Data Security Incident Procedure

HATFIELD & DISTRICT GROUP  PARISH COUNCIL

 DATA SECURITY INCIDENT PROCEDURE

Introduction

We have a responsibility to ensure that personal information is kept and used securely. If anything goes wrong and, for example, data is lost, stolen, misused, sent to the wrong address or inappropriately accessed or released, we equally have a responsibility to put things right.

All suspected information security incidents must be reported to H&DGPC This enables  to conduct a full investigation, and to identify areas of weakness and improvements that need to be made. It also enables  H&DGPC to take a decision as to whether the incident should be reported to the Information Commissioner’s Office as a data breach. The latter must be done within 72 hours of discovery, therefore all suspected incidents must be reported to  H&DGPC as soon as they are discovered.

When sensitive information has been put at risk, but has not actually been lost, stolen, misused or inappropriately accessed or released, it may not be an incident requiring reporting to the Information Commissioner’s Office however it is not good practice.  For example, a member of staff taking sensitive information home without authority but returning it safely the next day would have put data at risk. H&DGPC will still put measures in place to prevent a reoccurrence.

All staff and councillors must be made aware of this procedure.

Procedure

All identified incidents must be reported to  H&DGPC as soon as they are detected. Even where there is some difference of opinion regarding breach, err on the side of caution and report it.

Upon detecting a breach, it is important to act quickly. In particular it is important to let H&DGPC know the following:

  • The extent of the breach
  • The amount of information involved
  • The sensitivity of information involved

The H&DGPC will investigate the incident and establish why it happened, whether or not it constitutes a breach and what remedial action is necessary.

The H&DGPC will use their initial assessment to report the breach if it meets the necessary threshold for reporting to the Information Commissioner’s Office within 72 hours of the discovery of the breach. If this is done after 72 hours, the H&DGPC will provide an explanation for this.

The H&DGPC will prepare an incident report containing the following:

  • A timeline of dates and times concerning the incident
  • The potential for loss or damage to individuals, the parish council or any other body
  • What measures need to be taken and how quickly to address:-
    1. Restoring any lost information to our custody or control
    2. Whether to warn people about the loss, including who to warn and when. This may require a risk assessment.
  • Factors taken into account for deciding to report the loss to the Information Commissioner’s Office.
  1. Whether to report the loss to the Police.

The H&DGPC will consider taking statements from those involved, especially where the quality of evidence may be lost through time or people may not be present for long.

The H&DGPC will report any actions that need to be taken to prevent a reoccurance of the breach and the parish council will ensure that these are implemented.

The H&DGPC will write to any data subject(s) affected, if necessary dependant on the outcome of a risk assessment, and deal with any subsequent complaint. A standard letter template for this is in Appendix 1.

The H&DGPC will also correspond as applicable with any member of the public reporting a breach.

The H&DGPC will deal with any correspondence from the Information Commissioner’s Office, providing any further information requested and implementing any recommendations.