Data Protection and Information Security
Procedure for reporting a breach of data security
April 2013
Page 1 of 6 Created on: 01/04/2009
Contents
1 Introduction ... 3
2 Data Classification ... 3
3 What Is a Data Breach? ... 4
4 Consequences of a Breach ... 5
5 Discovering a Breach ... 5
6 Reporting a Breach ... 5
7 Preventing a Recurrence and Restoration of Service ... 6
8 Further Reading ... 6
9 For further information ... 6
1 Introduction

The University processes personal data relating to its staff, students and other individuals (alumni, applicants etc.) in order to carry out its legitimate business activities. Use of personal data is governed by the UK Data Protection Act 1998 (the Act), which sets out obligations with regard to personal data and the requirement to keep personal data secure at all times. All University staff have a responsibility for ensuring the security of personal data and should be vigilant to any breaches. This procedure outlines the process for reporting breaches of data security.

2 Data Classification

In the terms of the DPA, data is information relating to an individual where the structure of the data allows information about the individual to be readily accessed. The information may be in the form of paper records or in a variety of electronic media (e.g. held on computer, CCTV, DVD etc.). Data is classified into two parts.

Personal Data

Personal data includes any information from which a living individual (the data subject) can be identified (e.g. name, address, contact details, photographs), either on its own or together with other information that might come into someone's possession. It covers both facts and opinions about the individual. Personal data will include information about staff, students, alumni or anyone else with whom the University may have dealings in the course of business or professional activities.

Personal data applies where:
- The individual is the focus of a document.
- The data relates specifically to the individual.
- The data includes significant biographical information, facts or opinions.
- The data affects the individual's privacy, be that personally or professionally.

Personal data does not include instances where an individual is merely named within a document that does not relate directly to them. For example:
The names of students in the minutes of an exam board would be considered personal data, as the meeting would be directly discussing their individual performance, whilst the names of staff members attending the meeting would not.

Sensitive Personal Data

Sensitive personal data forms a subset of personal data that has the potential to cause an individual harm or distress should it be obtained and used illegally, and therefore requires stricter controls when processing. Sensitive data is anything that refers to an individual's:
(a) Racial or ethnic origin
(b) Political opinions or persuasion
(c) Religious beliefs or other beliefs of a similar nature
(d) Trade union membership or affiliation
(e) Physical or mental health or condition
(f) Sexual life
(g) Commission or alleged commission of offences
(h) Any proceedings for any offence, committed or alleged, including any sentencing decisions made by the Court

The University also classes personal financial information as sensitive data.

3 What Is a Data Breach?

A breach of data security occurs where established security fails or where unauthorised or unintentional access to personal data is gained. Breaches are not limited to electronic information. Breaches can happen for a variety of reasons including, but not limited to:
- Insufficient or inappropriate access controls enabling unauthorised users access to data, including unexpected enabling of access
- System failure: unexpected loss of security protocols
- Physical storage areas left unlocked
- Physical records left unattended
- Human error: inadvertent disclosure of data, or disclosure of too much information
- Disclosure through deception, where an individual "blags" access
- Theft or accidental loss of data held on an electronic device (laptop, mobile phone, USB) or in paper records
- Malicious attempts to access data: hacking systems, accessing data through unattended PCs
4 Consequences of a Breach

The individual(s) to whom the data relates could become victims of identity theft or fraud, or they could become severely distressed by the disclosure, especially where the information has the ability to cause harm. They would have the right to complain to the Information Commissioner's Office (ICO), which regulates compliance with the Act. Some individuals could potentially sue the University. The ICO has the power of investigation and to impose penalties on any organisation found to have breached the Act. Penalties can include enforcement notices, where the offending organisation agrees to undertake improvement measures, or monetary fines up to a maximum of £500K. A breach also has the potential to affect the University's reputation, which could cause immeasurable damage.

5 Discovering a Breach

5.1 Any member of staff could discover a data breach at any time, including out of hours.
5.2 Where a breach is discovered, it is important to deal with it both immediately and appropriately. This may vary depending on the nature of the breach, when the breach occurs or the circumstances of the individual making the discovery.
5.3 Where possible, staff should contain the breach, even if to do so would result in a temporary loss of service.

6 Reporting a Breach

6.1 Individuals must report the breach to:
- The senior member of staff within their working area or the area in which the breach has occurred
- The University Records and Information Manager, who is responsible for Data Protection, or during out of hours periods, University Security
- In the case of an electronic data breach, the Director of IT Services or, during out of hours periods, the IT helpline
- In the event of theft when away from the University, the police should be notified of the theft

6.2 The University Records and Information Manager will consult with the relevant individuals to immediately establish:
- The nature of the breach: what data has been affected and how the breach has occurred
- What immediate actions can be or have been taken to contain it
- The number of individuals affected

6.3 The University Records and Information Manager will then report the established facts to the Head of Governance and the IT Director (where applicable) to consider the breach under the University Reportable Incidents Policy and whether there is a requirement to inform the Information Commissioner's Office and the individuals to whom the data relates.

7 Preventing a Recurrence and Restoration of Service

7.1 The Records and Information Manager will liaise with the appropriate staff in the area in which the breach occurred and, where relevant, the Director of IT Services, to ensure that appropriate technical measures have been taken to prevent another breach.
7.2 Associated processes and procedures are to be reviewed to ensure that effective remedial measures have been taken to prevent another breach.
7.3 Additional Data Protection training is to be given where appropriate.
7.4 Once all parties are agreed that processing can resume, the system will be restored.
7.5 The system is to be monitored for an agreed period to monitor compliance with the Act.

8 Further Reading

Associated Policies: University's Data Protection Code of Practice: Security of Personal Data
Associated Guidance: Information Services: Introduction to Information Security
Associated Legislation: Data Protection Act 1998 (the Act)

9 For further information

Duncan James, Records and Information Manager. Ext. 7357. Duncan.james@northumbria.ac.uk