Step 12: Responding to a breach
The Trustee Board is responsible for the security, integrity and confidentiality of all the data it holds. The Trustee Board is also obliged under GDPR to keep personal data safe and secure and respond promptly and appropriately to any data security breaches. Although all adult volunteers have a responsibility for the information they generate, manage, transmit and use in line with GDPR, it is the Trustee Board’s legal duty to secure personal and confidential data at all times.
Any person who knows or suspects that a breach of data security has occurred should report the breach immediately according to their Scout Unit’s Data Breach Response Plan. We have included some concepts that you may wish to include in your Local Data Breach Response Plan.
It is vital that prompt action is taken in the event of any actual, potential or suspected breach of data security or confidentiality, to avoid the risk of harm to young people or adult volunteers, damage to the Scouts' operations, and severe financial, legal and reputational costs to the Movement as a whole.
What is a personal data breach?
A data breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by the Local Scout Unit in any format. Personal data security breaches can happen for a number of reasons, including:
- The disclosure of confidential data to unauthorised individuals
- The loss or theft of portable devices or equipment containing identifiable personal, confidential or sensitive data, e.g. PCs, USB drives, mobile phones, laptops, disks, etc.
- The loss or theft of paper records
- Inappropriate access controls allowing unauthorised use of information
- A suspected breach of IT security
- Attempts to gain unauthorised access to computer systems, e.g. hacking
- Records altered or deleted without authorisation from the data ‘owner’
- Viruses or other security attacks on IT equipment, systems or networks
- Breaches of physical security, e.g. forcing of doors or windows into a secure room, or of a filing cabinet, containing confidential information
- Confidential information left unlocked in accessible areas
- The insecure disposal of confidential paper waste
- Leaving IT equipment unattended when logged in to a user account without locking the screen to stop others accessing information
- The publication of confidential data on the internet in error, or the accidental disclosure of passwords
- Misdirected emails or faxes containing identifiable personal, confidential or sensitive data
How to respond to a data breach
In line with best practice, these five steps should be followed when responding to a data breach:
- Identification and initial assessment
- Containment and recovery
- Risk Assessment
- Notification
- Evaluation and response
To assist this process a Data Breach Notification Form is available. This form will help the Trustee Board to conduct an initial assessment of the incident by establishing if a personal data breach has taken place, and if so:
- What personal data is involved in the breach
- The cause of the breach
- The extent of the breach, i.e. how many individuals are affected
- The harms to affected individuals that could potentially be caused by the breach
- How the breach can be contained
Using this initial assessment, the Trustee Board can determine the severity of the incident and decide whether it can be managed and controlled locally or whether it must be escalated to the Information Commissioner’s Office (ICO).
Once it has been established that a data breach has occurred, the Trustee Board needs to take immediate and appropriate action to limit the breach:
- Establish who within the Local Scout Unit needs to be made aware of the breach and inform them of what they are expected to do to contain the breach (for example finding a lost piece of equipment, requesting deletion and confirmation of an email from the wrong recipient, isolating/closing a compromised section of the network, etc)
- Establish whether there is anything that can be done to recover any losses and limit the damage the breach can cause (for example physical recovery of equipment/records, the use of back-ups to restore lost/damaged data)
- Establish if it is appropriate to notify affected individuals immediately (for example where there is a high level of risk of serious harm to individuals)
- Where appropriate (for example in cases involving theft or other criminal activity), inform the police.
In assessing the risk arising from a data breach, the relevant Trustee Board is required to consider the potential adverse consequences for individuals, i.e. how likely adverse consequences are to materialise and, if they do, how serious or substantial they are likely to be. The information provided on the Data Breach Notification Form will help with this stage.
The Trustee Board should review the incident report to:
- Assess the risks and consequences of the breach:
  - Risks for individuals:
    - What are the potential adverse consequences for individuals?
    - How serious or substantial are these consequences?
    - How likely are they to happen?
  - Risks for the Local Scout Unit or Country:
    - Strategic and operational
    - Compliance/legal
    - Financial
    - Reputational
- Consider what type of data is involved and how sensitive it is. Were there any protections such as encryption? What has happened to the data? If data has been stolen it could be used for purposes which are harmful to the individuals to whom the data relate; if it has been damaged, this poses a different type and level of risk.
- Consider how many individuals’ personal data are affected by the breach. The bigger risks do not necessarily arise from the loss of large amounts of data, but the number of individuals affected is certainly an important determining factor in the overall risk assessment.
- Consider the individuals whose data has been breached. Whether they are young people or adult volunteers will to some extent determine the level of risk posed by the breach and, therefore, the actions needed to mitigate those risks.
