Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom


Version Control

Date | Version | Reason | Owner | Author
16/09/2009 | Draft 1 | Outline Draft | Jackie Groom | Indirani
02/11/2009 | Draft 2 | Include JG's comments | Jackie Groom | Indirani
09/09/2010 | Final Draft | | Jackie Groom | Indirani
16/02/2011 | Amendment | Includes notification of breaches to Corporate Director Support Services | Jackie Groom | Indirani
28/02/2011 | Amendment | Add link to relevant ICO site | Jackie Groom | Indirani
21/03/2011 | Amendment | Add disciplinary action | Jackie Groom | Indirani
11/10/2012 | Final | Amendments | Jackie Groom | Indirani

Purpose: To set guidelines for data breach management
Status: Final
Date: 9 Sept 2010
Review Date: 9 Sept 2013

Breach Management Procedure 1

1. Introduction

1.1. Southend on Sea Borough Council (SBC) processes personal data and must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data.

1.2. All Data Controllers have a responsibility under the Data Protection Act 1998 to ensure appropriate and proportionate security of the personal data they hold (DPA 1998, 7th Principle). This guidance should, however, assist in deciding on an appropriate course of action if a breach occurs.

2. Scope

2.1. This procedure applies to all users of SBC's information, data, information systems and the Council's property portfolio (its physical buildings). It applies not only to staff and members but also to service providers and consultants, and encompasses data, information, software, systems, paper documents and personnel.

3. When has there been a breach?

3.1. There has been a breach if there has been:
- Loss or theft of data or equipment on which data is stored
- Inappropriate access controls allowing unauthorised use
- Equipment failure
- Human error in dealing with personal information
- Unforeseen circumstances such as a fire or flood
- Hacking attack on the Council's ICT systems
- Blagging offences, where information is obtained by deceiving the organisation which holds it

4. The Four Elements for Breach Management

4.1. There are four elements in dealing with a data breach. These are:
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response

5. What to do when a breach occurs

5.1. The process below gives you a quick summary of what to do in the event of a data breach.
- The Information Governance Officer (IGO-DP&FOI) within the Information and Governance team in Support Services should be informed of all breaches.
- The IGO will ensure that the Data Controller and Caldicott Guardian (if appropriate) are informed of the breach, depending on the nature and severity of the breach, i.e. the extent of the damage.
- The Head of Service where the breach has occurred should take the lead on investigating the breach with the support of the IGO-DP&FOI.
- The Heads of IT, HR and Legal should be notified, depending on the relevance and severity of the breach.
- The Group Manager of the Service Area will discuss the matter with staff responsible for the breach. If negligence is proven, appropriate disciplinary action could be taken. Training and tailored advice will be provided by the IGO-DP&FOI.
- The Head of Service or the Group Manager will, to limit damages, establish whether there is anything that can be done to recover any losses the breach has caused or might cause. These could include making arrangements to isolate or close a compromised section of the ICT network, recall any erroneously sent email, find a lost piece of equipment or simply change the access codes at the front door.
- The IGO-DP&FOI will co-ordinate with the Data Controllers on steps to be taken.
- The IGO-DP&FOI will inform the HR Business Partner regarding any relevant action on staff involved.
- The Data Controller will notify, where appropriate, all in the Council about the breach and action taken.
- The Group Manager of the service area will inform the Police and relevant partner agencies, if appropriate, and especially if it involves the safety of data subject(s).
- Discussions with the Corporate Director Support Services must take place before breaches are notified to the ICO by the IGO-DP&FOI.
- The IGO-DP&FOI will notify the Information Commissioner's Office (ICO) in line with the guidelines under "Notification of breaches" (section 9).
- Any breach will necessitate the relevant service area attending Data Protection training or refresher sessions.
- The IGO-DP&FOI will maintain an audit trail of what actions have been taken (as expected by the ICO).
- The IGO-DP&FOI must be kept informed of progress at all stages.

6. Managing the Breach

6.1. The following gives more detail on the various stages of Breach Management.

7. Containment and Recovery

7.1. Breaches will require not just an initial response to investigate and contain the situation but also a recovery plan including, where necessary, damage limitation. This will often involve input from IT, HR and Legal and in some cases contact with external stakeholders and suppliers.

