Security Incident Policy
This policy specifies the actions to be taken with respect to breaches of personal data. It should be read in conjunction with Little Smeaton Parish Council’s Data Protection Policy.
2. What is a breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Personal data breaches can include:
• Access by an unauthorised third party.
• Deliberate or accidental action (or inaction) by a controller or processor.
• Sending personal data to an incorrect recipient.
• Computing devices containing personal data being lost or stolen.
• Alteration of personal data without permission, and loss of availability of personal data.
3. Dealing with an Incident
On discovery of an incident, either as a result of automatic notification, accidental discovery, manual record checking or any other means, the incident will be reported to the Chairman and the Clerk of the Parish Council by email.
The email will be followed up by a telephone call to the Chairman, or, if unavailable, to the Vice Chairman.
The Chairman (or Vice Chairman) will:
• Note the time, date and nature of the incident together with a description and as much detail as appropriate on an Incident Response Form (Appendix A)
• Ensure the protection of any evidence and that a documented chain of evidence is maintained
• Liaise with relevant authorities, individuals and the media where appropriate
• Keep a note of all communications together with names, date, time, and content on the Incident Response Form (Appendix A)
4. Incident Response Plan
a) Assess the risk to individuals as a result of a breach. The following should be considered:
• The categories and approximate number of individuals concerned
• The categories and approximate number of personal data records concerned
• The likely consequences of the personal data breach, in particular consider if the impact results in a risk to the rights and freedoms of individuals
To help assess the risks refer to the Information Commissioner's Office (ICO) website: ico.org.uk.
b) If the incident is deemed to be a notifiable incident, within 72 hours of becoming aware call ICO (0303 123 1113) and provide the following information:
• What has happened
• When and how the Council found out about the breach
• How many people have been, or may have been, affected by the breach
• What the Council is doing as a result of the breach
• Who else has been told
To report a breach outside normal working hours use the ICO Reporting Form found on their website.
c) If the incident is deemed to result in a high risk to the rights and freedoms of individuals, the affected individuals must be informed within 48 hours about the incident, as there may be a need for them to take actions to mitigate any immediate risk or damage.
The individuals must be told in clear plain language:
• The nature of the personal data breach
• A description of the likely consequences of the personal data breach
• A description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures to mitigate any possible adverse effects
• The name and contact details of the Clerk and Chairman from where more information can be obtained
d) If the incident is not deemed to be notifiable the Chairman (or Vice Chairman) should:
• Update the Incident Response Form along with the outcome of the risk assessment
• Include the steps and evidence used to identify and classify the risk. Include reasons why the incident is not deemed to result in a risk to the rights and freedoms of individuals
e) The Chairman (or Vice Chairman) and Clerk will ensure that the incident is reviewed at the next appropriate Parish Council meeting:
• The Council will consider whether discussion of the incident warrants exclusion of the press and public from the meeting during that discussion
• At that meeting the Council should determine if there are any further actions that need to be assigned or completed as a result of the incident
• The Council may decide to refer further actions to a committee, working group or external parties
• It should be noted that this final stage of the incident may require a review of this policy document