- Consider what harm can come to the affected individuals. Are there risks to physical safety or reputation, risks of financial loss, or a combination?
- Consider whether there are wider consequences, such as a loss of public confidence in Scouting as a whole.
- Determine, where appropriate, what further remedial action should be taken on the basis of the incident report to mitigate the impact of the breach and prevent repetition.
The Trustee Board should prepare an incident report setting out (where applicable):
- A summary of the security breach
- The people involved in the security breach (such as young people, adult volunteers)
- Details of the information, IT systems, equipment or devices involved in the security breach and any information lost or compromised as a result of the incident
- How the breach occurred
- Actions taken to resolve the breach
- Impact of the security breach
- Unrealised, potential consequences of the security breach
- Possible courses of action to prevent a repetition of the security breach
- Side effects, if any, of those courses of action
- Recommendations for future actions and improvements in data protection as relevant to the incident
The incident report will then be used to update the risk registers at the appropriate levels where necessary. Any significant risks will be reported and managed via the Risk Register.
We have provided a template Risk Register.
On the basis of the evaluation of risks and consequences the Trustee Board, and others involved in the incident as appropriate, will determine whether it is necessary to notify the breach to others outside the Local Scout Unit. For example:
- Parents
- Individuals (data subjects) affected by the breach
- The Information Commissioner’s Office
- Police
- The press/media via the UK HQ media team
- Insurers
- Bank or credit card companies
- External legal advisers
- Other regulatory bodies such as the Charity Commission
As well as deciding who to notify, the Trustee Board must consider:
- What is the message that needs to be communicated?
  In each case, the notification should include as a minimum:
  - A description of how and when the breach occurred;
  - What data was involved; and
  - What action has been taken to respond to the risks posed by the breach.
  When notifying individuals, the Trustee Board should give specific and clear advice on what steps they can take to protect themselves, what the Local Scout Unit is willing to do to assist them, and details of how they can contact the Trustee Board for further information.
- How should the message be communicated?
  What is the most appropriate method of notification? For example: are there large numbers of people involved? Does the breach involve sensitive data? Is it necessary to write to each individual affected? Is it necessary to seek legal advice on the wording of the communication?
- Why are we notifying?
  Notification should have a clear purpose, for example to enable individuals who may have been affected to take steps to protect themselves (e.g. by cancelling a credit card or changing a password), or to allow regulatory bodies to perform their functions, provide advice and deal with complaints.
The Information Commissioner’s Office (ICO) expects serious breaches to be brought to its attention within 72 hours of the breach becoming known. Serious breaches are not defined, but guidance is available from the ICO.
Any contact with the ICO should be made through the Trustee Board. The Trustee Board makes initial contact by outlining the circumstances surrounding the incident through submission of the Breach Notification Form and the Breach Severity Form. The ICO will determine whether a detailed report and/or subsequent investigation is needed, based on the nature of the incident and whether appropriate physical or technological security measures were in place to protect the data. Where the Trustee Board decides not to report a breach, it will retain a brief summary of the incident with an explanation of the basis for not informing the ICO.
When the personal data breach is likely to result in a high risk to the rights and freedoms of those affected, the Trustee Board shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject described above shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to above.
The communication to the data subject shall not be required if any of the following conditions are met:
- The Trustee Board has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption
- The Trustee Board has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
- It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
If the Trustee Board has not already communicated the personal data breach to the data subject, the ICO, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to above are met.
In addition, the completed Data Breach Notification Form should be sent to the Scouts UK headquarters at dpa.alert@scouts.org.uk.
NOTE – This email address is only for reporting a breach; no remediation guidance will be provided as a direct result. The information will be used by the Scouts to monitor trends in the breaches being reported and to update the Scout Unit Data Protection Toolkit with further guidance.
Subsequent to a data breach, the Trustee Board will conduct a review to ensure that the steps taken during the incident were appropriate and to identify areas that may need to be improved.
The Trustee Board will compile a central record of incidents. To assist with this we have produced a Template Data Breach Register. The Trustee Board will report on incidents to the adult volunteers in order to identify lessons to be learned, patterns of incidents and evidence of weakness and exposures that need to be addressed.
For each serious incident, the Trustee Board will conduct a review and report on:
- What action needs to be taken to reduce the risk of future breaches and minimise their impact
- Whether policies, procedures or reporting lines need to be improved to increase the effectiveness of the response to the breach
- Whether there are any weak points in security controls that need to be strengthened
- Whether users of services are aware of their responsibilities for information security and are adequately trained
- Whether additional investment is required to reduce exposure and, if so, what the resource implications are
Useful resources for Step 12