Camber House Ltd and Johnrogerson.com (“we”/”us”) have this procedure is in place to provide a standardised response to any reported data breach incident, and ensure that data breaches are appropriately logged and managed in accordance with the law and best practice.
This procedure applies in the event of a personal data breach and applies to all employees of Camber House Ltd at all times and whether located within the physical offices or not
The document applies to all information we hold and all information technology systems utilised by us.
- All employees/Staff, contractors or temporary employees/staff and third parties working for or on behalf of us are required to be aware of, and to follow this procedure in the event of a personal data
- All Employees/Staff, contractors or temporary personnel are responsible for reporting any personal data breach to sally de waard who’s contact details are as follows: firstname.lastname@example.org
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Examples include:
- Loss or theft of data or equipment on which data isstored
- Access by an unauthorised thirdparty
- Sending personal data to an incorrectrecipient
- Alteration of personal data withoutpermission
- Loss of availability of personal data such as equipmentfailure
- Unforeseen circumstances such as a fire orflood
- ‘Blagging’ offences where information is obtained by deceit for the purposes of this procedure data security breaches include both confirmed and suspected
*If you suspect a data breach or are unsure whether the incident which has occurred constitutes a data breach please refer the matter to Matt Rogerson for consideration*
5. Reporting anincident
- Any individual who accesses, uses or manages information within our business is responsible for reporting data breach and information security incidents immediately to Sally de Waard.
- If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is
- The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, the nature of the information, and how many individuals are involved.
- Matt Rogerson will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the
- An initial assessment will be made by Matt Rogerson in liaison with relevant persons (which may include IT services) to establish the severity of the breach and who will take the lead investigating the breach (this will depend on the nature of the breach).
- An investigation will be undertaken immediately and wherever possible within 24 hours of the breach being discovered/reported.
- Matt Rogerson will investigate the risks associated with the breach, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to
- Matt Rogerson will then establish whether there is anything that can be done to recover any losses and limit the damage the breach could
- Matt Rogerson will identify who may need to be notified. The relevant procedures from those identified below will then be followed. Every incident will be assessed on a case by case basis.
7. Procedure – Breach notification data processor to datacontroller
- Camber House Ltd must report any personal data breach or security incident to the data controller without undue delay.
- The breach notification should be made by email or phone
- A confirmation of receipt of this information should be requested and made by email or phone call.
8. Procedure – Breach notification data controller to supervisory authority
- Matt Rogerson will determine if the supervisory authority (the Information Commissioner’s
Office (ICO) in the UK) need to be notified in the event of a breach.
- If the breach affects individuals in different EU countries, the ICO may not be the lead supervisory authority. Matt Rogerson will also need to establish which European data protection agency would be the lead supervisory authority for the processing activities that have been subject to the
- We will assess whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach, by conducting an investigation and/or an impact assessment. If we decide that we do not need to report the breach to the ICO we will justify and document our
- If a risk to data subject(s) is likely, Matt Rogerson will report the personal data breach to the ICO without undue delay, and not later than 72 hours after becoming aware of
- If the data breach notification to the ICO is not made within 72 hours, Matt Rogerson will submit notification electronically with a justification for the communication.
- If it is not possible to provide all of the necessary information at the same time we will provide the information in phases without undue further
- The following information needs to be provided to the supervisory authority:
- A description of the nature of the
- The categories of personal data
- Name and contact details of Matt Rogerson.
- Likely consequences of the
- Any measures taken to address the
- Any information relating to the data
- Approximate number of data subjects
- Approximate number of personal data records
- The breach notification should be made via email. If they are still investigating and will be able to provide more information at a later date or if they are confident that the breach has been dealt with
- In the event the ICO assigns a specific contact in relation to a breach, these details are recorded in the Internal Breach
9. Procedure – Breach notification data controller to datasubject
- If the personal data breach is likely to result in high risk to the rights and freedoms of the data subject, Camber house will notify those/the data subjects affected without undue delay and in accordance with Matt Rogerson
In any event Matt Rogerson will document their decision-making process.
- We will describe the breach in clear and plain language.
- The data controller takes subsequent measures to ensure that any risks to the rights and freedoms of the data subjects are no longer likely to
- If the breach affects a high volume of data subjects and personal data records, we will make a decision based on assessment of the amount of effort involved in notifying each data subject individually, and whether it will hinder our ability to appropriately provide the notification within the specified time frame. In such a scenario a public communication or similar measure informs those affected in an equally effective manner and will be considered by Matt Rogerson.
- If we have not notified the data subject(s), and the supervisory authority considers the likelihood of a data breach will result in high risk, Camber House will communicate the data breach to the data subject by email
- We will document any personal data breach(es) within the Data Breach Register, incorporating the facts relating to the personal data breach, its effects and the remedial action(s)
10. Documentation requirements
Internal breach register: there is an obligation for us to document each incident “comprising the facts relating to the personal data breach, its effects and the remedial action taken”.
- Once the initial incident is contained, Matt Rogerson will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be
- Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents.
- The review will consider various points, including but not limited to:
- Where and how personal data is held and where and how it is stored
- Where the biggest risks lie, and will identify any further potential weak points within its existing measures
- Whether methods of transmission are secure; sharing minimum amount of data necessary Identifying weak points within existing security measures
- Staff awareness