7.2. Media may be made aware of a breach if there is a possibility of information being made public in the press.

8. Assessing the risks

8.1. Certain data security breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. An example is where a laptop is irreparably damaged but its files were backed up and can be recovered, albeit at some cost to the business.

8.2. Whilst these types of incidents can still have significant consequences, the risks are very different from those posed by, for example, the theft of a customer database, the data on which may be used to commit identity fraud.

8.3. Before deciding on what steps are necessary, further to immediate containment, an assessment of the risks which may be associated with the breach must take place.

8.4. Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen.

8.5. Helpful tips for assessment:
- What type of data is involved?
- How sensitive is it? Is it sensitive personal details (e.g. health records) or other data types which are sensitive because of what might happen if they are misused (e.g. bank account details)?
- If data has been lost or stolen, are there any protections in place such as encryption?
- If data has been stolen, could it be used for purposes which are harmful to the individuals to whom the data relate? If it has been damaged, this poses a different type and level of risk.
- What could the data tell a third party about the individual? Sensitive data could mean very little to an opportunistic laptop thief, while the loss of apparently trivial snippets of information could help a determined fraudster build up a detailed picture of other people.
- How many individuals' personal data is affected by the breach? It is not necessarily the case that the bigger risks will accrue from the loss of large amounts of data, but it is certainly an important determining factor in the overall risk assessment.
- Who are the individuals whose data has been breached? Are they staff, customers, clients or suppliers?
- What harm can come to those individuals as a result of the breach? Are there risks to physical safety or reputation, financial loss or a combination of these and other aspects of their life?
- Are there wider consequences to consider, such as a risk to public health or loss of public confidence in an important service you provide?
- If an individual's bank details have been lost, consider contacting the banks themselves for advice on anything they can do to help you prevent fraudulent use.

9. Notification of breaches

9.1. A part of breach management is to inform everyone in the organisation that there has been a data security breach. However, informing people about a breach is not an end in itself.

9.2. Notification should have a clear purpose, whether this is to enable individuals who may have been affected to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints.

9.3. Answering the following questions will assist you in deciding whether to notify people:
- Can notification help you meet your security obligations with regard to the seventh Data Protection principle?
- Can notification help the individual? Bearing in mind the potential effects of the breach, could individuals act on the information you provide to mitigate risks, for example by cancelling a credit card or changing a password?
- If a large number of people are affected, or there are very serious consequences, the IGO-DP&FOI will inform the ICO after discussions with the Corporate Director Support Services.
- Consider how notification can be made appropriate for particular groups of individuals, for example if you are notifying children or vulnerable adults.
- Consider the dangers of over-notifying. Not every incident will warrant notification, and notifying the whole customer base of an issue affecting only a few customers may well cause disproportionate enquiries, upset and work.

9.4. You also need to consider who to notify, what you are going to tell them and how you are going to communicate the message. This will depend to a large extent on the nature of the breach, but the following points may be relevant to your decision.

9.5. Notify the appropriate regulatory body, but the ICO should only be notified by the IGO-DP&FOI when the breach involves personal data and after discussions with the Corporate Director Support Services.

9.6. When notifying the affected parties, consider using the most appropriate method of communication. Always bear in mind the security of the medium as well as the urgency of the situation.

9.7. Your notification should at the very least include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to respond to the risks posed by the breach.

9.8. When notifying individuals, give specific and clear advice on the steps they can take to protect themselves and also what you are willing to do to help them.

9.9. Provide a way in which they can contact you for further information or to ask you questions about what has occurred; this could be a helpline number or a web page, for example.

9.10. You might also need to consider notifying third parties such as the Police, insurers, trade unions, professional bodies and bank or credit card companies who can assist in reducing the risk of financial loss to individuals.

9.11. Although there is no legal obligation to report breaches to the ICO, the Commissioner believes that serious breaches should be notified. There is no definition of serious breaches, but the following should be considered before reporting:
- Has harm/distress been caused to data subjects, e.g. identity theft through loss of details on a passport?
- Volume of data lost, e.g. an unencrypted laptop with personal details
- Loss of sensitive data, e.g. a manual file with financial records

For more details please see: Notification of Data Security Breaches to the ICO.

