Control measure: Measures are in place to prevent and detect personal data breaches.
Risk: Without appropriate technical and organisational measures in place to protect the personal information being processed (including preventing and detecting personal data breaches), there is a heightened risk of a personal data breach occurring. This may breach articles 5(1)(f) and 32 of the UK GDPR.
Ways to meet our expectations:
- Put in place appropriate organisational measures to prevent personal data breaches, for example:
  - information security policies and procedures;
  - risk assessments;
  - internal audits;
  - fraud detection reviews; or
  - third-party notification procedures.
- Put in place appropriate technical measures to promptly detect personal data breaches, for example:
  - data flow and log analysers;
  - intrusion detection systems and intrusion prevention systems or firewalls that can alert to and identify actual personal data breaches;
  - data leakage control; and
  - access logging.
- Ensure there is an effective process to identify, investigate and respond to any suspected offences under section 170 DPA 18.
- Ensure there is a threshold for a “reasonable level of certainty” that a personal data breach has occurred.
Options to consider:
- Check your breach detection measures are appropriate to the amount, type and sensitivity of personal information processed.
- Get input and direction into your breach detection and prevention measures from the DPO, the Information Governance team, the Senior Information Risk Owner (SIRO) or the Chief Information Officer (CIO).
- Categorise and document the different types and causes of personal data breaches.
Control measure: Measures are in place to assess the severity of personal data breaches.
Risk: Without a proactive understanding of the inherent risk in the information being processed, or a rationale behind any assessments made in the event of a personal data breach, there may be a breach of article 33. This may also result in separate infringements of articles 5(f) and 32 of the UK GDPR.
Ways to meet our expectations:
- Record the type of personal and special category information held.
- Document and put in place criteria to assess the severity of the personal data breach and the likely effect on people’s rights and freedoms.
- Reference guidance (eg ICO’s personal data breach criteria).
- Put in place guidance to assess whether there is a 'high risk' to affected people.
- Assess personal data breaches on a case-by-case basis.
- Include the following factors in the assessment of a personal data breach:
  - the type of personal data breach (eg an incident where information has been disclosed to an unauthorised person will cause a different set of consequences than an incident which has resulted in information no longer being available);
  - the type, sensitivity and volume of personal information;
  - the vulnerability of those affected, including any potential cultural and political sensitivities;
  - the number of people affected;
  - whether the incident has been contained (eg information has been located and returned, confirmation that the information has been securely destroyed or deleted by the unintended recipient, lost or stolen devices have been remotely wiped, system passwords have been changed);
  - who has subsequently had access to the information and whether it could be used in a malicious way; and
  - the consequences of the personal data breach after any mitigation.
- Put in place a breach response plan that includes measures to proactively address effects and is focused on protecting the affected people and containing the personal data breach.
- Ensure relevant staff have a complete understanding of the security measures used (eg encryption or anonymisation) and they are assessing risks correctly.
- Test notification and communication channels between affected departments.
- Add highlighted risks to the organisational risk register and any data protection impact assessment.
- Ensure new risks are communicated to relevant operational staff.
Options to consider:
- Ask for input and direction on risk assessments and associated guidance materials from the DPO, Information Governance team, the SIRO and the CIO.
- Keep breach response plans under review and test regularly, especially following personal data breaches and near misses.
- Ask for feedback from staff on their understanding of how to assess risks within all areas of their work, both to ensure consistency in approach and to identify any training needs.
Control measure: Measures are in place to record personal data breaches.
Risk: Without appropriate logging of personal data breaches (including near misses), there is a risk that they cannot be tracked, investigated or escalated, and may reoccur. A clear record also ensures the ICO is able to verify compliance. This may breach article 33(5) of the UK GDPR.
Ways to meet our expectations:
- Put a breach log in place that records the facts about the personal data breach, its possible effects on the affected people and the measures taken in response.
- Put a process in place to record near misses that did not result in a personal data breach, but had potential to.
- Escalate near misses and personal data breaches into the information risk process.
- Regularly review the breach logs (or relevant reports) at a senior strategic level.
- Set out a retention period for breach logs that contain personal information and establish a lawful basis for their retention.
- Regularly review the contents of breach logs for possible excessive retention.
- Take steps to periodically reduce the personal information held in breach logs (eg by using data minimisation or anonymisation techniques).
- Evidence that logs are regularly deleted in line with the retention schedule.
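As an added example (not part of the ICO page, and not an ICO tool), the Python below models the two procedures from this section in working code: the case-by-case severity assessment using the factors listed under "Measures are in place to assess the severity of personal data breaches" (breach type, sensitivity, volume, vulnerability, containment, onward access, mitigation), with the rationale recorded alongside the rating, and a single central breach log that records near misses, flags entries for the information risk process, supports trend reporting, and minimises personal information once an entry is past its retention period. The field names, the scoring weights and thresholds, the three-year retention period and the sample incidents are all assumptions constructed for this example; the real weights and retention period are for the DPO and SIRO to set.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List

@dataclass
class BreachRecord:
    """One breach-log entry; field names are this example's own, not ICO terms."""
    ref: str                    # internal reference (constructed values below)
    occurred: date
    breach_type: str            # "confidentiality", "integrity" or "availability"
    special_category: bool      # special category or otherwise sensitive information
    people_affected: int
    vulnerable_subjects: bool   # eg children or patients
    contained: bool             # recovered, securely deleted, wiped, passwords changed
    onward_access_likely: bool  # a third party has had access and could misuse it
    encrypted: bool             # information unreadable to whoever received it
    near_miss: bool = False
    facts: str = ""             # free text; may itself contain personal information
    contacts: List[str] = field(default_factory=list)  # staff or subjects involved
    risk_level: str = ""
    rationale: List[str] = field(default_factory=list)
    minimised: bool = False

def assess_severity(b: BreachRecord) -> str:
    """Rate a breach 'low risk', 'risk' or 'high risk' and keep the rationale.
    Weights and thresholds are this example's assumption, not ICO criteria."""
    score, why = 0, []

    def add(points: int, reason: str) -> None:
        nonlocal score
        score += points
        why.append(reason)

    if b.breach_type == "confidentiality":
        add(2, "information disclosed to an unauthorised person")
    else:
        add(1, f"{b.breach_type} of information affected")
    if b.special_category:
        add(3, "special category or sensitive information involved")
    if b.people_affected >= 100:
        add(2 if b.people_affected >= 1000 else 1, f"{b.people_affected} people affected")
    if b.vulnerable_subjects:
        add(2, "affected people are vulnerable")
    if not b.contained:
        add(2, "incident not yet contained")
    if b.onward_access_likely:
        add(3, "onward access with potential for malicious use")
    if b.encrypted:
        add(-4, "mitigated: information encrypted and unreadable to the recipient")
    b.risk_level = "high risk" if score >= 7 else "risk" if score >= 3 else "low risk"
    b.rationale = why
    return b.risk_level

class BreachLog:
    """Single central log with escalation, trend reporting and retention."""

    def __init__(self, retention_days: int) -> None:
        self.retention = timedelta(days=retention_days)
        self.entries: Dict[str, BreachRecord] = {}

    def record(self, b: BreachRecord) -> str:
        """Log a breach or near miss; near misses are kept but not risk-rated."""
        b.risk_level = "near miss" if b.near_miss else assess_severity(b)
        self.entries[b.ref] = b
        return b.risk_level

    def to_escalate(self) -> List[str]:
        """High-risk breaches and near misses to raise in the information risk process."""
        return [r for r, b in self.entries.items() if b.risk_level in ("high risk", "near miss")]

    def trend(self) -> Dict[str, int]:
        """Entries by breach type, for strategic-level reporting."""
        return dict(Counter(b.breach_type for b in self.entries.values()))

    def apply_retention(self, review_date: str) -> int:
        """Minimise entries older than the retention period as at review_date
        (ISO date): drop the personal information, keep the anonymised record."""
        today, done = date.fromisoformat(review_date), 0
        for b in self.entries.values():
            if not b.minimised and today - b.occurred > self.retention:
                b.contacts, b.facts, b.minimised = [], "[minimised]", True
                done += 1
        return done

def build_sample_log() -> BreachLog:
    """Constructed entries, not real incidents; three-year retention is an assumption."""
    log = BreachLog(retention_days=3 * 365)
    log.record(BreachRecord("BR-0001", date(2021, 3, 2), "confidentiality", True, 250, True,
                            False, True, False, facts="patient list emailed to wrong address",
                            contacts=["A. Sender"]))
    log.record(BreachRecord("BR-0002", date(2024, 1, 15), "confidentiality", False, 40, False,
                            True, False, True, facts="encrypted laptop lost, remotely wiped",
                            contacts=["B. Owner"]))
    log.record(BreachRecord("NM-0003", date(2024, 2, 1), "integrity", False, 0, False,
                            True, False, False, near_miss=True,
                            facts="bulk update stopped before wrong records were written"))
    return log
```

Running `build_sample_log()` rates the disclosed patient list as high risk (uncontained, special category, onward access) and the lost but encrypted, remotely wiped laptop as low risk, with the reasons stored in `rationale` so the assessment can be explained later. `to_escalate()` returns the high-risk breach and the near miss for the information risk process, `trend()` gives the per-type counts for senior-level reporting, and `apply_retention("2024-06-01")` strips the contact names and free-text facts from the 2021 entry while leaving the anonymised record in place for trend analysis, which is the minimisation step the section asks to evidence.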
Options to consider:
- Seek assurance that all personal data breaches and near misses are captured centrally (eg there are no locally held breach logs).
- Only give access to the breach log to staff who need it.
- Carry out trend analysis of breach logs as part of strategic level reporting.
- Carry out sampling checks on logs to test whether retention schedules and minimisation methods are used correctly.