
GDPR Breach Procedure – Assessing the risks

The following will be considered:-

  • The type of data involved
  • How sensitive the data is e.g. health records, bank account details
  • Whether or not the data has been encrypted
  • What has happened to the data
  • What the data could reveal about an individual
  • How many individuals’ personal data are affected – note that large amounts of data do not necessarily equate to bigger risks, but may be a factor.
  • Whose data has been affected – staff, customers, clients, suppliers
  • What harm can come to those individuals – risks to physical safety, reputation, financial loss or a combination of these.
  • Is there a risk to public health, or loss of confidence in an important service we provide?
  • Whether individuals’ bank details have been lost – we would need to consider contacting the banks for advice on how to prevent fraudulent use.

Notification of breaches

Whilst informing people and organisations about breaches is important, it is not just about informing people of a breach. It is also about enabling people to take steps to protect themselves, and about allowing the ICO and/or our Regulator to perform their functions, provide us with advice and deal with any complaints.

Factors to consider prior to any decision to notify:-

  • Are there any legal or contractual requirements to do so
  • Will notification help us meet our security obligations with regard to the seventh data protection principle
  • Will notification help the individual to mitigate risks e.g. cancel a credit card, change a password
  • Are a large number of people affected, or are there very serious consequences, in which case the ICO should be informed
  • How will notification be made appropriate for particular groups such as children or vulnerable adults
  • Is notification proportionate i.e. we need to consider the dangers of ‘over notifying’ e.g. we wouldn’t want to tell all our members about a breach if it only affected a very small percentage of them.

Once we have made a decision that we do need to notify, we then need to agree on:-

  • Who to notify
  • What we are going to tell them
  • How we are going to communicate the message, i.e. which is the most appropriate way bearing in mind the security of the medium and the urgency of the situation.
  • Whether to inform the media

The ICO only needs to be advised about breaches that involve personal data.

The Regulator needs to be advised about the following types of significant events:-

Governance and organisational issues:

  • Potentially serious breach of legislation by us or serious legal action taken against us.
  • Serious issues regarding a parent, subsidiary or connected organisation.

Financial and funding issues:

  • Breach or potential breach (including, for the avoidance of doubt, technical breaches) of any banking covenants.
  • Serious financial loss; actual or potential.
  • Default or financial difficulties of major suppliers or service providers.

Any notification that is sent to the ICO will need to include a description of how and when the breach occurred and what data was involved. It should also include details of what we have already done to respond to the risks posed by the breach. We should also ensure that we provide the affected individuals with specific and clear advice on the steps they can take to protect themselves, and on what we are willing to do to help them. Finally, we should provide details on how they can contact us for further information or to ask questions about what has occurred, e.g. a link to a helpline number or web page.
