The ICO defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. This also means that a breach is about more than just losing personal data.
Recording a breach
In accordance with guidance from the ICO (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/), we will keep a record of any personal data breaches.
Procedure and timing
Should a breach occur, our Senior Information Rights Owner (SIRO) will investigate the likelihood and severity of any risk to people’s rights and freedoms. If there is a risk, we will notify the ICO; if a risk is unlikely, we may choose not to report the breach, in accordance with guidance offered by the ICO.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we will also notify those affected individuals as soon as possible.
All breaches that need to be reported will be reported to the ICO within 72 hours.
Should we need to notify affected individuals, this will take place as soon as possible after reporting to the ICO.