9.12. When the IGO-DP&FOI notifies the ICO after discussions with the Corporate Director Support Services, the following will be provided:
- Details of the security measures: encryption and, where appropriate, other details of the security in place.
- Procedures you had in place at the time the breach occurred.
- Whether the media team are aware of the breach, so that SBC can handle a potential increase in enquiries from the public. When informing the media, it is useful to inform them whether you have contacted the ICO and what action is being taken.

9.13. Appendix A shows a flowchart detailing the key actions that need to be taken.

10. Evaluation and Response

10.1. It is important not only to investigate the causes of the breach but also to evaluate the effectiveness of your response to it. Clearly, if the breach was caused, even in part, by systemic and ongoing problems, then simply containing the breach and continuing business as usual is not acceptable.

10.2. Similarly, if your response was hampered by inadequate policies, procedures or a lack of a clear allocation of responsibility, then it is important to review and update these policies, procedures and lines of responsibility in the light of experience. Identify where improvements can be made and action them.

10.3. The following points will assist:
- Know what personal data is held and where and how it is stored. Dealing with a data security breach is much easier if you know which data is involved.
- Establish where the biggest risks lie. For example, how much sensitive personal data do you hold? Do you store data across the Council or is it concentrated in one location?
- Risks will arise when sharing with or disclosing to others. You should make sure not only that the method of transmission is secure but also that you only share or disclose the minimum amount of data necessary, and in line with any Information Sharing Protocols in place. By doing this, even if a breach occurs, the risks are reduced.
- Identify weak points in your existing security measures, such as the use of portable storage devices or access to public networks.
- Monitor staff awareness of security issues and look to fill any gaps through training.

10.4. Ensure that any evaluation and implementation is recorded as part of the Breach Management. The IGO (DP&FOI) will routinely check with you that improvements have been made to mitigate future risk.

10.5. Additional Information

This procedure should be read in conjunction with the Council's policies and procedures found on the Council's intranet, listed below:
- Data Protection Policy
- Acceptable Use Policy
- Remote Access Internet & Email Policy
- Code of Practice Portable Computer Media
- IT User Guides
- IT Disposal Procedure
- New Ways of Working policies
- Document Retention and Disposal Policy
- Records Management Policy

Appendix A: Data Breach Procedure flowchart

This flowchart shows the important steps involved in handling a Data Breach. The key people who should be kept informed in every breach are:
- Information Governance Officer (DP and FOI), Information and Governance, Support Services
- The Data Controllers
- Corporate Director Support Services
- Caldicott Guardians
- ICT Manager
- Communications Team

Flowchart steps (text rendering of the diagram):

1. Breach suspected: report to Direct Line Manager.

2. Line Manager assesses risk. Confidential data loss?
   - No: report to Information Governance Officer (DP & FOI) and Group Manager - ICT. Recommend and agree future controls for ICT/Data Protection (including mandatory DP training for staff). Line Manager implements controls. End.
   - Yes: go to step 3.

3. External loss?
   - No: report to Information Governance Officer (DP & FOI) and to Group Manager - ICT. Contain the breach: 1. Provide direction to staff. 2. Suspend internet service. 3. Suspend email service. 4. Retrieve source of loss. 5. Update anti-virus. 6. Apply IT patches. 7. Kill Blackberry. Then: 1. Delete instances of data. 2. Report to Head of Service. 3. Recommend future controls as above. End.
   - Yes: report to IGO (DP & FOI), who becomes the Single Point of Contact (SPOC). Breach reported to: CEO / Directors; Corporate Director Support Services; Data Controllers; Caldicott Guardian (if necessary). Go to step 4.

4. Data encrypted?
   - Yes: 1. Manage PR (Comms Team). 2. Source of leakage found. 3. Recommend future controls. 4. Implement controls. End.
   - No: evaluate the source of loss: can further loss be prevented? Act on loss prevention options: suspend internet service; suspend email service; retrieve source of loss; update anti-virus; apply IT patches; kill Blackberry; possible staff suspension (involve HR). Information Commissioner's Office contacted by IGO (DP&FOI) after discussion with Corporate Director Support Services. Then: 1. Manage PR (Comms Team). 2. Source of leakage found. 3. Recommend future controls. 4. Implement controls. 5. Review any lessons learned and address them. End.
