BRASS Personal Data Breach Policy
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. BRASS must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, BRASS will also inform those individuals without undue delay.
BRASS will ensure we have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not we need to notify the relevant supervisory authority and the affected individuals.
BRASS will keep a record of any personal data breaches, regardless of whether we are required to notify.
In brief - What is a personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Personal data breaches can include:
access by an unauthorised third party;
deliberate or accidental action (or inaction) by a controller or processor;
sending personal data to an incorrect recipient;
computing devices containing personal data being lost or stolen;
alteration of personal data without permission; and
loss of availability of personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
Recital 87 of the GDPR makes clear that when a security incident takes place, BRASS should quickly establish whether a personal data breach has occurred and, if so, promptly take steps to address it, including telling the ICO if required.
What breaches do we need to notify the ICO about?
When a personal data breach has occurred, BRASS will establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then BRASS will notify the ICO; if it’s unlikely then BRASS will not report it. However, if BRASS decides we don’t need to report the breach, BRASS must be able to justify this decision and document it.
In assessing risk to rights and freedoms, it’s important to focus on the potential negative consequences for individuals. Recital 85 of the GDPR explains that:
“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
This means that a breach can have a range of adverse effects on individuals, which include emotional distress, and physical and material damage. Some personal data breaches will not lead to risks beyond possible inconvenience to those who need the data to do their job. Other breaches can significantly affect individuals whose personal data has been compromised. BRASS will assess this case by case, looking at all relevant factors.
So, on becoming aware of a breach, BRASS will try to contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen.
What role do our processors have?
BRASS uses a Data Processor to back up our data. If this processor suffers a breach, then under Article 33(2) it must inform BRASS without undue delay as soon as it becomes aware.
Example from ICO
Your organisation (the controller) contracts an IT services firm (the processor) to archive and store customer records. The IT firm detects an attack on its network that results in personal data about its clients being unlawfully accessed. As this is a personal data breach, the IT firm promptly notifies you that the breach has taken place. You in turn notify the ICO.
This requirement allows BRASS to take steps to address the breach and meet our breach-reporting obligations under the GDPR.
The requirements on breach reporting should be detailed in the contract between BRASS and our processor, as required under Article 28. For more details about contracts, please see the ICO’s draft GDPR guidance on contracts and liabilities between controllers and processors.
How much time do we have to report a breach?
BRASS must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If BRASS takes longer than this, we must give reasons for the delay.
Section II of the Article 29 Working Party Guidelines on personal data breach notification gives more details of when a controller can be considered to have “become aware” of a breach.
What information must a breach notification to the supervisory authority contain?
When reporting a breach, the GDPR requires that BRASS provide:
a description of the nature of the personal data breach including, where possible:
the categories and approximate number of individuals concerned; and
the categories and approximate number of personal data records concerned;
the name and contact details of the data protection officer (if BRASS has one) or other contact point where more information can be obtained;
a description of the likely consequences of the personal data breach; and
a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
What if we don’t have all the required information available yet?
The GDPR recognises that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So Article 34(4) allows BRASS to provide the required information in phases, as long as this is done without undue further delay.
However, the ICO expects controllers to prioritise the investigation, give it adequate resources, and expedite it urgently. BRASS must still notify the ICO of the breach when BRASS becomes aware of it, and submit further information as soon as possible. If BRASS knows we won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to the ICO and tell them when we expect to submit more information.
You detect an intrusion into your network and become aware that files containing personal data have been accessed, but you don’t know how the attacker gained entry, to what extent that data was accessed, or whether the attacker also copied the data from your system.
You notify the ICO within 72 hours of becoming aware of the breach, explaining that you don’t yet have all the relevant details, but that you expect to have the results of your investigation within a few days. Once your investigation uncovers details about the incident, you give the ICO more information about the breach without delay.
How do we notify a breach to the ICO?
To notify the ICO of a personal data breach, see the ICO pages on reporting a breach.
When do we need to tell individuals about a breach?
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR says BRASS must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO. Again, BRASS will need to assess both the severity of the potential or actual impact on individuals as a result of a breach and the likelihood of this occurring. If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, BRASS will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.
A hospital suffers a breach that results in an accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.
A university experiences a breach when a member of staff accidentally deletes a record of alumni contact details. The details are later re-created from a backup. This is unlikely to result in a high risk to the rights and freedoms of those individuals. They don’t need to be informed about the breach.
If BRASS decides not to notify individuals, we will still need to notify the ICO unless we can demonstrate that the breach is unlikely to result in a risk to rights and freedoms. BRASS is aware that the ICO has the power to compel us to inform affected individuals if it considers there is a high risk. In any event, BRASS should document our decision-making process in line with the requirements of the accountability principle.
What information must we provide to individuals when telling them about a breach?
BRASS needs to describe, in clear and plain language, the nature of the personal data breach and, at least:
the name and contact details of our data protection officer (if BRASS has one) or other contact point where more information can be obtained;
a description of the likely consequences of the personal data breach; and
a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Does the GDPR require us to take any other steps in response to a breach?
BRASS will record all breaches, regardless of whether or not they need to be reported to the ICO.
Article 33(5) requires BRASS to document the facts relating to the breach, its effects and the remedial action taken. This is part of our overall obligation to comply with the accountability principle, and allows the ICO to verify BRASS’s compliance with its notification duties under the GDPR.
As with any security incident, BRASS will investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented – whether this is through better processes, further training or other corrective steps.