When there is a personal data breach, the Information Commissioner’s Office (ICO) advises:
Tell it all. Tell it fast. Tell the truth.
The designated Data Protection Lead is responsible for handling personal data breaches. In particular, he will evaluate what the breach is and how it occurred, and the associated risk to data subjects and the company.
The Board is committed to supporting the Data Protection Lead in response to any breach, whatever the level of seriousness.
If there is a risk to data subjects, the breach will be reported to the ICO within 72 hours. If the report is late, an explanation will be given as to why.
Where the risk to data subjects is high, the breach will be reported to them individually where possible. If there are a large number of data subjects at risk, it may not be logistically possible to do so, in which case a press release will be considered, and notification provided on the company’s website, for example.
Encryption of personal data is likely to reduce the risk to data subjects following a breach significantly. BMRA encrypts high-risk personal data such as identification records and financial information.
The ICO will be told how the breach occurred, what steps are being taken to reduce the risk, and how a similar breach is to be avoided in future. The initial report will contain no more than a summary of the position. The Data Protection Lead may seek authority to obtain legal advice before submitting the initial and any subsequent reports.
A thorough investigation and corrective action will be taken to reduce the risks to data subjects arising out of the breach, and to ensure that something similar does not happen again in future.
Where a breach of the company’s computer systems is suspected, to identify the breach and advise on corrective measures, the Data Protection Lead will seek support from the company’s IT provider:
Green City Solutions
BMRA has cyber security insurance and any IT-related breaches must be reported to insurers immediately.
The theft of data, whether as a result of shortcomings in the physical security arrangements on the premises, the hacking and penetration of computer systems, or theft by a member of staff, will be reported immediately to the police.
The breach, investigation and corrective actions will be documented and filed on the data protection risk register. Reports will also be made to the ICO.
All personal data breaches, however minor, and whether reportable or not, such as non-compliance with BMRA’s policies, will be recorded in the data protection risk register, held by the Data Protection Lead.