Data Breach Procedure

 CC2 School Data Breach Procedure

Important Note

This procedure has been produced based on current General Data Protection Regulations (GDPR) information. As further updates are released this procedure may be updated to reflect the changes.

Version History  
Version Date Detail Minute Number
1.0 Approved by Governors

  Review frequency: Yearly

Data Protection – Data Breach Procedure for Norbury CE Primary School

 The GDPR will apply in the UK from 25 May 2018

The following is a sample data protection breach procedure for schools to be adapted as required. It has been written to be included as an Annex/Appendix to the School’s Data Protection Policy.

Policy Statement

Norbury CE Primary School holds large amounts of personal and sensitive data. Every care is taken to protect personal data and to avoid a data protection breach. In the event of data being lost or shared inappropriately, it is vital that appropriate action is taken to minimise any associated risk as soon as possible. This procedure applies to all personal and sensitive data held by Norbury CE Primary School and all school staff, Governors, volunteers and contractors, referred to herein after as ‘staff’.

Purpose

This breach procedure sets out the course of action to be followed by all staff at Norbury CE Primary School if a data protection breach takes place.

Legal Context

Article 33 of the General Data Protection Regulations

Notification of a personal data breach to the supervisory authority

  • In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  • The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  • The notification referred to in paragraph 1 shall at least:

(a)       describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b)       communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c)       describe the likely consequences of the personal data breach;

(d)       describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

  • Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  • The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Types of Breach

Data protection breaches could be caused by a number of factors. A number of examples are shown below:

  • Loss or theft of pupil, staff or governing body data and/ or equipment on which data is stored;
  • Inappropriate access controls allowing unauthorised use;
  • Equipment Failure;
  • Poor data destruction procedures;
  • Human Error;
  • Cyber-attack;
  • Hacking.

Managing a Data Breach

In the event that the School identifies or is notified of a personal data breach, the following steps should followed:

  1. The person who discovers/receives a report of a breach must inform the Head Teacher or, in their absence, either the Deputy Head Teacher and/or the School’s Data Protection Officer (DPO). If the breach occurs or is discovered outside normal working hours, this should begin as soon as is practicable.
  2. The Head Teacher/DPO (or nominated representative) must ascertain whether the breach is still occurring. If so, steps must be taken immediately to minimise the effect of the breach. An example might be to shut down a system, or to alert relevant staff such as the IT technician.
  3. The Head Teacher/DPO (or nominated representative) must inform the Chair of Governors as soon as possible. As a registered Data Controller, it is the school’s responsibility to take the appropriate action and conduct any investigation.
  4. The Head Teacher/DPO (or nominated representative) must also consider whether the Police need to be informed. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future. In such instances, advice from the School’s legal support should be obtained.
  5. The Head Teacher/DPO (or nominated representative) must quickly take appropriate steps to recover any losses and limit the damage. Steps might include:

Attempting to recover lost equipment.

Contacting the relevant County Council Departments, so that they are prepared for any potentially inappropriate enquiries (‘phishing’) for further information on the individual or individuals concerned.

Consideration should be given to a global email to all school staff. If an inappropriate enquiry is received by staff, they should attempt to obtain the enquirer’s name and contact details if possible and confirm that they will ring the individual, making the enquiry, back. Whatever the outcome of the call, it should be reported immediately to the Head Teacher/DPO (or nominated representative).

Contacting the County Council’s Communications Division if part of the crisis service, so that they can be prepared to handle any press enquiries. The Council’s Senior Communications Officer can be contacted by telephone on (01629) 538234.

The use of back-ups to restore lost/damaged/stolen data.

If bank details have been lost/stolen, consider contacting banks directly for advice on preventing fraudulent use.

If the data breach includes any entry codes or IT system passwords, then these must be changed immediately and the relevant agencies and members of staff informed.

Investigation

In most cases, the next stage would be for the Head Teacher/DPO (or nominated representative) to fully investigate the breach. The Head Teacher/DPO (or nominated representative) should ascertain whose data was involved in the breach, the potential effect on the data subject and what further steps need to be taken to remedy the situation. The investigation should consider:

  • The type of data;
  • Its sensitivity;
  • What protections were in place (e.g. encryption);
  • What has happened to the data;
  • Whether the data could be put to any illegal or inappropriate use;
  • How many people are affected;
  • What type of people have been affected (pupils, staff members, suppliers etc) and whether there are wider consequences to the breach.

A clear record should be made of the nature of the breach and the actions taken to mitigate it. The investigation should be completed as a matter of urgency due to the requirements to report notifiable personal data breaches to the Information Commissioner’s Office. A more detailed review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.

Notification

Some people/agencies may need to be notified as part of the initial containment. However, the decision will normally be made once an initial investigation has taken place. The Head Teacher/DPO (or nominated representative) should, after seeking expert or legal advice, decide whether anyone is notified of the breach. In the case of significant breaches, the Information Commissioner’s Office (ICO) must be notified within 72 hours of the breach. Every incident should be considered on a case by case basis.

When notifying individuals, give specific and clear advice on what they can do to protect themselves and what the School is able to do to help them. You should also give them the opportunity to make a formal complaint if they wish (see the School’s Complaints Procedure). The notification should include a description of how and when the breach occurred and what data was involved. Include details of what you have already done to mitigate the risks posed by the breach

Review and Evaluation

Once the initial aftermath of the breach is over, the Head Teacher/DPO (or nominated representative) should fully review both the causes of the breach and the effectiveness of the response to it. It should be reported to the next available Senior Management Team and Full Governors meeting for discussion. If systemic or ongoing problems are identified, then an action plan must be drawn up to put these right. If the breach warrants a disciplinary investigation, the manager leading the investigation should liaise with Human Resources or Internal Audit for advice and guidance. This breach procedure may need to be reviewed after a breach or after legislative changes, new case law or new guidance.

Implementation

The Head Teacher/DPO should ensure that staff are aware of the School’s Data Protection policy and its requirements including this breach procedure. This should be undertaken as part of induction, supervision and ongoing training. If staff have any queries in relation to the School’s Data Protection policy and associated procedures, they should discuss this with their line manager, DPO or the Head Teacher.