Personal Data Security Breach Management Policy

Transcription

1 Persnal Data Security Breach Management Plicy 1.0 Purpse The Data Prtectin Acts 1988 and 2003 impse bligatins n data cntrllers in Western Care Assciatin t prcess persnal data entrusted t them in a manner that respects the rights f data subjects (Service Users, families and emplyees) t have their data prcessed fairly. Infrmatin /data is ne f ur mst imprtant assets and each ne f us has a respnsibility t ensure the security f this infrmatin. Accurate, timely, relevant and prperly prtected recrds are essential. Smetimes a breach f infrmatin/data security may ccur because this infrmatin/ data is accidentally disclsed t unauthrized persns r, lst due t a fire r fld r, stlen as result f a targeted attack r the theft f a mbile cmputer device. The purpse f this plicy is t ensure that a natinal standardised management apprach is implemented thrughut the rganisatin in the event f an infrmatin/data breach. This plicy is mandatry and by accessing any f Western Care Assciatin Infrmatin/data, users are agreeing t abide by the terms f this plicy. 2.0 Scpe This plicy applies t all emplyees, service prviders and third parties that access, use, stre r prcess infrmatin n behalf f Western Care Assciatin. This plicy is authrised by the Executive Directr in Western Care Assciatin. 3.0 Legislatin Western Care Assciatin has an bligatin t abide by all relevant Irish legislatin and Eurpean legislatin. The relevant acts, which apply in Irish law t Infrmatin Systems, include but are nt limited t: 4.0 Plicy The Data Prtectin Act (1988/2003) Eurpean Cmmunities Data Prtectin Regulatins, (2001) Eurpean Cmmunities (Data Prtectin and Privacy in Telecmmunicatins) Data Prtectin EU Directive 95/46/EC Criminal Damages Act (1991) It is the plicy f Western Care Assciatin that in the event that an infrmatin/data breach happens, the fllwing breach management plan is strictly adhered t.

2 It is imprtant that each manager puts int place their wn lcal prcedures t enable them t implement the breach management plan shuld such a data breach ccur. There are five elements t any breach management plan: Identificatin and Classificatin Cntainment and Recvery Risk Assessment Ntificatin f Breach Evaluatin and Respnse 5.0 Breach Management Plan 5.1 Identificatin and Classificatin Senir Management must put in place prcedures that will allw any staff member t reprt any infrmatin/data security breach. It is imprtant that all staff are aware t whm they shuld reprt such a breach. Yu must reprt any breach f infrmatin /data t yur manager as sn as yu detect it. Having such a prcedure in place will allw fr early recgnitin f the breach s that it can be dealt with in the mst apprpriate manner. Details f the breach shuld be recrded accurately by the persn wh detected the breach r their manager. Yu must include the date and time the breach ccurred, the date and time it was detected, wh reprted the breach, descriptin f the breach, details f any cmputer systems invlved and frwarded t the apprpriate Manager. (See Frm attached). In this respect, staff need t be made fully aware as t what cnstitutes a breach. In respect f this plicy a breach maybe defined as the unintentinal release f cnfidential r persnal infrmatin/data t unauthrised persns, either thrugh the accidental disclsure, lss r theft f the infrmatin/data. 5.2 Cntainment and Recvery Cntainment invlves limiting the scpe and impact f the breach f data/infrmatin. If a breach ccurs, management shuld: Decide n wh wuld take the lead in investigating the breach and ensure that the apprpriate resurces are made available fr the investigatin. Establish wh in the rganisatin needs t be made aware f the breach and infrm them f what they are expected t d t assist in the cntainment exercise. Fr example, finding a lst file.

