Legislative framework

There are eight Data Protection Principles contained in the data protection Act 1998 and the General Data Protection Regulation 2018 which must be complied with when processing personal data.  Failure to comply with any of these Principles is a breach of Data Protection.

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

(a) at least one of the legal bases in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This policy is concerned with the seventh Data Protection Principle: ‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

Examples of a breach of this Principle would include:

• personal data accidentally being sent to someone (either internally or externally) who does not have a legitimate need to see it;
• databases containing personal data being compromised, for example;

• being illegally accessed by individuals outside the CCS;
• loss or theft of laptops, mobile devices, or paper records containing personal data;

• paper records containing personal data being left unprotected for anyone to see, for example:-

— files left out when the owner is away from their desk and at the end of the day;

— papers not properly disposed of in secure disposal bins that can then be extracted or seen by others;

— papers left at photocopying machines;

• staff accessing or disclosing personal data outside the requirements or authorisation of their job;
• being deceived by a third party into improperly releasing the personal data of another person; and the loss of personal data due to unforeseen circumstances such as a fire or flood.

A data breach relates to the loss of personal data and should be notified following the procedure described below. A security breach relates to the loss of equipment containing personal data. Where a security breach has been notified that also involves personal data staff must also follow the data breach policy.

Action to be taken in the event of a data breach

On discovery of a data breach the following actions should be taken:-

• Contact your Data Protection Officer who has 72 hours to contact Information Commission Officer if reportable
• Containment and recovery
• Assessing the risk – and notifying the individuals it is relating to if appropriate.
• Evaluation and response by CCS management Team

Containment and recovery

Who is responsible for action? – The individual committing the breach and their line manager.  On discovery of a data breach the individual must notify their line manager as soon as possible who will then be required to contact the DPO, senior management and Board of Trustees.

Action to be taken

The immediate priority is to contain the breach and limit its scope and impact.

Where personal data has been sent to someone not authorised to see it staff should:

• tell the recipient not to pass it on or discuss it with anyone else;
• tell the recipient to destroy or delete the personal data they have received and get them to confirm in writing that they have done so;
• warn the recipient of any implications if they further disclose the data, and inform the data subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.

The line manager responsible for the staff member, volunteer/trustee where the breach occurred must be notified and they must immediately report it to the DPO and provide the following information:

• date and time of the breach;
• date and time breach detected;
• who committed the breach;
• details of the breach;
• number of data subjects involved; and
• details of actions already taken in relation to the containment and recovery.

Assessing the risk

The DPO is responsible for assessing the risk and whether it needs reporting to ICO and any remedial action. The subsequent report will follow the ICO’s guidance on Breach Management and will consider the following:

• How the breach occurred.
• The type of personal data involved.
• The number of data subjects affected by the breach.
• Who the data subjects are.
• The sensitivity of the data breached.
• What harm to the data subjects can arise? For example, are there risks to physical safety, reputation or financial loss?
• What could happen if the personal data is used inappropriately or illegally?
• For personal data that has been lost or stolen, are there any protections in place such as encryption?
• Notifying the ICO

Responsibility for notifying the ICO rests with the DPO. They will complete a breach notification form.

Responsibility

Overall responsibility for this policy lies with the CCS Board of Directors / Trustees and its implementation with the Senior Management Team.

Review

This policy is reviewed every two years and updated as required.