3.1.8 Data Breach

If any individual across the Partnership becomes aware of a security breach, or a breach of confidence, in relation to the information sharing that takes place across the SSCP and partner organisations, the individual with responsibility for the area of activity in which the breach occurred shall:


  • immediately inform the relevant data controller for the information that a breach has occurred
  • immediately investigate the cause, effect and extent of the breach
  • report the results of the investigation to the other organisation/data controller without delay
  • use all reasonable efforts to rectify the cause of the breach.


Personal Data Breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers breaches arising from both accidental and deliberate causes; a breach is therefore more than just the loss of personal data.


A personal data breach will have occurred whenever any personal data is accidentally lost, destroyed, corrupted or incorrectly disclosed, or if someone accesses the data or passes it on without proper authorisation, or if the data is made unavailable and this unavailability has a significant negative effect on individuals.


The UK General Data Protection Regulation (UK GDPR) places a duty on all organisations to report certain personal data breaches to the relevant supervisory authority (in the UK, the Information Commissioner's Office, the ICO). They must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to individuals' rights and freedoms, organisations must also inform those individuals without undue delay.


Organisations must have robust breach detection, investigation and internal reporting procedures in place. These support decision-making about whether or not there is a need to notify the relevant supervisory authority, the affected individuals, or both. The procedures should also include guidance for individuals who believe a personal data breach may have occurred. Organisations must take all reports of potential data breaches seriously and must keep a record of every personal data breach, regardless of whether they are required to notify. The UK GDPR requires that, once a potential breach has been identified, organisations quickly establish whether a personal data breach has actually occurred and, if so, promptly take steps to address it.


Reporting to the ICO

A data breach must be reported to the ICO if it is likely to result in a risk to individuals' rights and freedoms (i.e. whether the breach is likely to cause them difficulty or harm). If such a risk is likely, the organisation must notify the ICO; if it is unlikely, the breach does not have to be reported. However, an organisation that decides not to report a breach may still be required to justify that decision, so it should document the decision and the reasoning behind it.

To report a breach:

Report a breach | ICO

Further Guidance—Personal Data Breaches for Organisations: Personal data breaches | ICO

This page is correct as printed on Sunday 19 May 2024 at 06:41:07 AM; please refer back to this website (http://seftonscp.procedures.org.uk) for updates.