3 Establish whether there is anything that can be dne t recver lsses and limit the damage the breach can cause. 5.3 Risk Assessment In assessing the risk arising frm the security breach, managers shuld cnsider what wuld be the ptential adverse cnsequences fr individuals, i.e. hw likely it is that adverse cnsequences will materialise and, in the event f materialising, hw serius r substantial are they likely t be. In assessing the risk, managers shuld cnsider the fllwing pints: What type f Infrmatin/data is invlved? Hw sensitive is the infrmatin/data? Are there any security mechanism s in place (e.g. passwrd, prtected, encryptin)? What culd the infrmatin/data tell a third party abut the individual? Hw many individuals are affected by the breach? 5.4 Ntificatin f Breaches If the data cncerned is prtected by technlgical measures such as t make it unintelligible t any persn wh is nt authrised t access it, the data cntrller may cnclude that there is n risk t the data and therefre n need t infrm data subjects. Such a cnclusin wuld nly be justified where the technlgical measures (such as encryptin) were f a high standard. All incidents f lss f persnal data in manual r electrnic frm by a data prcessr must be reprted t their manager /relevant data cntrller as sn as the data prcessr becmes aware f the incident. All incidents in which persnal data has been put at risk shuld be reprted t the Office f the Data Prtectin Cmmissiner as sn as the data cntrller becmes aware f the incident, except when the full extent and cnsequences f the incident has been reprted withut delay directly t the affected data subject(s) and it affects n mre than 100 data subjects and it des nt include sensitive persnal data r persnal data f a financial nature. Data cntrllers reprting t the Office f the Data Prtectin Cmmissiner in accrdance with this plicy shuld make initial cntact with the Office within tw wrking days f becming aware f the incident, utlining the circumstances surrunding the incident. This initial cntact may be by (preferably), telephne r fax and must nt invlve the cmmunicatin f persnal data. The Office f the Data Prtectin Cmmissiner will make a determinatin regarding the need fr a detailed reprt and/r subsequent investigatin based n the nature f

4 the incident and the presence r therwise f apprpriate physical r technlgical security measures t prtect the data. Shuld the Office f the Data Prtectin Cmmissiner request a data cntrller t prvide a detailed written reprt f the incident, the Office will specify a timeframe fr the delivery f the reprt based n the nature f the incident and the infrmatin required. Such a reprt shuld reflect careful cnsideratin f the fllwing elements: the amunt and nature f the persnal data that has been cmprmised the actin being taken t secure and / r recver the persnal data that has been cmprmised; the actin being taken t infrm thse affected by the incident r reasns fr the decisin nt t d s; the actin being taken t limit damage r distress t thse affected by the incident; a chrnlgy f the events leading up t the lss f cntrl f the persnal data; and the measures being taken t prevent repetitin f the incident. Depending n the nature f the incident, the Office f the Data Prtectin Cmmissiner may investigate the circumstances surrunding the persnal data security breach. Investigatins may include n-site examinatin f systems and prcedures and culd lead t a recmmendatin t infrm data subjects abut a security breach incident where a data cntrller has nt already dne s. If necessary, the Cmmissiner may use his enfrcement pwers t cmpel apprpriate actin t prtect the interests f data subjects. Even where there is n ntificatin t the Office f the Data Prtectin Cmmissiner, the data cntrller shuld keep a summary recrd f each incident which has given rise t a risk f unauthrised disclsure, lss, destructin r alteratin f persnal data. The recrd shuld include a brief descriptin f the nature f the incident and an explanatin f why the data cntrller did nt cnsider it necessary t infrm the Office f the Data Prtectin Cmmissiner. Such recrds shuld be prvided t the Office f the Data Prtectin Cmmissiner upn request. 5.5 Evaluatin and Respnse Subsequent t any infrmatin/data security breach a thrugh review f the incident shuld ccur. The purpse f this review is t ensure that the steps taken during the incident were apprpriate and t identify areas that may need t be imprved.

5 Any recmmended changes t plicies and/r prcedures shuld be dcumented and implemented as sn as pssible thereafter. Senir Management shuld identify a grup f peple within the rganisatin wh will be respnsible fr reacting t reprted breaches f security. 6.0 Rles and Respnsibilities 6.1 Line Managers Managers are respnsible fr: 6.2 Users The implementatin f this plicy. Ensuring that all emplyees wh reprt t them are made aware f and are instructed t cmply with this plicy and all ther related plicies. Agreeing the apprpriate prcedures t fllw when a breach f this plicy has ccurred. Each user is respnsible fr: Cmplying with the terms f this plicy and all ther relevant Western Care plicies, prcedures, regulatins and applicable legislatin; Respecting and prtecting the privacy and cnfidentiality f the infrmatin they prcess at all times; Reprting all misuse and breaches f this plicy t their manager. 7.0 Enfrcement Western Care Assciatin reserves the right t take such actin as it deems apprpriate against users wh breach the cnditins f this plicy. Western Care Assciatin emplyees wh breach this plicy may be denied access t the rganisatins infrmatin technlgy resurces, and maybe subject t disciplinary actin. 8.0 Review & Update This plicy will be reviewed and updated annually r mre frequently if necessary, t ensure that any changes are prperly reflected in the plicy.

6 Details f Data Security Breaches DATE & TIME BREACH OCCURED DATE & TIME BREACH DETECTED WHO REPORTED THE BREACH DESCRIPTION OF THE BREACH DETAILS OF ANY COMPUTER SYSTEMS INVOLVED Signed: Date: Name & Tile f Persn Cmpleting Frm Once cmpleted please frward t yur Manager.