Data Breach Policy

This Policy and Plan aims to help the Charter manage personal data breaches effectively.

The Charter holds Personal Data about our personnel, being voluntary members of our organisation, including Presidium and YCT members, Communications Officers and listed Municipality Personnel, as well as about members, being participants in our activities and events. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

SCOPE
This policy applies to all ‘staff’: personnel of the Charter who, as a necessity of undertaking their duties, collect or manage personal information. You must be familiar with this policy and comply with its terms.

TRAINING
All staff will receive training on this policy. Training is provided through comprehensive Explanatory Instructions on collecting and managing personal information at each point where such activity occurs and covers applicable laws relating to data protection, and the Charter’s data protection and related policies and procedures. Receiving this instruction is compulsory.

PERSONAL DATA
Any use of sensitive Personal Data is to be strictly controlled in accordance with this policy.

While some data will always relate to an individual, other data may not, on its own, relate to an individual. Such data would not constitute Personal Data unless it is associated with, or made to relate to, a particular individual.

CAUSES
Data breaches may be caused by human error, parties external to the organisation, or computer system errors.

Human Error
Human Error causes include:

  • Loss of computing devices, data storage devices, or paper records containing personal data,
  • Sending/disclosing data to an incorrect recipient,
  • Handling data in an unauthorised way (e.g. downloading a local copy of personal data),
  • Unauthorised access or disclosure of personal data by employees,
  • Improper disposal of personal data (e.g. hard disks, storage media, or paper documents containing personal data discarded before the data is properly deleted).

Malicious Activities
Malicious causes include:

  • Hacking incidents / Illegal access to databases containing personal data,
  • Theft of computing devices, data storage devices, or paper records containing personal data,
  • Scams that trick Charter personnel into releasing personal data of individuals.

Computer System Error
Computer System Error causes include:

  • Failure of security / authentication / authorisation systems.

Reporting Breaches

All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:

  • Investigate the failure and take remedial steps if necessary,
  • Maintain a register of compliance failures,
  • Notify the Data Protection Commissioner of any compliance failures that are likely to pose a risk to people’s rights and freedoms. A risk to people’s freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation,
  • Under the GDPR, the Charter is legally obliged to notify the Data Protection Commissioner within 72 hours of the data breach. Individuals have to be notified after the Charter becomes aware of a personal data breach.

However, the Charter does not have to notify the data subjects if anonymised data is breached. Specifically, notice to data subjects is not required if the data controller has applied pseudonymisation techniques such as encryption, along with adequate technical and organisational protection measures, to the personal data affected by the data breach.

Reporting to the Data Protection Commissioner

The Data Protection Commissioner must be notified as soon as possible of any data breaches that might cause public concern or where there is a risk of harm to a group of affected individuals.

The notification should include the following information, where available:

  • Extent of the data breach,
  • Type and volume of personal data involved,
  • Cause or suspected cause of the breach,
  • Whether the breach has been rectified,
  • Measures and processes that the organisation had put in place at the time of the breach,
  • Information on whether the individuals affected by the data breach were notified and, if not, when the organisation intends to do so,
  • Contact details of the Charter staff with whom the Data Protection Commissioner can liaise for further information or clarification.

Where specific information of the data breach is not yet available, the Charter should send an interim notification comprising a brief description of the incident.

Notifications made by organisations or the lack of notification, as well as whether organisations have adequate recovery procedures in place, will affect the Data Protection Commissioner’s decision on whether an organisation has reasonably protected the personal data under its control or possession.

Reporting to the Individual

In accordance with the GDPR, Vita will undertake to notify the individual whose data is the subject of a breach if there is a high risk to that person’s rights and freedoms. A high risk may be, for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online.

This notification will be made without undue delay and may, dependent on the circumstances, be made before the Data Protection Commissioner is notified.

The following information will be provided when a breach is notified to the affected individuals:

  • Extent of the data breach,
  • Type and volume of personal data involved,
  • Description of the likely consequences of the data breach,
  • Measures and processes that the organisation has put in place and, where appropriate, measures taken to mitigate any possible adverse effects,
  • Contact details of the Charter personnel with whom the individual can liaise for further information or clarification.

Record of Breaches

The Charter records all personal data breaches, regardless of whether they are notifiable, as part of its general accountability requirement under the GDPR. It records the facts relating to the breach, its effects and the remedial action taken.

Responding to a Data Breach

The Charter’s data breach management and response plan is:

  • Confirm the Breach,
  • Contain the Breach,
  • Assess Risks and Impact,
  • Report the Incident,
  • Evaluate the Response & Recovery to Prevent Future Breaches.

Consequences of Failing to Comply

The Charter takes compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk.

The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our personnel procedures, which may result in dismissal.