How to manage personal data breaches

It’s important to know how to manage a personal data breach if you are going to be able to protect your school should the worst happen.

CREDIT: This is an edited version of an article that originally appeared on gov.uk

A data breach is a security incident that results in personal data being:

  • lost or stolen;
  • destroyed without consent;
  • changed without consent;
  • accessed by someone without permission.

Such breaches can be deliberate or accidental, and they involve more than simply losing personal data. Knowing how to manage a breach can limit the damage such an event causes, so it’s important to make sure you are properly prepared to handle one.

There are legal obligations that organisations must follow in relation to handling personal data breaches. Make sure that all members of staff:

  • are able to recognise when a personal data breach has taken place;
  • know how to report it formally within your school;
  • check if any of their personal data is involved.

When you become aware of a suspected data breach you need to check whether or not the incident has involved personal data – if it has, there are actions you will need to take. The first step is to understand the type of personal data involved in the incident; this will help you to understand the seriousness of the breach. As soon as possible, ascertain what type(s) of personal data are involved and who the data subjects are. For example, are only the basic personal details of staff – such as names and email addresses – involved, or has the breach encompassed the full records of pupils, including special category data such as disabilities and ethnic origin?

Your second step is to establish exactly what has happened to the personal data. Where is the data that has been accessed, lost or stolen, and who might have it? Establishing this will enable you to identify the level of risk involved in the breach – obviously, if you’ve shared some information via email with another part of your school or trust by mistake, this is much less of a risk than if an unknown party has stolen paper records.

If it’s possible to recover the data, you should do so immediately – and do whatever you can to protect those who’ll be most impacted. This might include:

  • recalling, or asking someone to delete, an email containing personal data sent by mistake;
  • retracing your steps, or contacting reception if you have lost some physical personal data to see if it has been handed in;
  • checking if you can remotely lock or wipe a laptop, phone or tablet containing personal data that has been stolen.

Walk in their shoes

It is important that you accurately record all details of the breach, as you can use this to make a quick assessment before you have the full details. Based on the information you have so far, you can evaluate the risk to the data subjects involved by assessing how seriously you think people might be harmed, and the probability of this happening. It is crucial to consider all the information available, including:

  • who’s affected;
  • how many people are affected;
  • the ways the breach might affect them, such as:
    • safeguarding issues;
    • identity theft;
    • significant distress.

When assessing risk, putting yourself in the shoes of those who’ve been impacted may help you think about any steps you can take to reduce that risk now and in the future. If you decide that there is a risk to the data subjects, it is important that you notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach and inform the data subjects, so they can take steps to protect themselves.

If you’re unsure how best to handle a breach, call the ICO helpline on 0303 123 1113; they will support you to assess the impact and advise you on the appropriate steps.

What can be learned?

After every personal data breach, or near miss, you should review:

  • what happened;
  • how it happened;
  • why it happened;
  • what actions you can take to prevent it happening again.

It is important to do this even if you have determined that there are no risks, as it is good practice to record and investigate every personal data breach, however small. Recording every incident also allows your data protection officer to spot trends – if they notice that a particular system or process is regularly having minor incidents, they can reduce the risk and take action to prevent similar breaches from happening again.

Taking steps to reduce the possibility of personal data breaches occurring is crucial to preventing future breaches – think about:

  • having mandatory data protection training in place for all staff that includes how to recognise and report a personal data breach;
  • having clear and appropriate data protection policies;
  • ensuring staff have an awareness of common data breaches, and how they can be avoided, such as by getting into the habit of checking that recipients and attachments are correct before pressing ‘send’;
  • having appropriate controls in place to protect personal data;
  • documenting and sharing all lessons and actions you’ve taken as a result of any previous incidents.