where necessary, any damage limitation.
On being informed of a suspected data security breach, Mrs Gwenan Hine, Head of Compliance, will take steps to investigate, and in particular will:
• Establish who needs to be made aware of the breach and inform them of what they are expected to do to assist in the containment exercise. (This may include, for example, isolating or closing a compromised section of the network, taking steps to find a lost piece of equipment or changing the access codes on a door);
• Establish whether there is anything to be done to recover any losses and limit the damage the breach could cause;
• Where appropriate, inform the police.
2. Assessment of Risks
Before deciding on what further steps are necessary beyond those taken to immediately contain the breach, the Head of Compliance, in consultation with the relevant Senior Officers, will, on behalf of the University, assess the risks which may be associated with that breach.
In assessing the risks, the most important element to consider is the potential adverse consequences for individuals: how serious or substantial these are, and how likely they are to happen.
In making this assessment the following factors will be considered:
• What type of data is involved?
• How sensitive is it?
• If data has been lost or stolen, are there any protections in place such as encryption?
• What has happened to the data?
• What could the data tell a third party about the individual?
• How many individuals’ personal data are affected by the breach?
• Who are the individuals whose data has been breached?
• What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss or a combination of these and other aspects of their life?
• Are there wider consequences to consider such as a risk to public health or loss of public confidence?
3. Consideration of Further Notification
When assessing whether it is necessary to notify either the individuals affected or the relevant Regulatory Authorities about the breach, the Head of Compliance, on behalf of the University and in consultation with relevant Senior Officers, will consider the following issues:
• Are there any legal or contractual requirements?
• Can notification help the University meet its security obligations with regard to the seventh data protection principle?
• Can notification help the individual manage the risks for example by cancelling a credit card or changing a password?
• How can notification be made appropriate for particular groups of individuals, for example children or vulnerable adults?
• Who will the University notify, what will they be told and how will the message be communicated?
• Who else should be notified, for example third parties such as the police, insurers, professional bodies, banks or credit card companies?
4. Evaluation and Response
The University acknowledges that it is important not only to investigate the causes of any breach but also to evaluate the effectiveness of the University’s response to it.
In evaluating the causes of the breach and the effectiveness of its response to that breach, the Head of Compliance will convene an Evaluation Group with a core composition including:
- A member of the Legal Compliance Task Group (Chair)
- University Legal Advisor
- Head of Compliance
- Relevant Heads of College, Heads of Central Service Department and/or College Managers, determined by the nature of the breach
- Relevant operational managers, determined by the nature of the breach
The Evaluation Group will take into account the following key issues:
• Can the University satisfy itself that it knows what personal data is held and where and how it is stored?
• In relation to personal data what and where are the biggest risks for the institution? For example where are sensitive personal data held?
• Are the risks associated with the sharing or disclosing of data suitably identified and managed?
• What are the potential weak points in the University’s current security measures, such as the use of portable storage devices?
• Is staff awareness of security issues monitored, and are any gaps filled through training or tailored advice?
On completion of their investigation, the Chair of the Evaluation Group should submit a full report to the Legal Compliance Task Group at its next meeting, including any recommendations, which may include action in accordance with the University’s Disciplinary Procedures.
Approved by the Legal Compliance Task Group 5th October 2009