Data Breaches Policy
Under GDPR from May 2018 there is a breach notification policy across the whole office.
Factotum Ltd are required to notify the ICO (Information Commissioners Office) within 72 hours of any relevant data security breach. Fines may occur for any that are not notified within the timescales.
Relevant breaches are those where the individual is likely to suffer some form of damage, such as identity theft or a confidentiality breach.
Internal Reporting Policy
All staff members of factotum must be aware at all times on any instances that may occur that may give rise to a data protection breach.
Should you be aware of such a breach, this must be notified to your Line Manager, or an alternative manager should your Line Manager not be available, immediately. Your Line Manager will in turn notify the nominated Data Protection Manager at Factotum. This must be done immediately.
The Data Protection Manager is required to record all breaches within the data Security Incident Report and notify the ICO should the breach be identified as relevant to report.
When a personal data breach has occurred, the severity of the resulting risk to the individuals rights and freedoms must be established. If it is likely there will be a risk, then the ICO must be notified immediately, if the risk is unlikely it does not need to be reported. However, if the decision is made not to report the breach to the ICO, this decision will need to be justified, and therefore the reasons documented and attached to the register.
Reporting Policy to the ICO
If you need to report a breach – the process is as follows-
Go to ICO.gov.uk – For Organisation
Select ‘Report a Breach’
Within this section, there are 2 options to choose from
- Report a data Security Breach – Then follow instructions
- Section 55 breach – unlawful use of personal data
Complete the relevant section
The ICO will report back to factotum should any further information / action be required
Reporting Policy to other persons / organisations
Factotum Ltd must inform the individual concerned regarding the data breach and the action taken. This must be actioned immediately.
Factotum must also decide whether other persons / organisations need to be informed of the breach. This may include the client or any other parties involved.
Action Required after any breach
All data breaches must be discussed at Senior Management level and action taken to prevent any recurrence.
These actions must be documented and monitored on an ongoing basis to ensure and such breach s not repeated.
If staff discipline is required, we would refer to HR processes.
If the ICO do require any further action, all Senior management must be advised, relevant action taken and be fully documented.
Monitoring & Training
Factotum Ltd must ensure that there are monitoring processes in place to identify and prevent and data breaches.
Factotum must ensure that all staff are adequately trained on data protection and on how to identify and prevent data breaches within their particular roles.
The above must be fully documented.